Hackers Stole 600 Gallons of Gas From Detroit Gas Station, Report Says (gizmodo.com)
Police in Detroit are looking for two suspects who allegedly managed to hack a gas pump and steal over 600 gallons of gasoline, valued at about $1,800. From a report: The theft took place in the middle of the day and went on for about 90 minutes, with the gas station attendant unable to thwart the hackers. The theft, reported by Fox 2 Detroit, took place at around 1pm local time on June 23 at a Marathon gas station located about 15 minutes from downtown Detroit. At least 10 cars are believed to have benefitted from the free-flowing gas pump, which still has police befuddled. Here's what is known about the supposed hack: Per Fox 2 Detroit, the thieves used some sort of remote device that allowed them to hijack the pump and take control away from the gas station employee. Police confirmed to the local publication that the device prevented the clerk from using the gas station's system to shut off the individual pump.
Seriously, I'm not big on the whole let the computer handle everything on important things, particularly something that is potentially safety critical. Manual shut off valves aren't hard.
I wager the attendant didn't catch on for a while. Generally nowadays the systems are *supposed* to only dispense if the customer has given payment info or the attendant has turned it on. In fact, most of the time when I go to a gas station now, I've set up payment before I even leave the car and just get out and pump. A station attendant may have a hard time distinguishing someone paying by mobile from someone who made it dispense gasoline otherwise, depending on how it works. Note it says it went on for 90 minutes, then he shut it down, *then* he called police. It also says he "got an emergency kit", which may have been how he was describing the fuel shut off (his English may not have been the best). Him describing the system being non-responsive doesn't mean he sat there for a long time trying to overcome the situation, it just speaks to his surprise.
XML is like violence. If it doesn't solve the problem, use more.
What kind of gas was this? Butane? Propane? Methane?
You really don't know much about Detroit. The police won't even show up for shootings unless there are two bodies. Stealing gas doesn't even register.
Only the State obtains its revenue by coercion. - Murray Rothbard
...then ironically don't use it to leave Detroit.
Some people listen to their moral voice, and others just Kant.
The attendant, supervisor or owner park one or more cars to block the pump?
That would not surprise me. Off the top of my head, in order of effectiveness:
1) Park your car at the pump in question.
2) Put an "Out of Order" sign on the pump in question. This way, anyone using the pump is obviously in cahoots with the hackers.
3) Master emergency switch. In 90mn, no gas station makes nearly $2,000 pure profit.
4) Call the police... maybe the response time for property crimes is high, but still.
No good deed goes unpunished...
I used to write code to talk to gas pumps 20 years ago, and they really aren't much different today, aside from having better screens and needing to deal with chip cards. (I have seen only a single station so far with what appeared to be chip-ready card readers! Isn't that cut-over only a year or two away? But there are restaurants that over two years later still have tape over the chip reader.)
First of all, the pump (the part that gives you fuel while measuring it) is completely separate from the terminal on top. They both talk to a computer in back over an RS-485 link. The computer in back, even if it's a crappy one from the pump manufacturer, takes payment information from the terminal (and commands from the POS inside the store), then enables the pump, possibly with a preset limit. When you hang up the hose, the computer sees that status in the pump, reads the dispensed amount, and finishes the transaction.
The back-end computer could certainly have bad programming. I once had to do a site visit for a beta site, and found out that the authorizer (the part that says "this card is okay, turn on the pump" and handles the billing) was saying yes to ANY card. Not my code, of course. Fortunately, people were using the membership card of the club store (they probably thought it would be automatically billed), which meant they could be tracked down if necessary.
One thing that could be done is to open up the pump, and flip its configuration switches to set it into a manual mode. That still won't stop the fuel counters inside the pumps, so it won't match inventory with the back room computer later on. But you have to open it up first. Not only is there a key to deal with, but these days there are tamper stickers on the door because so much inside can be fucked with, not just the pump.
Another thing that could be done is someone with inside knowledge of the system could create a management card that makes the computer give free gas. That would be noticed eventually too, but the big problem is you have to have access to the back end. This could possibly be done for an RFID keyfob, but that means you still need a way to get the keyfob ID into the system, and it would still be an inside job.
If the deed was done wirelessly, as implied, I'm going to guess that means that someone had a wireless connection like WiFi on the same network as the back-end computer, and it wasn't encrypted, etc. It could also be a keyfob or NFC, but other than that, I haven't heard of any kind of wireless technology that would need to go into the pump. It's always possible that there was some kind of stupid buffer overflow bug on something wireless.
As to what could have been done to shut it down, if the person at the store knew this was happening, um, yeah. Unless he called a manager who told him to not turn it off (fuel is a good way to get customers to buy your overpriced sodas and snacks), the E-Stop button would have been enough. An "out of order" sign would probably have worked too, simple psychology, nobody would have bothered to use the pump. It's also possible that the POS had a way to shut pumps off. And I wouldn't be surprised if nobody understood how to use such features.
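Added example (not part of the comment above and not code from any pump vendor): the comment notes that the pump's own fuel counters keep running even when the back-room computer has not authorized a sale, so a monitor can flag a hijacked pump by comparing the two. The `Poll` record, its field names, the tolerances and the sample data are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Poll:
    """One status poll of a pump by the back-room controller (hypothetical record)."""
    t: int             # seconds since the start of the monitoring window
    pump: int
    totalizer: float   # cumulative gallons from the pump's own counter
    authorized: bool   # controller holds an open, paid authorization for this pump

def unauthorized_flow(polls, tolerance=0.05):
    """Gallons per pump that moved while no authorization was open at either poll."""
    last, leaked = {}, {}
    for p in sorted(polls, key=lambda p: (p.pump, p.t)):
        prev = last.get(p.pump)
        if prev is not None:
            delta = p.totalizer - prev.totalizer
            # A sale that ends between polls is still covered by prev.authorized.
            if delta > tolerance and not (prev.authorized or p.authorized):
                leaked[p.pump] = leaked.get(p.pump, 0.0) + delta
        last[p.pump] = p
    return leaked

def reconcile(polls, sales, tolerance=0.5):
    """Totalizer movement minus billed volume, for pumps where the gap exceeds tolerance."""
    first, last, billed = {}, {}, {}
    for p in sorted(polls, key=lambda p: p.t):
        first.setdefault(p.pump, p.totalizer)
        last[p.pump] = p.totalizer
    for pump, gallons in sales:
        billed[pump] = billed.get(pump, 0.0) + gallons
    gaps = {pump: last[pump] - first[pump] - billed.get(pump, 0.0) for pump in first}
    return {pump: gap for pump, gap in gaps.items() if gap > tolerance}

# Constructed sample: pump 1 completes a normal paid sale, pump 2 dispenses
# with no authorization and no billed transaction.
SAMPLE_POLLS = [
    Poll(0, 1, 1000.0, True), Poll(60, 1, 1006.0, True),
    Poll(120, 1, 1012.5, False), Poll(180, 1, 1012.5, False),
    Poll(0, 2, 5000.0, False), Poll(60, 2, 5020.0, False),
    Poll(120, 2, 5040.0, False), Poll(180, 2, 5060.0, False),
]
SAMPLE_SALES = [(1, 12.5)]  # (pump, gallons billed)

if __name__ == "__main__":
    print("flow without authorization:", unauthorized_flow(SAMPLE_POLLS))
    print("totalizer vs billed gap:   ", reconcile(SAMPLE_POLLS, SAMPLE_SALES))
```

An alert on the first check fires within a poll interval or two; the second catches the same loss at shift close even if the authorization flag itself was tampered with.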