French Gas Stations Robbed After Forgetting To Change Gas Pump PINs

An anonymous reader quotes a report from ZDNet: French authorities have arrested five men who stole over 120,000 liters (26,400 gallons) of fuel from gas stations around Paris by unlocking gas pumps using a special remote. The five-man team operated with the help of a special remote they bought online and which could unlock a particular brand of gas pumps installed at Total gas stations. The hack was possible because some gas station managers didn't change the gas pump's default lock code from the standard 0000. Hackers would use this simple PIN code to reset fuel prices and remove any fill-up limits.

Crooks would operate in small teams of two to three individuals who visited gas stations at night using two vehicles. A man in a first car would use the remote to unlock the gas station, and then a second car, usually a van, would come along seconds later to fill a giant tanker installed in the back of the vehicle with as much as 2,000 or 3,000 liters in one go. The group advertised the fuel they stole on social media, providing a time and place where customers could come and refuel their vehicles or pick up orders for gasoline and diesel at smaller prices. Police uncovered the scheme in April 2018, when they arrested a suspect in possession of a remote used in the hack. "Five men, part of the same gang, were arrested on Monday, according to Le Parisien, who first reported the scheme last November," the report adds.

Please do not call them hackers

[Squiddie]

There is nothing clever about this. This is just security failing because of the incompetency of the gas station managers. Nothing about this could be called a hack.

Re:Please do not call them hackers

[Immerman]

Not even that - script kiddies are still trying to bypass security - these guys were just following the instructions on the box to see if the manager had been stupid enough to not change the factory-default passcode.

Seems to me that default passwords not being changed is a common enough security threat, across a wide range of devices, that any programmer should defend against it as a standard security precaution. Perhaps simply have the device refuse to operate at all until the password/code is changed, instead simply displaying a message demanding that the passcode be changed before proceeding.

You probably want initial setup and diagnostics to work normally, but refuse to actually pump any gas, forward any packets, or whatever else the device is supposed to do, until the code is changed.