Slashdot Mirror


French Gas Stations Robbed After Forgetting To Change Gas Pump PINs (zdnet.com)

An anonymous reader quotes a report from ZDNet: French authorities have arrested five men who stole over 120,000 liters (26,400 gallons) of fuel from gas stations around Paris by unlocking gas pumps using a special remote. The five-man team operated with the help of a special remote they bought online and which could unlock a particular brand of gas pumps installed at Total gas stations. The hack was possible because some gas station managers didn't change the gas pump's default lock code from the standard 0000. Hackers would use this simple PIN code to reset fuel prices and remove any fill-up limits.

Crooks would operate in small teams of two to three individuals who visited gas stations at night using two vehicles. A man in a first car would use the remote to unlock the gas station, and then a second car, usually a van, would come along seconds later to fill a giant tanker installed in the back of the vehicle with as much as 2,000 or 3,000 liters in one go. The group advertised the fuel they stole on social media, providing a time and place where customers could come and refuel their vehicles or pick up orders for gasoline and diesel at smaller prices.
Police uncovered the scheme in April 2018, when they arrested a suspect in possession of a remote used in the hack. "Five men, part of the same gang, were arrested on Monday, according to Le Parisien, who first reported the scheme last November," the report adds.

11 of 102 comments

  1. Please do not call them hackers by Squiddie · · Score: 2, Insightful

    There is nothing clever about this. This is just security failing because of the incompetency of the gas station managers. Nothing about this could be called a hack.

    1. Re:Please do not call them hackers by hcs_$reboot · · Score: 3, Informative

      So, the guys bought a remote (like this one [good product btw]), had the remote learn the protocol, and then tried the default '0000'; quite a hack actually.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Please do not call them hackers by Immerman · · Score: 5, Insightful

      Not even that - script kiddies are still trying to bypass security - these guys were just following the instructions on the box to see if the manager had been stupid enough to not change the factory-default passcode.

      Seems to me that default passwords not being changed is a common enough security threat, across a wide range of devices, that any programmer should defend against it as a standard security precaution. Perhaps simply have the device refuse to operate at all until the password/code is changed, instead simply displaying a message demanding that the passcode be changed before proceeding.

      You probably want initial setup and diagnostics to work normally, but refuse to actually pump any gas, forward any packets, or whatever else the device is supposed to do, until the code is changed.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    3. Re: Please do not call them hackers by yakatz · · Score: 2

      Thankfully, devices that require you to change the default code are becoming more common. Our brand new copy machines don't force you to change the admin password, but every time someone with admin rights logs in, the system reminds you that the default admin account still has the default password. In truth, even better are devices that don't have a default password at all, but make you set one the first time you connect them.
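
An added example, not code from the thread or from any pump vendor, of the provisioning gate the comments above describe: diagnostics work with the factory code, but setting prices or dispensing is refused until the code is changed, and a factory reset puts the device back in the locked state. The type names, function names and the three operations are hypothetical; only the default `0000` comes from the story.

```c
#include <stdbool.h>
#include <string.h>

#define FACTORY_PIN "0000" /* the default code named in the story */
#define PIN_LEN 4u

typedef enum { OP_DIAGNOSTICS, OP_SET_PRICE, OP_DISPENSE } pump_op;
typedef enum { PUMP_OK, PUMP_BAD_PIN, PUMP_WEAK_PIN, PUMP_LOCKED_DEFAULT } pump_status;

typedef struct {
    char pin[PIN_LEN + 1];
    bool provisioned; /* true only after the operator has replaced the default */
} pump;

/* Power-on or factory reset: default PIN, locked for everything but setup. */
void pump_init(pump *p) {
    strcpy(p->pin, FACTORY_PIN);
    p->provisioned = false;
}

/* Compare without an early exit so timing does not reveal matching digits. */
static bool pin_matches(const pump *p, const char *pin) {
    if (strlen(pin) != PIN_LEN) return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < PIN_LEN; i++) diff |= (unsigned char)(p->pin[i] ^ pin[i]);
    return diff == 0;
}

/* The new code must differ from the factory default, or the gate stays shut. */
pump_status pump_change_pin(pump *p, const char *old_pin, const char *new_pin) {
    if (!pin_matches(p, old_pin)) return PUMP_BAD_PIN;
    if (strlen(new_pin) != PIN_LEN || strcmp(new_pin, FACTORY_PIN) == 0) return PUMP_WEAK_PIN;
    strcpy(p->pin, new_pin);
    p->provisioned = true;
    return PUMP_OK;
}

/* Gate every operation: diagnostics always work, the rest need a changed PIN. */
pump_status pump_request(const pump *p, const char *pin, pump_op op) {
    if (!pin_matches(p, pin)) return PUMP_BAD_PIN;
    if (op == OP_DIAGNOSTICS) return PUMP_OK;
    return p->provisioned ? PUMP_OK : PUMP_LOCKED_DEFAULT;
}

int main(void) {
    pump p; pump_init(&p);
    return pump_request(&p, FACTORY_PIN, OP_DISPENSE) == PUMP_LOCKED_DEFAULT ? 0 : 1;
}
```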

  2. Re:you don't set them from inside the store? by Anonymous Coward · · Score: 2, Informative

    You used to have to have cables and set them from inside. Most of the old hardware is this way. These remote ones are "new", "better" and "improved" versions that the manufacturers push on customers. Much like Amazon pushing remotes with an always-on microphone and moving from Bluetooth to Wi-Fi.

  3. More human security by AHuxley · · Score: 2

    1. Have human staff on duty when the gas station is operational.
    2. Have human staff look at the "van" and the amount of fuel and the price of that fuel.
    3. Make people walk from the gas pumps to a cashier with a computer display showing pump used, price and amount of fuel.
    4. Pay for the fuel.
    5. Human staff on duty will see huge numbers never seen before from any average "van" on the computer display? That's not normal.
    Have the computer alert to totally unexpected numbers.
    6. Lots of quality CCTV for face, passengers face and gait.
    7. Remove anything automated that can allow your gas station to pump fuel for free at any time.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re: More human security by Nidi62 · · Score: 2

      There's the problem. Here in the US, ever since the Iraq War when gas shot up to double what it currently is, every station makes you pay before you pump. Too many people were stealing gas.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    2. Re:More human security by stealth_finger · · Score: 2

      Re "keeping tabs on operations?" Would be selling newspapers, magazines. Hats and sunglasses. Food and making hot fresh coffee. Bread and snacks. All that fuel. Making sure vans don't steal large amounts of fuel.. would be another great reason.

      Well if you want your till monkeys to be security they should be paid/trained/equipped accordingly. But they want to pay some kid minimum wage and expect them to notice, give a shit or even do anything about it other than a cursory phone call to the police/manager to let them know what's happened.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
  4. The gas station owner must be fined severely by 140Mandak262Jamuna · · Score: 5, Interesting

    If some thief steals donuts and coffee it is a simple theft. But here the gas station lost control of a hazardous substance and there were rickety vans with leaky tanks with 3000 liters of gasoline sloshing about. These crooks most likely do not understand the effects of fluid being transported in un-baffled tanks. It was a disaster waiting to happen. Safety of hundreds of people has been endangered.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  5. Re:Only a moron uses "0000" as a pin! by Scarred+Intellect · · Score: 4, Funny

    Quick, change my pin to "1234"!

    I use 9999, because it's the most secure PIN because it's the last one to get guessed.

    You start with 0000, then 0001, 0002 and so on...9999 will be the last one the haxxors get to!

  6. Re: That's the kind of PIN... by Creepy · · Score: 2

    Factory defaults are designed to be easy so the manual can say 'enter 0000, then press change PIN.' It is also usually designed with a factory reset in mind in case the PIN is lost or forgotten (which would require direct hardware access, usually behind an alarmed key lock).