French Gas Stations Robbed After Forgetting To Change Gas Pump PINs

An anonymous reader quotes a report from ZDNet: French authorities have arrested five men who stole over 120,000 liters (26,400 gallons) of fuel from gas stations around Paris by unlocking gas pumps using a special remote. The five-man team operated with the help of a special remote they bought online and which could unlock a particular brand of gas pumps installed at Total gas stations. The hack was possible because some gas station managers didn't change the gas pump's default lock code from the standard 0000. Hackers would use this simple PIN code to reset fuel prices and remove any fill-up limits.

Crooks would operate in small teams of two to three individuals who visited gas stations at night using two vehicles. A man in a first car would use the remote to unlock the gas station, and then a second car, usually a van, would come along seconds later to fill a giant tanker installed in the back of the vehicle with as much as 2,000 or 3,000 liters in one go. The group advertised the fuel they stole on social media, providing a time and place where customers could come and refuel their vehicles or pick up orders for gasoline and diesel at smaller prices. Police uncovered the scheme in April 2018, when they arrested a suspect in possession of a remote used in the hack. "Five men, part of the same gang, were arrested on Monday, according to Le Parisien, who first reported the scheme last November," the report adds.

Re:Please do not call them hackers

[hcs_$reboot]

So, the guys bought a remote (like this one [good product btw]), had the remote learn the protocol, and then tried the default '0000' ; quite a hack actually.

Re:Please do not call them hackers

[Immerman]

Not even that - script kiddies are still trying to bypass security - these guys were just following the instructions on the box to see if the manager had been stupid enough to not change the factory-default passcode.

Seems to me that default passwords not being changed is a common enough security threat, across a wide range of devices, that any programmer should defend against it as a standard security precaution. Perhaps simply have the device refuse to operate at all until the password/code is changed, instead simply displaying a message demanding that the passcode be changed before proceeding.

You probably want initial setup and diagnostics to work normally, but refuse to actually pump any gas, forward any packets, or whatever else the device is supposed to do, until the code is changed.

The gas station owner must be fined severely

[140Mandak262Jamuna]

If some thief steals donuts and coffee it is a simple theft. But here the gas station lost control of a hazardous substance and there were rickety vans with leaky tanks with 3000 liters of gasoline sloshing about. These crooks most likely do not understand the effects of fluid being transported in un-baffled tanks. It was a disater waiting to happen. Safety of hundreds of people has been endangered.

Re:Only a moron uses "0000" as a pin!

[Scarred+Intellect]

Quick, change my pin to "1234"!

I use 9999, because it's the most secure PIN because it's the last one to get guessed.

You start with 0000, then 0001, 0002 and so on...9999 will be the last one the haxxors get to!