Hackers Actively Targeting Gas Pumps
An anonymous reader writes: Security researchers from Trend Micro wondered what kind of cyberattacks might target one of our most common and vital pieces of infrastructure: gas pumps. So, they set up some honeypots to find out if and how gas pumps were being attacked. The researchers ended up getting more than they bargained for. Between February and July, there were at least 23 distinct attacks on their honeypots alone (PDF). This included identifications, modifications, and DDoS attacks. "In their research, they found that a DoS or DDoS attack could disrupt inventory control and distribution, which means gas stations may not have enough supply on hand. Changing pump names could result in the wrong fuel being added to a tank—such as putting Unleaded inside Premium, or vice versa. Drivers wouldn't like that. Or changing the pump volume could result in tanks being underfilled."
With all these attacks, (Score:5, Insightful)
Re:With all these attacks, (Score:4, Insightful)
With the fact that they are talking about....connecting directly to the internet.... Seems they could have done this with a sniffer.
Just read some logs, there are all manner of automated attackers out there searching for prey. Run sshd, you will begin getting root login attempts pretty quickly, and the party don't stop.
Yes, looking for attacks coming down the inter-tube is like looking for bacteria in a pond. Yah, it's there, lots and lots of it. That is hardly a newsworthy result.
Re: (Score:3)
Re: (Score:3)
Or DD-WRT? Of course since many of these people could not even be bothered to change the password, I think a firewall is pretty fucking unlikely.
DUPE (Score:2)
http://it.slashdot.org/story/15/01/23/1856201/us-gas-stations-vulnerable-to-internet-attacks [slashdot.org]
Give 'em a break, it's only been seven months since this was last posted.
Re: (Score:2)
With all the vulnerabilities we've seen with desktop computers, you'd expect there would have been a major virus that would wipe everyone's hard drive. So far, we haven't seen that, though. Why not? Just because something is possible doesn't mean someone will do it.
Re: (Score:2)
Re: (Score:3)
With all the vulnerabilities we've seen with desktop computers, you'd expect there would have been a major virus that would wipe everyone's hard drive. So far, we haven't seen that, though. Why not?
Because there's no money in it and malware writers are no longer the pimply-faced-youth (PFY) looking to just break things.
No, it's organized crime now. Instead of wiping computers, it's about creating armies of botted computers. It's about bot-herding, and renting out botted computers at literally a nickel a
Re: (Score:2)
Re:With all these attacks, (Score:5, Insightful)
Funny how we're so worried about supply lines being disrupted while our wallets starve the most.
Funny how we're so worried about our wallets while we're raping mother earth with a rusty pick-ax.
Re: (Score:2)
And subsidising the pick axe with taxpayer money.
Re: (Score:2)
Try getting gas anywhere else in the world where the government isn't subsidizing gas prices. In Japan just a couple of years ago, we were paying about $8/gal. Typical is around $6/gal.
Re: (Score:1)
which is actually a reasonably low price considering that they have no domestic source for oil.
We should be paying for the cost of lost resources, lost to inefficiencies all through the system. Wise up mericans, we are letting our children and grandchildren get raped by the oil companies while we sit in our SUVs and pickups and blow fumes in the faces of our neighbors "harharhar!!!"
Seriously ? (Score:2)
Many of these systems—earlier this year, Rapid7 identified about 5,800 of them worldwide—are connected to the Internet without a password
Isn't anyone held responsible for this kind of gross negligence ?
Re: (Score:2, Insightful)
Why the fuck is a gas pump even in a position to be DDoS'ed? Have your staff report daily on the amount of gas sold, don't put this shit online for fucks sake.
Many gas stations are owned or operated by big chains, who need to know the current status of a large number of stations without waiting for reports. Paying to have a delivery truck come out when the tank is only 1/4 empty, or not sending it out until it has been empty for hours is throwing money out the window.
Then there's leak and theft detection, where you want to find out before next day, even if it happens when the gas station is closed and no-one around to hear the alarm.
No, having gas metering equip
Re: (Score:2)
having gas metering equipment online is sensible
Having it *accessible* on a private network is quite reasonable. Having it on the public internet, firewall or not, is simply asking for it to be hacked and misused.
Re:Seriously ? (Score:5, Insightful)
Have your staff report daily on the amount of gas sold, don't put this shit online for fucks sake.
Stop overreacting. Putting it online saves labor, lowers costs, and has caused ZERO problems. The worst that could happen is that someday a few people get mispriced gas, or unleaded instead of premium (in which case 90% won't even notice because their car isn't designed to use high octane anyway). You should find something else to panic about.
Re: (Score:2)
So actually sending the data via telephone lines saves labor, lowers costs and will cause zero problems (if of course postulating over the internet coul
Re: (Score:2)
Re: (Score:2)
Putting something important like this over the Internet is really just negligence.
Since when did the tank level at a gas station become "something important"?
Re: (Score:3)
"and has caused ZERO problems"
That you know of. Oil companies are hardly going to tell the world if someone has hacked their systems.
"The worst that could happen is that someday a few people get mispriced gas, or unleaded instead of premium"
No. The worst that could happen in that instance is someone gets diesel instead of gas or vice versa which is pretty fucking serious and will destroy an engine. Shall we give them your name to come for compensation since you think it's no big deal?
Re: (Score:2)
Re: (Score:2)
No, many worse things could happen, including a delivery overfilling a misreporting tank, causing flooding and potentially a fire. Bada-boom. Big bada-boom.
Nonsense. The check valve on the delivery truck is a mechanical device, that has no software at all.
Re: (Score:1)
How about when you pump more fuel into your car than it has capacity. That happened to me. 16 gallon tank and it pumped 20 gallons. I expected to pump around 12 gallons. They didn't care of course, pay up sucker! Maybe this is what happened. This was back when it was real expensive.
Re:Seriously ? (Score:4, Insightful)
Remote read access: good idea
Remote write access: bad idea
Nobody should be able to change anything on the pump without physical access. At minimum, someone should have to flip a switch inside the pump to enable remote writes.
Re: (Score:3)
To do that you have to be able to write to the pump.
Only if the system is fucking ignorant. The pump should get permission to pump from a machine inside the station, under lockdown. The variables regarding pumping are set there, and there's no way to command the pump to use internal values; obviously it will need to store such values internally, but since it will be constantly polling the server for updates, you can't do anything to the pump remotely that will cause it to change its behavior for more than a fraction of a second.
Such a system is still vulnera
Re: (Score:2)
How do you think self service gas stations work? I'll clue you in. If you don't have a credit/debit card you have to go in and pay the clerk for your gas. You give them $14 and they program the pump to deliver $14 worth of gas. That's done over a network. To do that you have to be able to write to the pump.
There is no reason that has to be done over the internet, over wireless, or even over TCP/IP. There is no reason that this shouldn't be absolutely secure from any attack other than someone having direct access to the machine communicating with the pump.
Re: (Score:2)
Re: Seriously ? (Score:1)
The companies that have Internet accessible systems are the companies that use contracted maintenance, ie the smaller companies. They save money by contracting out the maintenance, rather than paying for a full time technician. So internet access is necessary for the contractors to be able to view work orders remotely. Most of these are franchises and only have whatever security joe franchise owner decided to set up. The larger companies find it cheaper to hire their own technicians than to have contracto
Re: (Score:2)
Moral of the story, it's only cheaper to contract out if you aren't doing the full security required for the job.
Re:Regular vs Premium (Score:4, Insightful)
Honestly, unless you're almost inhuman in disregarding your brain, you'll need to have someone fill up your car without telling you the octane, and then record your observations.
We humans are correlation engines, and it would almost be proof of brain abnormality to not find a correlation, regardless of whether it's there or not.
Re: (Score:2)
Re: (Score:2)
Knocking *is* directly related to octane levels, so it's no surprise to find observable correlations there. Also, knocking is not a subtle problem liable to selection bias.
The question is whether *higher* octane gas than required for an engine (engines can be tuned for high octane gas) improves performance. And the gas manufacturers themselves don't claim that. (In their ads, the benefits are all quite nebulous: "better for your engine")
But it's a pretty widespread belief that high octane gasoline has "s
Re: (Score:2)
It can. If your car has a knock sensor, it works by retarding the timing when knocking is detected (usually before you can detect it by ear while sitting in the driver's seat); this reduces performance. If your spark plugs are dirty or there's other problems with the ignition system, you might get more knock with regular than premium, so you could have a loss of power that
Re: (Score:2)
Most modern cars have knock sensors and retard the timing when knocking is detected so you won't notice knocking. You will get fewer miles to the gallon since this is less efficient.
Re: (Score:2)
Re: (Score:3)
I suspect this been going on for awhile (Score:1)
I used a very infrequently used credit card at a gas station way out in the middle of nowhere on I-10 in Florida going to Panama Beach. I check my account balances frequently, and luckily caught 25+ Xbox Live subscriptions that were opened on that card a day or two after using it at that gas station. I hadn't used that card for anything else in probably several months before those charges, so I really think my CC details got skimmed at that pump.
You would think those types of charges would trigger some ty
A while?! (Score:1)
Try over a decade! But the banking and credit card industry had no incentive to change - until recently with the huge attacks against Target and other retailers.
And still they're moving at a snail's pace.
Even now, when something happens, it's the consumer's burden. That's why I have ONE credit card and NO debit card. And no, having one credit card has no detrimental effect on your credit score.
Re: (Score:3)
Apparently, it's no longer necessary to check the level of one's fuel tanks with the long wooden stick.
Precisely how much critical infrastructure could be disrupted by corrupting this data is open to discussion, but the real worry is how little password protection is used by many thousands of indus
Diesel v ordinary - THAT would be nasty (Score:2)
Re: (Score:3)
Don't most cars (excepting the most expensive, high-performance models) have knock sensors that tolerate regular unleaded even if they say use premium?
My car says premium is preferred, but that regular unleaded works fine but might result in slightly diminished performance. I've used both and not seen any difference in normal driving.
It'd be annoying to pay the 20-odd cent additional cost and get regular instead of premium, but I'm not sure most drivers would know the difference.
Of course diesel would be a
Re: (Score:3, Interesting)
Re:Diesel v ordinary - THAT would be nasty (Score:5, Interesting)
To answer both of you, I'm guessing things differ in your part of the world and you're simply not aware that things can be different. You're are both right.
Not really. There's (typically) only two grades of gasoline at the station and they mix them to make the grades in between with a blend valve, no matter how many hoses there are on the pump. If they have a third tank, it's for diesel, but that always has a separate hose. So you absolutely never know that the grade of gas you're getting is the same as the one you paid for, unless you do an octane test. You can actually do a halfway decent octane test with just two devices; one which tells you the alcohol content (ugh) and one which tells you the specific gravity — a hydrometer. I have a pair of them for measuring cetane levels; you can do it with diesel fuel, too.
Re: (Score:1)
Re: (Score:2)
My "You're are" typo aside, I was only addressing the "number of dispensers on a pump" dispute between the two of them.
The thread is about whether multiple grades of gasoline go through the same pipe [slashdot.org], not the same hose. So in fact, only one of them is right, and it's the person who didn't misinterpret "pipe" for "hose".
Re: (Score:1)
Re: (Score:2)
Well sorry for not being raised in English.
If I thought you had to be sorry, you'd know. I'm just explaining, for your benefit. HTH, HAND.
Re: (Score:1)
And in Europe you have separate tanks for all the grades of gas and the diesel. And yes, you get separate hoses. And they still let you pump first and pay later.
Re: (Score:3)
The pumps in my local petrol station have 4 hoses, marked Regular Unleaded, Premium Unleaded, Regular Diesel and Premium Diesel. I pick up the hose corresponding to the fuel I want. Any other method would lead to cross-contamination of the fuels.
Re: (Score:2)
He's talking about the delivery to the underground tank, not the car fueling.
Re: (Score:1)
Re: (Score:3)
Audis go into safe mode if you put the wrong gas in them. This mode retards the timing and makes the car generally drive like crap and on turbo models it severely limits the boost.
Who told you that? Audis have continuously variable timing just like all other modern cars; my 1997 A8Q has got it, as well as cylinder deactivation. If there is pinging, it just retards the timing until there isn't. That's not "safe mode", it's just retarded timing.
In the 32V Audi V8, low-grade will slightly affect performance, and mid-grade seems to not affect anything at all. If it does affect anything, it will only be in the low end; you can run more timing advance at higher RPMs even on low-grade fuel.
Re: Diesel v ordinary - THAT would be nasty (Score:1)
Re: (Score:2)
In my old A4 3.2 it definitely went into safe mode on bad gas.
If you get too many faults too quickly, it's possible for it to throw a code. But that would take more than just 87 octane. It would take some really crap gas, and you would have to stick your foot into it without consideration for the fact that you put a lesser fuel into it.
Re: (Score:2)
Yes, but if you ask a BMW owner, they will tell you that in no uncertain terms: running Regular unleaded through a BMW motor destroys the engine.
(in fact, you'll probably throw a few codes as the knock sensor tells the DME to retard timing to compensate for the lower octane; which will cause the owner to take it to the dealer, who will charge them $1000 to read the harmless codes and reset them).
Re: (Score:2)
That isn't a problem limited to BMW owners - most car owners have no idea what octane is, or what it does. A lot of people will use 94 octane in their car because they think it makes their car "run better".
People like you who seem to think everyone is defined by the car they drive are just idiots who like to try to seem superior. In reality, you're exactly the kind of douchebag the road doesn't need.
Re: (Score:2)
My electric car doesn't care about the rating of the electrons. It will take anything from crappy 120v AC electrons all the way up to highly refined 400v DC electrons. It doesn't care about the quality of the wire, either. I can plug in any old extension cord and as long as the electrons can find their way to the car, it's good.
Re: (Score:1)
How about browning out and dirty power? No, I am not being an ass (hopefully) but am really curious.
Re: (Score:2)
Appropriate question. The AC charger is high efficiency and very smart. It will tolerate a wide variety of voltages from 120 to 240 and isn't upset by dirty power. If it is drawing too much current and the voltage drops (due to undersized wire, etc) it will cut back on the current it is drawing until the voltage comes back up.
Re: (Score:1)
That makes sense, to some extent. I will have to give it some thought. And it deals with spikes with the traditional fused method? I am going to get an EV. I am not sure which. I may wait and get the hybrid i8 or I may just get a Tesla. I make enough trips to the close town where I can justify it and I have a passion for automobiles so an EV is something I certainly should own. I can move up the i8 list as I am a "preferred buyer" at BMW - in fact I am awaiting my 640li eagerly as it comes in next week. I o
Re: Diesel v ordinary - THAT would be nasty (Score:2)
I highly recommend you take a test drive in a Tesla. The performance and handling are better than any car I have ever driven. You have to drive it to experience it. Lust is the best way to describe it.
Re: (Score:1)
I have driven a friend's and it was quite fun but the handling characteristics are a little off. I was a professional driver, including security training. I can do what is known as a "J-turn" in a bus full of prisoners or drive a sedan like a professional stunt driver. (My MOS was 3505 which put me in the motor pool but driving an HMMWV was not all that we did in there.) My friend told me to drive it like I stole it, he actually came all the way up from Boston with it - it took him quite a while and some pl
Re: (Score:2)
I have seen the i8 and it is seriously sexy (unlike the i3 which is seriously ugly). I am not a professional driver so don't have your experience. I don't think the i8 is available for test drives yet so don't know how it handles. However, I'm not really interested in cars with fossil fuel engines even if they have a limited range battery.
The Tesla does have a very low center of gravity due to the battery pack location under the center of the car. This also gives it a perfect 50-50 front rear weight distrib
Re: (Score:2)
The problem with people who try to sound smart is often they aren't.
Gas powered cars don't care what kind of gas you use in them either (provided you're not using gas in a diesel or vice versa). It's just that if you're using high octane gas in an engine not designed for it there will be no benefit.
Re: (Score:2)
Most cars don't give a shit what you feed them. Use the octane specified on your gas cap for best results.
Re: (Score:1)
No, my BMW adjusts because it has a knock sensor. I have been to gas up and found no premium available and had to put in some regular. It just changes the timing a little and is fine. I have owned a bunch of BMWs (and I get my new one delivered in six days). Not one of them have died due to putting regular gasoline in it. I prefer 97 octane when available. My calculations indicate that is where I get the best mileage.
Do you mean (Score:2)
Who knew?...
This is why we can't have anything nice.
Re: (Score:2)
I thought you were talking about natural gas pumping stations. Jeremy Clarkson on American English. [youtube.com]
Actually, we call it gasoline. We can't help it if people choose to use an abbreviated version that happens to overlap with a scientific state of matter.
Also note that gasoline is dispensed as a liquid (with vapor (gas) capturing devices), but is burned as a gas.
I believe it (Score:1)
I worked at an unnamed gas pump producer for a while. Their concern with security was laughable. Security was the minimum amount of effort they needed to pass certification. In some cases, the passwords were stored on the server in a clear text file. Very poorly managed company. These places mainly see themselves as hardware companies that have software bonus. They haven't realized how crucial software is to their business, so they treat it with that level of respect.
Wot, no free gas? (Score:2)
I would have thought the obvious hack would be to grab card details or get free gas from self-service pumps. So far it just seems like mean pranks, not actual for-profit crime.
Hackers my ass! (Score:1)
First they started associating computer hackers with crime. Now they call 'hacker' somebody that steals from a gas pump? Soon we will be reading that a bunch of humans have been hacked by actively attacking their skin, with lead bullets.
Also, Slashdot, you were cool.
Retail Network Design (Score:3)
I used to install pump controllers and POS systems a long while back. Pump controllers would only talk to the back-end computer on a separate VLAN. The primary VLAN had the POS terminals on it. The back office PC had a dial-up VPN connection back to the Home Office. The network didn't rely on the internet but on dial-up access. To affect the station network you would have to have physical access.
It wouldn't surprise me that gas stations today have internet access for real time inventory and sales management of gas, groceries, etc. This would, as the article points out, open up the site to DDOS and other standard internet attack vectors. One way to reduce this threat is to implement ACLs, only allowing traffic back to the Home Office public IP addresses. But that only defends against basic DDOS attacks. The type of hardware/software that you would need to thoroughly protect the site is prohibitively expensive.
One defense is the fact that there are so many of them. Yes, a botnet could wreak havoc on a number of stations, but hitting them all in a region, in my opinion, would be a lot harder. Granted, maybe you only need to disrupt "enough" of them.
Re: (Score:2)
And as someone who wrote code to talk to gas pumps back in the late '90s, and had to hang around unattended sites after installs and upgrades, the worst that can happen by attacking tank monitoring is that the site runs dry. At which point the pumps simply stop pumping. The only loss is in missed sales.
If they use blender pumps and regular runs dry, only premium will work, which means only the least popular of three (or more) grades works, plus diesel if they sell that. That happened once when I was at a s
Re: (Score:3)
One way to reduce this threat is to implement ACLs, only allowing traffic back to the Home Office public IP addresses. But that only defends against basic DDOS attacks. The type of hardware/software that you would need to thoroughly protect the site is prohibitively expensive.
http://www.mitxpc.com/products... [mitxpc.com]
Starting at $250 and supports IPsec tunnels back to the home office with nothing accessible to the outside. Not expensive at all. But neither is changing a password and they did not even do that.
How similar to real gas pumps? (Score:3)
Were these honeypot pumps set up in the same way real systems would be set up? In other words, how realistic was the experiment? Were hackers able to attack these systems because they were set up to be honeypots, or does the experiment really indicate that gas pumps around the world are vulnerable?
What OS do these Gas Pumps run on? (Score:2)
Re: (Score:2)
For what it's worth, the pumps themselves (the part that delivers fuel) are likely to be barely changed from the late '90s, when they were a simple embedded system with no operating system other than "while (1) dostuff();" The displays were just beginning to change then, though. Gilbarco's new LCD display ran on Linux, and you could see all the boot messages out of a diagnostic port. But there was no TCP/IP stack, just the same RS-485 link to control the display.
The stuff referred to in TFA is about the ba
Re: (Score:1)
Safeway uses windows 95 at a lot of their stations. Yes, windows 95. No, really windows 95. Surprised the crap out of me too. I don't use Safeway anymore.
Wut? (Score:2)
"such as putting Unleaded inside Premium"
I hate to be the one to break it to you, but premium IS unleaded gas. Gas hasn't contained lead for a very long time now.
Re: (Score:2)
'Unleaded' is the common name given to the lowest octane gasoline a station sells. Most stations in this country sell gas labeled 'Unleaded', 'Mid-Grade', or 'Premium', corresponding to 87, 91, and 93 octane (using the (R+M)/2 method), and none of which contain lead. A station has a storage tank of 87 octane and another tank of 93, and they sell 91 octane by pumping a 50:50 mix down the same hose.
Decades ago during the phase out of lead, stations simply called the low octane 'unleaded' to distinguish it fr
Re: (Score:2)
Then you should pay more attention at the pumps, because you're dead wrong and so is the article.
Re: (Score:2)
You don't hear about because it isn't talked about (Score:1)
One of my first tech jobs was working for a large oil company. Roughly once a week we had a franchise we busted and shut down for hacking their own pumps. Never buy gas from a designed franchise!
That was about two decades ago. Reason to do so was to reduce the amount sold to rip off two parties - the customer and the oil company. By slightly reducing the amount delivered to the customer they could cut the royalties paid to the oil companies.
The thieves that sold the chips knew that state inspectors used 5 a
There is a lot (Score:2)
Re: (Score:2)
FTA: "..Or changing the pump volume could result in tanks being underfilled"
Yeah, because Hackers would never do the opposite.
What is a pump volume? Do they mean the rate of flow through the pump? Or do they mean the volume of the tank from which the pump gets the gasoline?
Re: (Score:2)
Maybe they meant the hackers 'pump up the volume', where they play Country-Rap crossover music so loud that you drive away before your tank is completely full.