Hacker Shows How Gas Pumps Are Security Swiss Cheese And Easy Targets For Thieves
As gas prices continue to rise, some shadowy figures are looking for "alternative" method to acquire fuel, whether legal or not. One such method, specifically hacking a gas pump, has led to the recent theft of 400 gallons of fuel at a High Point gas station in North Carolina. However, this is not the only incidence of this happening, and as it turns out, gas pumps are surprisingly vulnerable to being hacked.
Earlier this week, a video surfaced of a man stealing gas for himself and other vehicles that arrived after the gas station had closed. Police and news outlets claim that the person pointed a device at the gas pump to release the dispenser to help fill up several cars waiting for free gas, leading to the theft of approximately $1600 in fuel. It is speculated that the thieves used a "special remote to alter the mechanics of the gas pump that puts it in 'dispense mode,' dispensing hundreds of gallons of gas for free," according to Petroleum Technician Trey Barker, who spoke with Fox 8 in North Carolina. He continued, stating, "The reason dispensers have this option is so petroleum technicians, and NC Weight and Measures can test and calibrate dispensers."
Interestingly, this theft is not the only one in recent years and is not the only option thieves have. In 2018, Kaspersky Labs found a basic web interface on a Linux-based controller unit in an embedded box at a gas station somewhere in the US. Following this discovery, it was found that this site is "responsible for managing every component of the station, including dispensers, payment terminals and more," at the heart of the gas station. However, this was not the only gas station at risk, as there were at least 1,000 others with similar infrastructure exposed to the internet.
It is likely that other gas pump brands may use a similar configurations that could be exposed as well, and we might not know about them yet. In any event, default credentials for these web interfaces are sometimes not changed, allowing easy access into these systems. Besides this, there might also be hard-coded credentials in the system's firmware, which were discovered by the team at Kaspersky.
Though this may not be a new issue, it still seems particularly relevant today as gas stations have not updated their systems or improved overall protection in what amounts to a crisis for many American families and small business. As such, gas thefts will likely continue until IoT and gas station security is improved.
(Gas Station Surveillance Snapshot Courtesy of WFMY News 2)