Hackers should be pumped about gas station security flaws

Researchers from Kaspersky Lab have found software vulnerabilities that deliver access to more than 1,000 gas stations around the world.

Alfred Ng Senior Reporter / CNET News

Add gas stations to the long list of everyday places and things no longer considered secure, joining hospitals, cars and televisions, to name just a few.

Kaspersky Lab released research on gas station vulnerabilities last month, pointing to more than 1,000 gas stations, from the US to India, that were open to cyberattacks. The problem stems from gas station pumps connected to the internet with default passwords that owners couldn't change and controls that give an attacker complete access to the machine.

On Friday, Kaspersky Lab senior security researcher Ido Naor and Israeli security researcher Amihai Neiderman presented their full breakdown of the issues with gas station security, during Kaspersky's Security Analyst Summit in Cancun, Mexico.   

Their research showed that an attacker can change gas prices, steal credit card information logged on the pumps, get license plate numbers, steal gas, adjust temperature monitors and more.

"When we have root access, we can do anything we want," Neiderman said.

The attackers don't even need to be anywhere near your local gas station, Naor said. They can do it all remotely because these gas stations are connected online with a weak password, he said.

The online software comes from Orpak Systems, a fuel management company acquired by North Carolina-based Gilbarco Veeder-Root last May. According to Orpak, its software is installed in more than 35,000 gas stations around the world. Orpak put its guides online, showing technical details including passwords and screenshots of how to access its interface.

Orpak said the vulnerabilities were not relevant to its customers, as its gas stations in the US are in areas with no retail access and within closed corporate networks. 

"Orpak has implemented software patches and upgrades, and sites where there may be vulnerabilities have been notified to implement additional IT security measures to reduce or eliminate risks," Aviv Tal, a spokesman for the company, said in an email.

The guides and the gas stations were originally online for the sake of convenience. Several of the guides have since been removed, but we were able to independently find them through a quick Google search.

The vulnerabilities highlight the issues behind internet-of-things devices, which have been widely criticized for lack of security. Hackers have been able to launch massive cyberattacks because of unsecured webcams and DVRs. But with a gas station, the risks for a dangerous attack are much higher, Naor said.

In an extreme scenario, a hacker could adjust the pressure and temperatures in the tank, potentially causing an explosion, he said.

The trouble could be more mundane, too.

"You would have no idea that your little gas station could be remotely shut down, and your entire fleet is now grounded," Naor said.

Naor and Neiderman said they contacted the vendors in 2017, but were mostly ignored. It's likely that these vulnerabilities are still out there, Neiderman said. The machines are out of date, sometimes more than a decade old, and so is the software, he added.

"When we looked at the code, it doesn't appear that they have any real updating mechanisms," Neiderman said. "Pretty early on when we started talking to them, they ghosted us."

Originally published March 9 at 7:40 a.m. PT.
Updated March 12 at 6:08 a.m. PT: Added statements from the gas station manufacturers.
