It seems that gas stations are not as safe as you might have thought. Their insecurity has been cataloged at the same level of cars, televisions, hospitals and many more.
Results of a recent investigation about gas station vulnerabilities revealed that more than 1,000 of them can be easily accessed by hackers. Affected gas stations are spread from the U.S. to India. The source of such vulnerabilities was found in the default passwords of the gas station pumps connected online. As proprietaries can´t change or control such passwords, hackers gain full access to them.
Once they are in, hackers may access every function of the stations. Consumers and gas station owners can be equally affected. Credit card information, license plate numbers, as well as temperature monitors, can be manipulated. Even gas itself can be stolen in this way.
Hackers may access gas stations remotely. It allows them to be located anywhere around the world. All they need is to break a weak password that grants them full access.
A complete report of the research was presented last Friday in Cancun, Mexico as part of the events in Kaspersky´s Security Analyst Summit. The Israeli security researcher Amihai Neiderman and Kaspersky Lab senior security research Ido Naor were in charge of it.
The software that runs the gas stations
The analyzed gas stations operate with an online software that is also installed in more than 35,000 stations worldwide. It is commercialized by the fuel management company Orpak Systems. This company has jeopardized gas stations by publishing online technical information about gas stations. What makes things worse is that the information includes passwords and all the steps to access the software´s interface.
Although the information was published to ease stations´ operations it ended damaging their online security in unexpected ways. Part of the information was already removed by Orpak, but it was too late when they did it. The guides were spread around the web and researchers were able to find them from other sources on the web through the Google browser.
Despite all the efforts to reach Orpak´s representatives, it was not possible to get any response to any inquiries.
Internet of things
The situation with gas stations represents an example of the lack of security behind devices with the Internet of things. DVRs, TVs, webcams, cameras, and financial systems are among hacker´s targets. However, the fact that gas stations store inflammable substances increases the risk for the general population. Hackers can practically do whatever they want with them as they have already done in the with unsecured devices. Even little mistakes are potentially dangerous. For instance, a hacker could regulate pressure and temperatures and initiate an explosion or a gasoline spill.
But the software is just part of the problem. The rest of the equipment in gas stations is also part of it. The bumps are more than 10 years old and the software too. Even more, researchers founded out that the code of the software doesn´t offer the possibility to get updated. Vendors seem to ignore the situation to the point that they did not respond when researchers tried to contact them.