Gas station prey to hacks

Gas stations worldwide have been exposed for years to remote hacker attacks due to several vulnerabilities affecting the automation software they use, researchers at Kaspersky Lab have reported.
A week ago, Motherboard revealed how a security researcher discovered backdoor access to fuel stations around the world. Kaspersky, which was involved in the original research, has now disclosed more details in a blog post by Ido Naor. The details show just how older accepted practices among industrial systems designers are making life easy for hackers.
“Before the research, we honestly believed that all fueling systems, without exception, would be isolated from the internet and properly monitored. But we were wrong,” explained Kaspersky’s Ido Naor. “With our experienced eyes, we came to realize that even the least skilled attacker could use this product to take over a fueling system from anywhere in the world.”
The vulnerable product is SiteOmat from Orpak, which is advertised by the vendor as the “heart of the fuel station.” The software, currently installed in over 1,000 stations, allows remote access from the internet. It is designed to run on embedded Linux machines or a standard PC, and provides “complete and secure site automation, managing the dispensers, payment terminals, forecourt devices and fuel tanks to fully control and record any transaction.” Kaspersky researchers discovered that the “secure” part is not exactly true.
In many cases the controller had been placed in the fuel station over a decade ago and had been connected to the internet ever since.
The manufacturer was notified when the threat was confirmed. Over half of the exposed stations are located in the United States and India.
Fuel stations are already good pickings for hackers, who have learned how to manipulate the “pay at pump” systems to steal credit and debit card data. This ranges from skimming cards at the pump through to malware installed on POS systems. A single operation in 2014 stole more than $2 million across three US states.

The basics of this security breach are simple: default usernames and passwords, technical data published online and little to no security.
