[ARTICLE] The price of fuel is not a problem for hackers!

Leaders in the oil industry are offering attractive new options such as the digitisation of petrol stations, thus surfing on the wave of the Internet of Things. Total offers payment by mobile phone using the eWallet application. In addition, gas pumps have long been and increasingly frequently connected to ensure their maintenance and monitoring[1]. In China, intelligent service stations are able to automatically detect the arrival of a motorist and immediately start the entire supply process[2]. Nevertheless, this digitization is not without risk, as evidenced by the recent cases of piracy in the department of Oise (Hauts de France region). On October 22, police arrested a man who had managed to hijack more than 2000 litres of gasoline after hacking into the gas pump[3]. This brilliant move confirms the extent to which connected industrial infrastructures are permeable to cyber attacks. Piracy of gas stations is not a first. From the early 2010’s, hackers were using skimmers to steal users’ bank details. What is new is piracy techniques, which are evolving as stations digitize. This article presents an overview of the main computer vulnerabilities at service stations.

How hacking station-service

Gas stations lose millions of dollars every year due to gas fraud. A surge in prices at the pump is leading to an increase in theft. While the purpose of gas station piracy is to embezzle money and steal gasoline for concealment purposes, there are different techniques that highlight the imagination of hackers. This ranges from intercepting bank data at the pump to malware installed on point-of-sale systems.

Installation of specific tools

Although handmade, skimmers are extremely effective. A skimmer is a kind of miniature magnetic stripe recorder, is placed where the user inserts his CB. Hackers have cloned credit cards for reuse or resale of bank details. At the same time, micro-cameras are placed above the keypad, providing criminals with an unobstructed view of the PIN codes[4]. By 2015, the Florida Department of Agriculture had requested the inspection of more than 7,000 gas stations in Florida State. The surprise was huge, when the Ministry’s special agents discovered the presence of 103 skimmers of bank data[5]. In 2016, several customers of a Breteuil gas station had their bank cards hacked. According to the investigation conducted by the Gendarmes, a skimmer had been installed on the payment terminal of one of the pumps[6].

Default passwords and malware

The attackers now focus on numerical means such as searching for vulnerable pumps on Shodan or installing malware. Gas station pumps are connected to the Internet with default passwords that owners could not change and controls that give an attacker full access to the machine, allowing attackers to have full access to the machine. The assailants don’t even have to be near the gas station. For example, Orpak Systems, which has developed and installed fuel management software in more than 35,000 service stations, has put its guides online, showing technical details, including passwords and screenshots of how to access its interface. Guides and gas stations were originally online for convenience. Several guides have since been deleted, but some Kaspersky experts have been able to find them thanks to a Google search…

In early 2018, intelligence officers (FBS) in Russia identified malware that trapped customers of compromised service stations. Car owners thought they were paying for the gasoline they were pouring into their vehicles. Only, a pirate would take up to 7% of the hijacked gasoline[7]. Finally, last July, a gas station in the southern suburbs of Detroit was also hacked. In just over an hour, nearly $1,500 worth of gasoline was stolen. Ten cars were able to fill up and leave without paying the bill. The most likely explanation for this incident would be the hacking of the gasoline inventory tracking software.

Case study: The connected remote control, Holy Grail of budding hackers

On 22 October 2018, a petrol station located in the department of Oise (Hauts de France region) was the victim of piracy. Indeed, criminals bought on the Internet a remote control usually used by repairers to take control of the pumps, an attack made possible by the presence of weak or known passwords. Indeed, in many cases, the original security code of the service station has never been changed by the owner or operator. These are often the factory passwords used by default. As part of the hacking of petrol stations in the Oise, the attackers waited until nightfall before starting their siphoning operation: a first car passes through and unlocks the pump using the remote control acquired on the Internet. A few minutes later, a commercial vehicle took over. This one contains a tank that can hold more than 2000 litres. Criminals fill this tank with gasoline that they have been able to obtain free of charge thanks to the modifications made to the pump by the pirate remote control[8]. The litres of stolen fuel will be sold on the black market. Indeed, the price of the fuel sold is at one euro, much cheaper than in pumps[9].

The gas station’s surveillance cameras allowed investigators to uncover the scheme; the same scheme was observed a few months earlier at another gas station in Cauffry where 90 litres of gasoline and 3,000 litres of diesel had been stolen. An investigation, conducted by the Beauvais research brigade and the Gendarmerie de l’Oise group, reported at least eight fuel theft attempts in the department between July 2017 and October 2018, representing nearly 16,000 litres of stolen gasoline.

Beyond the theft of petrol, hacking into petrol stations could cause serious damage

In January 2018, Kaspersky Lab published a study on gas station piracy revealing that more than 1,000 gas stations, from the United States to India, are vulnerable[10]. Gas stations thus have computer vulnerabilities that, once operated, allow hackers to perform different types of actions that can harm owners and customers.  In addition to hacking into pumps for personal enrichment, some hackers may consider sabotaging infrastructure for political reasons or simply by “playing” to test new compromise techniques and create buzz. Several attack scenarios are thus possible, if we take into account the techniques already used by the attackers and the new means of compromise that could emerge in the coming years:

  • Compromise a service station via connected or manual solutions (such as the remote control used in Oise service stations) in order to change the price of fuel and steal gasoline[11]. This leads to the paralysis of gas stations for a day or two while the repairers intervene. Significant financial losses are thus generated. Pirates, on the other hand, sell fuel on the black market, making huge profits for themselves. In addition, by siphoning gasoline, criminals could spill hydrocarbons when filling tanks and lead to pollution of sales and basements, or even cause a fire.
  • Hacking a gas station with default words, which unfortunately are not changed by the owners. This is the main vulnerability of the stations. In some cases, hackers could exploit the pump data by modifying them to the point of causing an explosion. Hackers could also access backbones to take control of surveillance cameras and other systems connected to a gas station or convenience store’s network.
  • An intruder accessing the service station can also connect directly to the payment terminal and either extract payment information or use payment methods directly to steal transactions.
  • According to Kaspersky Lab, a lot of information about how gas stations work is available online. Manufacturers display much of the device’s technical information, such as very detailed user manuals, various commands and a step-by-step guide on how to access and manage each interface, which allows potential attackers to learn how to enter the IS and even access management control. An attacker could increase the overflow limit of a tank to more than its capacity, which could cause the tank to overflow and start a fire or even a gas station explosion.
  • Finally, hackers could encrypt the stolen data on the management control of service stations and ask for a ransom in exchange or, in a particularly extreme case, even stop the station’s operations.

Conclusion

“Service stations are connected to the Internet for a variety of reasons. This is a real opportunity for attackers to take advantage of security weaknesses that have not been considered upstream by manufacturers, for example when designing or installing a service station. These comments, gathered from our security consultant Sylvain Hajri, show that connecting service stations to the Internet is a significant opportunity for hackers. With a simple remote control, it is thus possible to hack into certain pumps and make your theft profitable by selling the stolen litres on the black market. In France, there have already been 8,200 fuel thefts since the beginning of the year. As petrol station piracy is intrinsically linked to the increase in fuel prices, it is likely that this type of theft will increase in the coming years.