Gas thieves remotely pwn pump with mysterious device

Last month, in broad daylight, thieves somehow hacked into a Detroit gas pump and, over the course of about 90 minutes, stole 600 gallons of gas.

The gas, worth about $1,800, was pumped into the tanks of 10 cars, all while the station attendant tried and failed to shut the gas pump down.

The attendant, Aziz Awadh, told Fox 2 Detroit that until he finally got an emergency kit to shut down the pump, he couldn’t get the system screen to respond:

I tried to stop it, but it didn’t work. I tried to stop it here from the screen, but the screen’s not working. I tried to stop it from the system, [but nothing was] working.

After Awadh finally got the pump shut down, he called police.

There are plenty of videos available online about button sequences that will get a pump to give you free (also known as stolen!) gas. But police say that the Detroit gas thieves were actually using a remote device to hack the pump. Police also told Fox that it’s an active investigation. As of Thursday, they weren’t sure whether all the people in the 10 cars were in on the theft.

The owner declined to share surveillance video with the TV station. But police told Fox that whatever device was used did, in fact, prevent the pump from being turned off from inside the station.

Police are looking for two suspects.

That’s about all we know at this point. One possible explanation is that the attackers targeted the fuel-management software used by the Marathon gas station.

As Motherboard reported earlier this year, two Israeli security researchers have discovered multiple vulnerabilities in one automated system used to control fuel prices and other information at thousands of gas stations around the world. The vulnerabilities would enable attackers to shut down fuel pumps, hijack credit card payments, steal card numbers, or access backend networks to take control of surveillance cameras and other systems connected to a gas station or convenience store’s network. Or then again, an attacker could simply exploit the vulnerabilities to alter prices and steal fuel.

The researchers used the Shodan search engine to search for thousands of vulnerable gas stations with internet-connected devices and systems. Although the web interface for the system in question is supposed to be password-protected, the researchers found a user manual on the fuel-management company’s website that contained a default password. After that, they found a system that hadn’t changed the default password. From there, they were able to download the entire file system from the gas station’s site and analyze the code.

Of course, any software with a web interface is a potential target, and the ones that aren’t password-protected are sitting ducks when you use Shodan, a search engine for unsecured internet-connected devices of all sorts, from webcams to Internet of Things (IoT)-enabled stuffed toys or, well, IoT anything, really, including fuel-management software.

We should always assume that using a default password with an internet-connected device is the same as using no password at all, for sure. But that still doesn’t tell us anything about the device used to remotely pwn the Detroit gas pump.

All we know, at this point, is that gas stations are ripe for the plucking via multiple ways, be they plain old analog siphoning or digital.

For example, in January, we reported on Russian authorities having uncovered a massive fraud ring that installed malicious software at gas pumps, making customers think they were getting more fuel than they were. In fact, they were pumping up to 7% less than they were being charged for.

A few years back, we also saw a spate of Bluetooth-enabled, banking-data-gobbling skimmers installed at gas stations in the Southern US.

Eventually, 13 alleged thieves were charged with forging bank cards using details pinged via Bluetooth to nearby crooks from devices that were impossible for gas-buying customers to detect, given that the skimmers were installed internally.

But using Bluetooth presents a problem for crooks: given the limited range of this wireless technology, thieves have to hang around nearby. It also means that anybody else using Bluetooth in the vicinity could get an eyeful of “Oooo, payment card details up for grabs!”

But last year, New York City police started to see a new sort of skimmer on gas pumps that cuts the Bluetooth tie, instead relying on wireless GSM text messages to get card details to the crooks anywhere in the world.