Anonymous HACKED GAS STATIONS - and could cause FUEL SHORTAGES

Hackers – possibly affiliated with Anonymous – have already attacked at least one internet-connected gas (petrol) station pump monitoring system. Evidence of malfeasance, uncovered by Trend Micro, comes three weeks after research about automated tank gauge vulnerabilities from Rapid7, the firm behind Metasploit. Automated …

  1. Munin

    This was only vandalism, but if you read the manual...

    There's a lot of other things you can do if you read the manual about how to interface with that model device.

    For instance, if you (the evil black-hat bent on causing trouble) decided to, you could alter the amount of water reported to be in the tank - something which would call for a shutdown of fuel service and for someone to run a test on the tank to determine how much water is present.

    Alternatively, you can change the tank's diameter to 0, which sets off all manner of alarms, some of which conflict with each other - a rather Hollywood sort of error condition, where everything lights up and buzzers sound and all that jazz.

    Or you could change the reported fuel level to something minuscule, so that the fuel truck will attempt to deliver several hundred more gallons to the tank than there is space for, potentially resulting in a nasty spill.

    Or why not change the threshold for the leak detection vapor pressure? This one's nice and subtle, and results in vastly reduced fuel flow at the pump, so those few who do stay around to pump fuel end up having to spend much longer (thus taking up space) at the pump than they would otherwise.

    All of this is nicely documented in the manual from the manufacturer, freely available online to anyone with half a clue of what to look for.

    Needless to say, attaching unauthenticated devices directly to the internet is a very bad idea, and those persons who made that choice need to be sacked forthwith.

    1. Paul Crawford Silver badge

      Re: This was only vandalism, but if you read the manual...

      No doubt the manual also warns of the consequences of being a moron and making all of this visible & vulnerable to world+dog?

      Various countries, and recently the UK, have already regulated the installation of electrical wiring to prevent stupid things being done that put lives at risk due to fire or shock. It is high time that those who put important stuff (or personal stuff via smart TVs, etc) on the Internet are held accountable for gross stupidity and not applying best-practice precautions that any 1st year computing course ought to teach.

      1. Mark 65 Silver badge

        Re: This was only vandalism, but if you read the manual...

        Isn't it great when they map the serial port to an internet port without making the connection read-only and requiring updates/maintenance to be carried out in person?

    2. Anonymous Coward

      Re: This was only vandalism, but if you read the manual...

      I know something about site systems used at service stations, and believe it or not, most developers working in the area do take security pretty seriously. Some gear in the field is obviously insecure, but probably oddball or old equipment, as most ATG systems are from a couple of big companies like GVR (Gilbarco Veeder-Root), and they do know what they are doing.

      Mostly ATGs are read only devices that are pretty simple - they report back a numeric value which is just another value to feed into the back-office system and pushed up through to head-office. ATG's do get a little more complex (things like manifolded tanks & leakage detection), but smarts are often located away from sensor kit and in the more secure systems upstream taking the raw data and reconciling it.

      Although there can be ATG configuration, (units reported, fuel grade etc), should be very little possible without admin access, as normally people working at a station are locked out from tampering with this at any level (you don't want your overnight staff stealing a few hundred litres every night by tampering with levels). Suspect the hackers in this case tampered with the easy stuff (sensor label) which is something you might want to be easily tweakable on site, but not important or a critical system.

      Most of the other scenarios are pretty unlikely as ATG's are just another sensor in the network; the hose nozzles also measure flow, so ATG is sanity checked against total fuel dispensed and expected losses (evaporation / leaking ). At least in systems I have seen, the site manager checks the reads each shift-end and manually checks and updates readings to account for any delivery. They can also correct things like the staff entering that 5K litres were delivered into tank1, when the driver actually put it into tank2, and go out and manually dip tanks, as ATG's can and do fail or screw up from time to time.

      Tanker drivers don't often have real-time access to ATG data at hand, so they tend to monitor the delivery and would top up tanks with overflow protection on the tanker pumps, so avoid big spills.

      Just because a sensor is on the web, and can have a label modified, does not imply to me that the systems are dangerously vulnerable. Generally people forget that sensors on a Scada system are expected to fail or go wrong from time to time, so generally very unlikely that bad things will suddenly happen automatically if one part of a network is compromised.
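The reconciliation described in the comment above (ATG level checked against fuel metered at the nozzles, declared deliveries and expected losses) can be sketched as follows. This is an added example, not part of the original comment or any vendor's software; the tolerance, loss rate, field names and sample figures are assumptions constructed for illustration.

```python
from dataclasses import dataclass

TOLERANCE_L = 50.0   # assumed gauge noise per shift, litres
LOSS_RATE = 0.005    # assumed evaporation/handling loss as a fraction of sales

@dataclass
class ShiftRead:
    tank: str
    open_l: float       # ATG level at shift start
    close_l: float      # ATG level at shift end
    dispensed_l: float  # metered at the nozzles mapped to this tank
    delivered_l: float  # delivery declared by staff for this tank

def reconcile(r):
    """Compare the ATG reading with book stock derived from the other sensors."""
    expected = r.open_l + r.delivered_l - r.dispensed_l
    variance = round(r.close_l - expected, 1)
    allowed = TOLERANCE_L + LOSS_RATE * r.dispensed_l
    if variance < -allowed:
        return "LOW", variance    # leak, theft, or an altered reading
    if variance > allowed:
        return "HIGH", variance   # water, wrong delivery entry, or an altered reading
    return "OK", variance

def find_misrouted(reads):
    """Pair a LOW tank with a HIGH tank whose variances cancel out:
    a delivery booked against the wrong tank, correctable by the site manager."""
    res = {r.tank: reconcile(r) for r in reads}
    lows = [t for t, (v, _) in res.items() if v == "LOW"]
    highs = [t for t, (v, _) in res.items() if v == "HIGH"]
    return [(lo, hi) for lo in lows for hi in highs
            if abs(res[lo][1] + res[hi][1]) <= 2 * TOLERANCE_L]

def unexplained(reads):
    """Out-of-tolerance tanks not explained by a misrouted delivery: dip manually."""
    paired = {t for pair in find_misrouted(reads) for t in pair}
    return [r.tank for r in reads
            if reconcile(r)[0] != "OK" and r.tank not in paired]

# Constructed sample shift: 5,000 L booked to tank1 but dropped into tank2;
# tank4's gauge reports a level the sales figures cannot account for.
SHIFTS = [
    ShiftRead("tank1", 20000, 17010, 3000, 5000),
    ShiftRead("tank2", 15000, 17995, 2000, 0),
    ShiftRead("tank3", 10000, 8990, 1000, 0),
    ShiftRead("tank4", 12000, 400, 1500, 0),
]

if __name__ == "__main__":
    print(find_misrouted(SHIFTS), unexplained(SHIFTS))
```

A gauge value that disagrees with the nozzle meters and delivery records shows up as an unexplained variance, which is the cue for a manual dip rather than an automatic action.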

  2. Marketing Hack Silver badge
    Facepalm

    Hooray for thoughtless, insecure deployment of technology!!

    The world being what it is, gas pump monitoring and control is just as important as securing electric power, natural gas or potable water distribution. I'm sure there are ecologically-minded and technologically literate types who might consider sticking it to Big Oil by shutting down or disrupting fuel supplies to gas stations, or people who might do that unless they are paid off by gas station owners, or other hackers who might just do it for lulz.

    In the meantime we risk having people who can't get to work or home, emergency vehicles that can't move and goods not getting to customers because the vehicle refueling infrastructure got compromised.

    1. BobRocket

      Re: Hooray for thoughtless, insecure deployment of technology!!

      'In the meantime we risk having people who'... might be a little bit inconvenienced.

      FFS, when I was a kid people only worked a three day week (the power was off for the other four).

      When I got older, bodies piled up on street corners but still the world turned.

      Tankers, Tanks, Pumps and Tills were and are separate systems. (tied together with bits of string)

      Out of boundary conditions trigger alarms.

      Failure of bits of it is an everyday occurrence but it doesn't really matter.

      If a tank reports an abnormal low level (not matched by sales through the pump or declared deliveries) then it is assumed to be leakage - Call EPA and rebalance pump nozzles to use alternative tanks.

      Again with high level, assume water, call someone and shut tank. (there is a tank to pump map, just lock a couple of nozzles)

      No tank readings ? Use dipsticks.

      Did you not read the history provided, in the old days people used to do this stuff by hand.

      1. Marketing Hack Silver badge

        Re: Hooray for thoughtless, insecure deployment of technology!!

        If bad guys are manipulating tank level readings ("Doesn't look like Johnson's Shell needs a new tanker of unleaded") or doing other nefarious things, it could put a real crimp in local mobility, especially in rural areas where there might be 2-3 gas stations within 20 miles.

    2. Matt Bryant Silver badge
      Facepalm

      Re:Marketing Hack Re: Hooray for thoughtless, insecure deployment of technology!!

      ".....In the meantime we risk having people who can't get to work or home, emergency vehicles that can't move and goods not getting to customers because the vehicle refueling infrastructure got compromised." Please do try and contain your hyperventilating hysteria. If you read the article you would have seen the bit about how the researchers actually found very few vulnerable systems around the whole World.

  3. moiety

    "The internet will be so many IP addresses because of IPv6, so many devices, sensors, things that you're wearing, things that you're interacting with that you won’t even sense it, it will be part of your presence all the time. Imagine you walk into a room, and the room is dynamic, right?

    And – again – with your permission and all of that, you're interacting with the things going on in the room, a highly personalised, highly interactive and very interesting world emerges because of the disappearance of the internet."

    --Google exec chairman Eric Schmidt

    The IoT is seeming pretty noticeable so far....

    1. BobRocket

      Imagine you walk into a room, and the room isn't dynamic, what?

      The IoT is seeming pretty noticeable so far....

      Have you any idea how much work It takes to make your life as seamless and real as it is now?

      If there were no problems then you would just go mad and die.

      Such is life.

      1. John Brown (no body) Silver badge

        "Have you any idea how much work It takes to make your life as seamless and real as it is now?"

        And every now and then there's a deja vu glitch to let you know the Agents are coming.

  4. petur
    Go

    VPN

    nuff said

  5. Message From A Self-Destructing Turnip
    Holmes

    changed from “DIESEL” to “WE_ARE_LEGION.”

    So how do the "researchers" know that the pump was previously named "DIESEL" ?

    1. Anonymous Coward
      Coat

      Re: changed from “DIESEL” to “WE_ARE_LEGION.”

      Dark green font.

      1. BobRocket

        Re: changed from “DIESEL” to “WE_ARE_LEGION.”

        Black := Derv

        Yellow:= Some kind of chip fat

        Green:= Unl

        Blue:= Unl Super (I think)

        Red:= Leaded

        Should also have used circle, triangle, square, rectangle and star in standard combination.

        Derv nozzles have wider diameter than Petrol nozzles

        (colour.shape.size, there must be an XKCD in that)

        They didn't change the pump display, only the reporting of the variable value

        1. Message From A Self-Destructing Turnip

          Re: changed from “DIESEL” to “WE_ARE_LEGION.”

          Yeah I get that only the variable value was changed. I was suggesting that knowledge of the previous value implies possible involvement in changing the value, as the story has little impact otherwise without the anonymous angle.

          1. BobRocket

            Re: changed from “DIESEL” to “WE_ARE_LEGION.”

            'knowledge of the previous value implies possible involvement in changing the value'

            yep.

        2. John Brown (no body) Silver badge

          Re: changed from “DIESEL” to “WE_ARE_LEGION.”

          "Red:= Leaded"

          I've not seen a leaded pump in years!

          I remember when the choice was 2 star, 3 star, 4 star and, for those fancy luxury cars driven by rich people, even 5 star.

          Dad would always put 3 star in but now and then would "treat" the car to 4 star. :-)

          These days, practically every pump I see has two identical diesel nozzles and an unleaded one with a separate pump for LPG. Can't say I ever see super unleaded anymore, let alone bio-diesel. Maybe at smaller places. Harvest Energy or some such and similar places.

  6. Anonymous Coward

    And He asked him, "What is thy name?" And he answered, saying, "My name is Legion: for we are many." - Mark 5:9

    This was obviously the work of fundamental Christians who want to preserve the dinosaur bones their ancestors rode around on.

    1. P. Lee Silver badge
      Facepalm

      >This was obviously the work of fundamental Christians

      I don't think those who spoke the "We are Legion" line were Christians. Jesus kicks them out and they can't even control pigs.

  7. NoneSuch

    Not my circus.

    Not my monkeys.

  8. Anonymous Coward

    Is there any doubt?

    I mean really, is there any doubt why all hackers should not be executed?

    1. Paul Crawford Silver badge

      Re: Is there any doubt?

      I mean really, is there any doubt why all anonymous trolls should not be executed?

      1. Anonymous Coward

        Re: Is there any doubt?

        Paul, you appear to be an anonymous troll so apparently you feel you should be executed. I concur.

        1. Paul Crawford Silver badge

          Re: Is there any doubt?

          You might want to look up "anonymous", it kind of is opposite to declaring a consistent name.

  9. Matt Bryant Silver badge
    Facepalm

    "WE_ARE_LEGION"

    YOU_ARE_MORONS, get over yourselves. Wow, you "hacked" a system with no security, just so gosh-darn 1337 of you! Not. You are nothing more than supporting evidence for the idea there should be an IQ test before people are allowed to use the Internet.

    1. phuzz Silver badge
      Trollface

      Re: "WE_ARE_LEGION"

      I think it's more that anyone who hacks something, and knows there might be some comeback will put in a bunch of references to anonymous just to muddy the waters.

      Someone on 4chan (or wherever) is bound to claim responsibility for this just to sound cool, leaving the real hacker to find a way to sell the skill they now have.

  10. swampdog

    Govt Spokesperson

    Dammit. I've not read the article. Even if I had, I wouldn't understand it but ffs my opinion is worth as much as all you three gender scientists. ;-)
