Gas stations worldwide have been exposed for years to remote
hacker attacks due to several vulnerabilities affecting the automation software
they use, researchers at Kaspersky Lab have reported.
A week ago, Motherboard revealed how a security researcher
discovered backdoor access to fuel stations around the world. Kaspersky, which
was involved in the original research, has now disclosed more details in a
blog post by Ido Naor. The details show how older, once-accepted practices among
industrial systems designers are making life easy for hackers.
“Before the research, we honestly believed that all fueling
systems, without exception, would be isolated from the internet and properly
monitored. But we were wrong,” explained Kaspersky’s Ido Naor. “With our
experienced eyes, we came to realize that even the least skilled attacker could
use this product to take over a fueling system from anywhere in the world.”
The vulnerable product is SiteOmat from Orpak, which the vendor
advertises as the “heart of the fuel station.” It is designed to run on embedded
Linux machines or a standard PC and is marketed as providing “complete and
secure site automation, managing the dispensers, payment terminals, forecourt
devices and fuel tanks to fully control and record any transaction.” The software,
currently installed in over 1,000 stations, allows remote access from the Internet,
and Kaspersky’s researchers found that the “secure” part is not exactly true.
In many cases the controller had been placed in the fuel
station over a decade ago and had been connected to the internet ever since.
The manufacturer was notified when the threat was confirmed.
Over half of the exposed stations are located in the United States and India.
Fuel stations are already good pickings for hackers. They
have learned how to manipulate the “pay at pump” systems to steal credit and
debit card data. This ranges from skimming cards at the pump through to malware
installed on POS systems. A single operation in 2014 stole more than $2 million
across three US States.
The basics of this security breach are simple: weak or absent
security controls, default usernames and passwords left in place, and technical
documentation for the product published online.