Tuesday, June 18, 2024

Several Gas Station Design Flaws Allow Attackers to Change the Price and Take Full Control of the Gas Station Remotely

The Executive Committee of the Mediterranean Association of ICT Experts (ASPERTIC), meeting at its winter assembly in Barcelona on 16 and 17 February 2018, presented a detailed report commissioned from several of the association's members.

The report describes the serious risk of an ecological disaster of major proportions, which could be caused by lack of skill, bad faith, organized crime and/or terrorism. The committee agreed to alert the authorities and to make the report public.

The report raises concerning issues about the state of industrial security, but centers mostly on two well-known issues regarding gas stations.

The first issue, discussed at length in the report, was already published on GBHackers as “Globally Gas Stations are Extremely Vulnerable to an Internet of Things (“IoT”) Cyber Attacks” and has been well known to the security community since at least 2015.

The second issue the report refers to, and the main focus of this article, is a set of gas station design flaws that allow attackers to CHANGE THE PRICE on the gas pumps remotely, but not only that.

What can a remote intruder actually do? Take full control of the gas station with minimal knowledge, since the maker of the pumps has published very detailed manuals for operating the systems.

  • More specifically, we are talking about flaws that allow attackers to steal credit cards, hijack payments, take control of surveillance cameras, scrape vehicle license plates and driver identities, shut down all fueling systems, halt the station’s operation and demand a ransom in exchange, execute code on the controller unit and, perhaps most concerning, cause fuel leaks with the risk of casualties.

The top 10 countries affected by these gas station design flaws, by number of detected systems:

  1. India 526
  2. United States 369
  3. Chile 242
  4. Singapore 188
  5. Israel 156
  6. Turkey 105
  7. Spain 98
  8. Netherlands 48
  9. Czech Republic 44
  10. United Kingdom 26

Ido Naor, a senior security researcher with Kaspersky Lab, and Amihai Neiderman, a former researcher with Azimuth Security, discovered the vulnerabilities and reserved the following CVEs with MITRE:

  • CVE-2017-14728 Hardcoded Administrator Credentials
  • CVE-2017-14850 Persistent XSS
  • CVE-2017-14851 SQL Injection
  • CVE-2017-14852 Insecure Communication
  • CVE-2017-14853 Code injection
  • CVE-2017-14854 Buffer Overflow allows RCE

Kaspersky and Motherboard published very detailed articles regarding the flaws. These systems have been exposed to the internet for more than a decade, and it is very worrying that they can be located with a simple search using only one keyword.

Any security professional expects these systems to be off the internet, or at least behind a VPN, and that is clearly not the case.

As we see, the problem is not only default admin credentials left unchanged, a common flaw on the integrator's side; it also lies in the development phase, where the credentials are “hardcoded”.

We want to stress the HIGH IMPORTANCE of these botched jobs as IoT spreads through critical infrastructure.

Nowadays, the ’80s myth about Russian pipeline sabotage leading to an explosion could be real: back in 2009, a storage tank at Bayamon (Puerto Rico) burned due to a glitch in the facility’s monitoring system.

Here we talk only about gas stations, something we have near our homes and are familiar with. But the risk runs all along the production and distribution chain of the Oil & Gas industry: extraction, processing, transporting and selling.

In 2008, cybercriminals had already intentionally manipulated alarms and communications on a Turkish pipeline, inducing an explosion and a spill of 5.000.000 liters of oil.

In 2012, cybercriminals broke into Telvent to steal the project files of its SCADA software, probably to find “holes” with which to attack Oil & Gas companies directly.

These are only some of the cases we have already suffered. We must be prepared and apply all the security resources we have in our hands: S-SDLC, Security-in-Depth, Red vs Blue Team strategies and, of course, community sharing and awareness.

Credits: This article was written by Antonio Fernandes & Claudio Chifa. All the content of this article belongs to the original authors. www.gbhackers.com won’t take any credits.

