Wednesday, October 16, 2024
HomeHacksSeveral Gas Station Design Flaws Allows Attackers to Change the Price and...

Several Gas Station Design Flaws Allows Attackers to Change the Price and Take Full Control on the Gas Station Remotely

Published on

Malware protection

The Executive Committee of the Mediterranean Association of ICT Experts (ASPERTIC), meeting at its winter assembly in Barcelona on 16 and 17 February 2018, revealed a detailed report commissioned to several of the association members.

This report reveals the gravity that constitutes a certain risk of an ecological disaster of serious proportions, which can be caused by lack of skill, bad faith, organized crime and/or terrorism and agree to raise the authorities and make public said report.

This report reveals concerning issues about the state of industrial security but centers mostly on two very known issues regarding gas stations.

- Advertisement - SIEM as a Service

The first issue largely discussed in the report was already published on GBHackers “Globally Gas Stations are Extremely Vulnerable to an Internet of Things (“IoT”) Cyber Attacks” and it’s a very known issue by the security community since at least 2015.

The second issue that the report refers to and the main focus of this article is related to several gas station design flaws that allow attackers to CHANGE THE PRICE on the gas pumps remotely but not that.

What can a remote intruder actually do? Take full control of the gas station with minimal knowledge since the maker of the pumps has published very well detailed manuals for operating the systems.

  • But more specifically we are talking about flaws that will allow attackers to steal credit cards, hijack payments, take control of surveillance cameras, scrape vehicle license plates and driver identities, shut down all fueling systems, halt the station’s operation, demanding a ransom in exchange, execute code on the controller unit and maybe the most concerning one can cause fuel leaks with the risk of casualties.

The top 10 countries affected by a number of detected systems by this Gas Station Design Flaws

  1. India 526
  2. United States 369
  3. Chile 242
  4. Singapore 188
  5. Israel 156
  6. Turkey 105
  7. Spain 98
  8. Netherlands 48
  9. Czech Republic 44
  10. United Kingdom 26

Ido Naor, a senior security researcher with Kaspersky Lab, and Amihai Neiderman, a former researcher with Azimuth Security, discovered the vulnerabilities and reserved the following CVE with MITRE:

  • CVE-2017-14728 Hardcoded Administrator Credentials
  • CVE-2017-14850 Persistent XSS
  • CVE-2017-14851 SQL Injection
  • CVE-2017-14852 Insecure Communication
  • CVE-2017-14853 Code injection
  • CVE-2017-14854Buffer Overflow allows RCE

Kaspersky and Motherboard published very detailed articles regarding the flaws. These systems have been exposed to the internet for more than a decade and is very much worrying that we can locate them with a simple search using only one keyword.

Any security professional expects these systems to be off the internet or at least behind VPN and it is clearly not the case.

As we see not only default unchanged admin credentials is a usual flaw by an integrator, also the problem is in the development phase “hardcoding” them.

We want to remark the HIGH IMPORTANCE of these botched jobs while IoT is increasing in Critical Infrastructures.

Nowadays, the 80’s myth about Russian pipeline sabotage that leads to an explosion could be real, back in 2009 a storage tank at Bayamon (Puerto Rico) burns due to a glitch in the facility’s monitoring system.

Here we talk only about Gas Stations, something that we have near our homes and becomes familiar. But the risk is all along the production and distribution chain in Oil & Gas Industry. Extraction, Processing, Transporting and Selling.

In 2008 cybercriminals already intentionally manipulates alarms and communications in a Turkish pipeline inducing an explosion and spill of 5.000.000 liters of oil.

In 2012 some cyber criminals break into Telvent to steal the project files of their SCADA software, probably to find “holes” to attack directly Oil & Gas Companies.

There are only some cases that we had already suffered. We must be prepared and apply all the security resource we have in our hands… S-SLDC, Security-in-Depth, Red vs Blue Team strategies and of course, community sharing and awareness.

Credits: This Article was Written by Antonio Fernandes & Claudio ChifaAll the Content of this Article Belongs to Original Authors. www.gbhackers.com won’t take any credits.

Latest articles

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Raptor Train Botnet That 60,000+ Compromised Devices

Researchers discovered a large, Chinese state-sponsored IoT botnet, "Raptor Train," that compromised over 200,000...

Telegram Bot Selling Phishing Tools to Bypass 2FA & Hack Microsoft 365 Accounts

A newly discovered phishing marketplace, ONNX Store, empowers cybercriminals to launch sophisticated attacks against...

Mobile Device Management Vendor Mobile Guardian Hacked

 Mobile Guardian, a leading Mobile Device Management (MDM) vendor, experienced unauthorized access to its...