According to CNET, Kaspersky Lab researchers released a study on gas station vulnerabilities last month, pointing out that more than 1,000 gas stations from the United States to India may face cyber attacks. The problems stem from gas station controllers that can connect to the Internet. The owner cannot change the default password, and an attacker has full access to the machine.
On Friday, Ido Naor, a senior security researcher at Kaspersky Lab, and Amihai Neiderman, an Israeli security researcher, gave a comprehensive analysis of gas station security at Kaspersky's Security Analyst Summit in Cancun, Mexico. Their research shows that attackers can change gas prices, steal credit card information recorded on controllers, obtain license plate numbers, cause oil leaks, adjust temperature monitors, and so on.
Neiderman explained: "When we get root permissions, we can do anything we want to do." Naor said that the attacker does not even need to go anywhere near the local gas station. The controllers at these gas stations can all be connected to the Internet, and their passwords are weak, so an attack can be carried out remotely.
The software comes from Orpak Systems, a fuel management company that was acquired in May last year by Gilbarco Veeder-Root Corporation of North Carolina. According to Orpak, its software has been installed at more than 35,000 gas stations worldwide. Orpak published its guide on the web, showing details of the gas station technology, including how to access the password and screenshots of its interface. These companies did not respond to requests for comment.
These vulnerabilities highlight the problems with IoT devices, which have been widely criticized for their lack of security. Insecure webcams and DVRs connected to the Internet have allowed hackers to launch large-scale cyber attacks. But at gas stations, Naor said, the risk of dangerous attacks is much higher. In extreme cases, hackers may adjust the pressure and temperature inside the fuel tank and may cause an explosion.
Naor and Neiderman stated that they contacted suppliers in 2017 but were mostly ignored. Neiderman stated that these vulnerabilities are likely to remain. These machines are outdated, sometimes more than a decade old, and so is the software, he added.