
Gas thieves remotely pwn pump with mysterious device

In broad daylight, over the course of about 90 minutes, thieves somehow remotely froze pump software and stole 600 gallons of gas.

Last month, in broad daylight, thieves somehow hacked into a Detroit gas pump and, over the course of about 90 minutes, stole 600 gallons of gas.
The gas, worth about $1,800, was pumped into the tanks of 10 cars, all while the station attendant tried and failed to shut the gas pump down.
The attendant, Aziz Awadh, told Fox 2 Detroit that until he finally got an emergency kit to shut down the pump, he couldn’t get the system screen to respond:

I tried to stop it, but it didn’t work. I tried to stop it here from the screen, but the screen’s not working. I tried to stop it from the system, [but nothing was] working.

After Awadh finally got the pump shut down, he called police.
There are plenty of videos available online about button sequences that will get a pump to give you free (also known as stolen!) gas. But police say that the Detroit gas thieves were actually using a remote device to hack the pump. Police also told Fox that it’s an active investigation. As of Thursday, they weren’t sure whether all the people in the 10 cars were in on the theft.
The owner declined to share surveillance video with the TV station. But police told Fox that whatever device was used did, in fact, prevent the pump from being turned off from inside the station.
Police are looking for two suspects.
That’s about all we know at this point. One possible explanation is that the attackers targeted the fuel-management software used by the Marathon gas station.
As Motherboard reported earlier this year, two Israeli security researchers found multiple vulnerabilities in one automated system used to control fuel prices and other settings at thousands of gas stations around the world. The vulnerabilities would let attackers shut down fuel pumps, hijack credit card payments, steal card numbers, or reach backend networks and take control of surveillance cameras and other systems on a gas station’s or convenience store’s network. Or, more simply, an attacker could alter prices and steal fuel.
The researchers used the Shodan search engine to find thousands of vulnerable gas stations with internet-connected devices and systems. Although the web interface for the system in question is supposed to be password-protected, the researchers found a user manual on the fuel-management company’s website that listed a default password, and then found a deployed system on which that password had never been changed. From there, they were able to download the entire file system from the gas station’s site and analyze the code.
Of course, any software with a web interface is a potential target, and interfaces that aren’t password-protected are sitting ducks for anyone using Shodan, a search engine that indexes internet-connected devices of all sorts, from webcams to Internet of Things (IoT)-enabled stuffed toys to, well, IoT anything, fuel-management software included.
We should always assume that leaving a default password on an internet-connected device is the same as using no password at all: the password is in the manual, and the manual is online. But that still doesn’t tell us anything about the device used to remotely pwn the Detroit gas pump.
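The default-password check described above, as an added example (this is not code from the original article, nor from the researchers or the vendor): a small audit that tries a short list of vendor-manual default logins against each management web interface in an inventory and reports which ones accept them. The HTTP Basic auth scheme, the credential list and the interfaces themselves are all assumptions; two mock interfaces are started in-process so the script runs offline, one still on a manual default and one with a changed password.

```python
"""Default-credential audit for web-managed devices (added example, not
code from the original article). Assumptions, all hypothetical: the
management interface uses HTTP Basic auth, DEFAULT_CREDS is the list of
default logins found in the vendor manual, and the two 'devices' are mock
servers started in-process so the script runs offline."""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample: default logins as a vendor manual might list them.
DEFAULT_CREDS = [("admin", "admin"), ("admin", "1234"), ("operator", "operator")]


def basic_token(user, password):
    """Value of the Authorization header for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class MockInterface(BaseHTTPRequestHandler):
    """Mock management page: 200 with the right Basic credentials, else 401."""
    accepted = ("admin", "admin")  # overridden per mock server

    def do_GET(self):
        if self.headers.get("Authorization") == basic_token(*self.accepted):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"site configuration")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="pump"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock(accepted):
    """Start a mock interface on a free loopback port; returns the server."""
    handler = type("Handler", (MockInterface,), {"accepted": accepted})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def accepts_login(url, user, password, timeout=3):
    """True if the interface at url accepts user/password; False on 401/403."""
    req = Request(url, headers={"Authorization": basic_token(user, password)})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except HTTPError as err:
        if err.code in (401, 403):
            return False
        raise  # anything else is an error worth seeing, not a 'no'


def audit(urls, creds=DEFAULT_CREDS):
    """Map each url that accepts a default login to the (user, password) pair."""
    findings = {}
    for url in urls:
        for user, password in creds:
            if accepts_login(url, user, password):
                findings[url] = (user, password)
                break  # one hit is enough; don't hammer the device
    return findings


def demo():
    """Two mock interfaces: one still on a manual default, one changed."""
    weak = start_mock(("admin", "1234"))
    strong = start_mock(("admin", "correct horse battery staple"))
    try:
        urls = {"weak": f"http://127.0.0.1:{weak.server_port}/",
                "strong": f"http://127.0.0.1:{strong.server_port}/"}
        found = audit(urls.values())
        return {name: found.get(url) for name, url in urls.items()}
    finally:
        weak.shutdown()
        strong.shutdown()


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'default login accepted ' + repr(hit) if hit else 'ok'}")
```

Run it against your own inventory by replacing the mock URLs with real hosts you are authorised to test; the audit stops at the first accepted login per host and treats anything other than a 401/403 as an error to investigate rather than a silent "no", so a misconfigured or unreachable interface is not mistaken for a secured one.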


All we know, at this point, is that gas stations are ripe for the plucking in multiple ways, whether by plain old analog siphoning or by digital means.
For example, in January, we reported on Russian authorities having uncovered a massive fraud ring that installed malicious software at gas pumps, making customers think they were getting more fuel than they were. In fact, they were pumping up to 7% less than they were being charged for.
A few years back, we also saw a spate of Bluetooth-enabled, banking-data-gobbling skimmers installed at gas stations in the Southern US.
Eventually, 13 alleged thieves were charged with forging bank cards using details pinged via Bluetooth to nearby crooks from devices that were impossible for gas-buying customers to detect, given that the skimmers were installed internally.
But using Bluetooth presents a problem for crooks: given the limited range of this wireless technology, thieves have to hang around nearby. It also means that anybody else using Bluetooth in the vicinity could get an eyeful of “Oooo, payment card details up for grabs!”
But last year, New York City police started to see a new sort of skimmer on gas pumps that cuts the Bluetooth tie, instead relying on wireless GSM text messages to get card details to the crooks anywhere in the world.


14 Comments

I find it implausible that the attendant could not turn off the pumps. Gas stations should all have an emergency shut off switch that stops all pumps in case of fire. The attendant could have used that, and if it did not work, then that is a clear safety violation.
Also, why did the attendant wait till after the pumps were off before he called the cops?

Perhaps the gas station attendant thought he was in a bad movie like the ones where everyone flounders around while their systems are being hacked remotely yet no one tries cutting the hardlines.

More likely the owners only bothered making sure the attendant knew the normal way to shut it down and he had to phone them to find out about the main kill switch.

I’d like to think we have a federal regulation in the US that requires gas stations to feature a readily accessible, emergency kill switch (as mentioned by s31064), but maybe it’s only a requirement in some states like California. :) In fairness, I wonder these days how many people here know that one should exist.

How can 10 cars hold 600 gallons of gas? That is 60 gallons per car; that is one big tank.

Maybe it *was* one big tank, specially modified (and nine normally-sized ones).
Having said that, nothing about this story adds up. (The thing that really doesn’t add up if you live in the UK is the idea of 600 US gallons [*] of petrol for $1800. By my calculator, that is about 2200 litres for £1350, which comes out at, what, 60p a litre. Are you SERIOUS?)
[*] The US, unsurprisingly, never adopted Imperial measures. For marketing reasons, hundredweights grew to 112 pounds and pints expanded to 20 fluid ounces during the reign of Queen Victoria.

The price is about right. Petrol (“gas”) in the US currently (2018) runs a bit less than USD $3 per (US) gallon, in most places. So that part of the story is right on – 600 gallons at $3/gallon would be about $1800.
However, to have 10 vehicles steal 600 gallons, at least some of the vehicles would have had to have special storage tanks. Even the biggest SUVs and pickup trucks rarely have fuel tanks bigger than 40 gallons. About 25 to 30 is more normal.

Sorry, I don’t believe it. All fuel pumps in the US have to have physical emergency cutoffs for power in case of fire. It doesn’t matter if the system is hacked, if the pump has no power, no fuel is going to be coming out.

This is a very interesting story. It’s highly, highly unlikely that the attendant was unable to shut the pump down from inside. There are a myriad of safety and EPA regulations violated if he/she could not. Why did the attendant not call the police when they first noticed something odd/illegal was happening?
“As of Thursday, they weren’t sure whether all the people in the 10 cars were in on the theft.” If those 10 cars received stolen gas, they were involved in the theft. Why would the police be looking for 2 suspects when there were 10 cars involved? How can the police be so sure that the device cut access to the attendant when they don’t even know what kind of device was used or how it works?
I was unable to find this story on any other reliable news sources. The whole story seems dubious. I wonder if the phrase insurance fraud applies here.
1 gallon = 3.78541 liters
600 gallons = 2271.25 liters
$1 = .75£
$1800 = 1358.15£
2271.25 liters for 1358.15£ = 1.67£/liter
1.67£/liter or $6.32/gallon

You got the division of “2271 litres at a cost of £1350” upside down.
(If you divide litres by pounds, as you did, you don’t end up with pounds per litre. Your result is 1.67 litres per pound. Take the reciprocal to convert to pounds per litre. And 1/1.67 is basically 3/5, or 0.60, which comes out at 60p/litre, as I calculated above. That’s less than half the regular pump price in the UK.)

Paul – you can’t compare pump prices like that; you are actually comparing taxes, not the cost of fuel. Yesterday the cost of regular gasoline at the closest station to me was $3.49 per gallon, or $0.921 per liter (Google says that is 0.69 Pound sterling or 0.78 Euro today). We also have one of the highest state fuel tax rates in the country, as well as one of the highest pump prices in the country. The US has chosen not to place extreme taxes on fuel to pay for programs unrelated to transportation. With some exceptions, fuel taxes in the US are primarily used to pay for transportation infrastructure and administration. My state of Washington does not have a state income tax, so they do dip into fuel taxes for some unrelated purposes, but it is relatively limited. Fuel costs are based on Federal tax plus state and local taxes. If our national fuel tax rates were as high as Europe’s the national economy would collapse because of the cost of transporting goods and services.
Just to make you feel better, a few years ago I saw a comparison of fuel costs (actual cost of fuel excluding taxes) and gasoline in the UK was actually less expensive than in the US. The rest is taxes. I’m sure your government appreciates your generosity.

I most certainly *can* compare pump prices like that – indeed, that is exactly what I did, and exactly what I intended to do.
Indeed, if I actually had a car licensed for private use on public roads, and needed to fill it up with fuel – whether I lived in the UK or the US – I would be required by law to refuel at a properly-licensed fuelling station, and I would be charged the pump price.
For all you know, if your national fuel taxes were as high as in the EU, your economy might improve – you’d probably end up transporting more goods by train; you might be able to revitalise local economies by encouraging people to shop for local products in local stores instead of driving to the mall to buy goods that were transported multiple times from farms to processing plants, then for packaging, and warehousing, and shipping to the store, and then from the store to your fridge; people might walk to the local shops once a day and thus be healthier; you wouldn’t need (or want) to drive gas-guzzlers…
…who can say?
All I know is that I intended to compare pump prices, I did compare pump prices, and IIRC I did the sums correctly.

Hard to believe. I’ve installed fuel pump electronics; there are too many safety features in line to make it plausible that the attendant couldn’t shut down the pumps…
