16 August 2015

Hackers are Attacking US Gas Pumps

When I worked for Paul Keeshin, at Keeshin Charter Service, between 1985 and 1997, I had the opportunity to work on the "Red Jacket" series of pump controllers and tank monitoring equipment.

The Red Jacket software enabled us to tightly control the amount of fuel that went into our motor coaches and service trucks, preventing theft by drivers who also owned diesel-powered trucks. It also tied back into the Versys Charter trip scheduling software, and, based on the engine operating hours and mileage driven, all entered by the driver or fueler, at the pump, and allocated to the vehicle being fueled at the time of fueling, kept track of vehicle maintenance intervals.

As early as 1989, our computer systems, at all four of our locations, were interconnected. Our main servers were located at 615 W 41st in Chicago, and our O'Hare and McCormick Place offices had access to all of the charter, service work, fuel consumption, maintenance scheduling, maintenance statistics, parts inventory, and lots of other information. During the early 90s, I also made access available via telephone dial-up, and, eventually, the Internet: a feature which allowed incredible growth and gave Keeshin Charter Service a unique edge in our industry at the time.

As part of the software interface, I worked diligently to ensure strong passwords were used, at both the administrative and the user level. I took a bit of heat from my co-workers, from the software vendor, and from other users of the software over the fact that I voiced my concerns about security and "back doors". They balked at my insistence on higher than what were then considered normal security measures, but we never had an incident of hacking or inappropriate information access.

Now, because of the fact that so much tech support is being centralized, remotely accessible software security has fallen by the wayside.

Standardized and default passwords, which make it easier for support personnel to remotely access fueling systems to troubleshoot or update the software, also allow hackers easy access.

Many of the fueling software systems are easy to get into, because they're still protected by "default" passwords. In other cases, a "standard" password has been established so that any one of up to several hundred techs can remotely access the software.

Here's a fact, and, yes, it's meant to scare you:

Gas monitoring systems or automated tank gauges (ATG) keep an eye on fuel levels, volume and temperature, among other stats.

When not properly secured, and left unprotected, fuel system software can be manipulated to do something extremely destructive -- like blow up a gas station.

Trend Micro learned about this security breach and decided to do some investigating, and this is what they found out: "After a gas station monitoring system was hacked earlier this year, Trend Micro researchers Kyle Wilhoit and Stephen Hilt decided to take a closer look. They set up fake internet-connected systems called 'GasPots' -- honeypots that mimic the real ones -- in several countries to track hackers' movements. Turns out gas monitors are never safe: the researchers observed a number of attacks on their GasPots within a period of six months, with US-based ones being the most targeted."

Hilt and Wilhoit discovered more than 1,515 vulnerable gas pump monitoring devices worldwide, less than a third of the figure logged by HD Moore last month. That would be reason for cautious optimism – except that the duo also uncovered evidence of tampered Guardian AST devices. The US-located system, left wide open on the net, had been hacked, apparently by mischief-makers, referencing one of ragtag hacker group Anonymous’s favorite catch phrases.

"An attacker had modified one of these pump-monitoring systems in the US. This pump system was found to be internet facing with no implemented security measures. The pump name was changed from “DIESEL” to 'WE_ARE_LEGION.' The group Anonymous often uses the slogan 'We Are Legion,' which might shed light on possible attributions of this attack. But given the nebulous nature of Anonymous, we can’t necessarily attribute this directly to the group.

An outage of these pump monitoring systems, while not catastrophic, could cause serious data loss and supply chain problems. For instance, should a volume value be misrepresented as low, a gasoline truck could be dispatched to investigate low tank values. Empty tank values could also be shown full, resulting in gas stations having no fuel."

The insecure gas pump monitoring system issue is part of the wider problem of insecure SCADA (industrial control) devices.
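Here is an added example (not from Trend Micro's report or from any vendor's software) of a check a station operator could run over successive tank-gauge readings to catch the two kinds of tampering described above: a renamed tank and a misreported volume. The baseline labels, capacities, 500-gallon threshold and sample polls are all constructed for illustration, and how the readings are collected from the gauge is left out.

```python
from dataclasses import dataclass

# Constructed baseline (not from a real site): tank number -> (label, capacity in gallons).
BASELINE = {1: ("UNLEADED", 10000.0), 2: ("PREMIUM", 8000.0), 3: ("DIESEL", 10000.0)}

# Assumed limit on volume change between two polls when no delivery is logged.
MAX_DELTA_GAL = 500.0


@dataclass(frozen=True)
class Reading:
    tank: int
    label: str
    volume_gal: float


def audit(previous, current, deliveries=frozenset(), baseline=BASELINE, max_delta=MAX_DELTA_GAL):
    """Return sorted (tank, finding) pairs for one poll compared with the last one."""
    prev = {r.tank: r for r in previous}
    seen = {r.tank: r for r in current}
    findings = []
    for tank in baseline.keys() - seen.keys():
        findings.append((tank, "tank_missing"))
    for tank, r in seen.items():
        if tank not in baseline:
            findings.append((tank, "unknown_tank"))
            continue
        label, capacity = baseline[tank]
        if r.label != label:
            findings.append((tank, "label_changed"))
        if not 0.0 <= r.volume_gal <= capacity:
            findings.append((tank, "volume_out_of_range"))
        # A large swing with no delivery on record is a leak, theft, or a
        # tampered or misreported value; all of them need a human to look.
        if tank in prev and tank not in deliveries:
            if abs(r.volume_gal - prev[tank].volume_gal) > max_delta:
                findings.append((tank, "volume_jump"))
    return sorted(findings)


# Constructed sample polls, modelled on the renamed tank and misreported volumes quoted above.
POLL_1 = [Reading(1, "UNLEADED", 6200.0), Reading(2, "PREMIUM", 3900.0), Reading(3, "DIESEL", 4100.0)]
POLL_2 = [Reading(1, "UNLEADED", 6050.0), Reading(2, "PREMIUM", 9500.0), Reading(3, "WE_ARE_LEGION", 120.0)]

if __name__ == "__main__":
    for tank, finding in audit(POLL_1, POLL_2):
        print(f"tank {tank}: {finding}")
```

Pass the tank numbers that received a logged delivery as `deliveries` so a legitimate fill does not raise `volume_jump`.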

Just in case that didn't sink in, let me repeat that: In the case of gasoline monitoring and control software, these default and standardized passwords potentially allow terrorists to use local gas stations as IEDs (incendiary explosive devices) by taking over, and overriding, the controls embedded in the same software that allows us to pay for our gasoline at the pump, using our credit cards.

Whether you require assistance securing your fuel dispensing systems, patient data, financial data, or your computer network, give me a call (773-365-0105), or open a ticket at https://portal.chicagonettech.com/Main/frmNewTicket.aspx (registration required).

With more than 35 years of experience, we'll help vet any hidden issues and secure your data - before it becomes an explosive situation.

Copyright © ChicagoNetTech Inc, 2015. All rights reserved.