US Gas Pump Hacked With 'Anonymous' Tagline

An anonymous reader writes: Researchers at Trend Micro have uncovered a gas pump in the United States whose ID has been changed from 'DIESEL' to 'WE_ARE_LEGION' — the call-sign of the Anonymous hacking group. Following up recent revelations regarding the vulnerability of gas pump systems to online attackers, the researchers found 1,515 completely unprotected gas pump monitoring devices via the Shodan device-based search engine. The report notes that the exposed devices are capable of being protected via six-digit pins, but this security measure is not being used. The report concludes: "Our investigation shows that the tampering of an Internet-facing device resulted in a name change. But sooner or later, real world implications will occur, causing possible outages or even worse."

  • But... (Score:5, Insightful)

    by Anonymous Coward on Thursday February 12, 2015 @11:54AM (#49038369)
    Can you change the price?
    • Can you change the price?

      From the article photo, it looks like the 'pump' is actually some sort of monitoring device used to track how much gas/diesel is in the storage tanks. I imagine that gets used by suppliers to anticipate delivery requirements.

      I don't know if the same system is used to control the pricing at the customer pumps, and the article doesn't make it clear. I'd guess that since this was published there are going to be some who will be trying it out though.

      • Can you change the price?

        From the article photo, it looks like the 'pump' is actually some sort of monitoring device used to track how much gas/diesel is in the storage tanks. I imagine that gets used by suppliers to anticipate delivery requirements.

        I don't know if the same system is used to control the pricing at the customer pumps, and the article doesn't make it clear. I'd guess that since this was published there are going to be some who will be trying it out though.

        Depends on the monitoring device. Some of the monitoring devices connect to both the pumps and the tanks so that you can compare how much gas was pumped vs how much gas is left in the tank. Although it is not 100% accurate, if there are leaks or pumps that are way out of calibration, the device might be the first indication that there is a problem. And yes, the major use is to track how many times a tanker needs to come by and fill up the storage tanks.

        On systems with Pay-at-the-Pump that take credit/debit

      • What if the storage tank levels and their consumption rates were aggregated and reported to distributors or refiners, and these demand indicators helped set local wholesale prices by some kind of automated system?

        I'm guessing gas prices are mostly "set" by the price of a barrel of oil (or some regional crude oil price), but even if retail inventory wasn't used for calculating price it may be used to influence regional refinery production which could influence price (ie, demand appears slack, refinery output

    • by RyoShin ( 610051 )

      Yes, but you have to have substantial capital to use as influence in the commodities market and perhaps a connection to some mercenaries in an oil-rich country, primarily in the middle east.

  • Internet of Things (Score:5, Insightful)

    by penguinoid ( 724646 ) on Thursday February 12, 2015 @11:58AM (#49038407) Homepage Journal

    Can't wait to have internet connected devices all over my house!

    • To be fair, if the manufacturers of the devices you have in your house are as competent as the manufacturers of the devices compromised here, it would be mostly your fault if they got hacked; the station owners never set up the passcodes. I say mostly because the manufacturer did limit it to a 6 digit numeric code, but even a weak security measure is better than none at all; presumably, these also report failed logins, which would have alerted the owner to a problem before the hackers got in, but how useful
      • To be fair, if the manufacturers of the devices you have in your house are as competent as the manufacturers of the devices compromised here,

        How much hope for security do you have in a system which has no password by default, and limits the password to a six-digit numeric code? You don't think that system is vulnerable all over the place?

        • but even a weak security measure is better than none at all

          At least the vendors put *some* thought into security. These systems are intended to be accessed via other systems which often have a numeric keypad as their only source of input, so it actually makes sense that the password would be so limited; it's stronger than your ATM PIN, which is really only secure because it's backed by somewhat robust intrusion detection (fail your PIN 3 times, ATM keeps the card, attack stops).

          Mind you, there are ways around that, but it's enough to stop most attackers, as the d

          • IMO shipping with *no* default password is safer than shipping with, say, the same default on all devices or a default based on the device's serial number, which seems to be the norm lately; at least then you *know* it's not actually protected. Default passwords provide a false sense of security to people who don't realize that everyone and their mother has the means to find out what that password is; it's the equivalent to no password at all, without the benefit of being so obviously insecure.

            If you're trying to help incompetent people, it's better to not let the device operate until they set up a password (and then not let them use any password that shows up on a 'thousand most common passwords' list).

            If you don't have time to do it the right way now, when will you find time to fix it?

            Nice sig.

            • Yes, that's better, but if your competition makes it easier for them to get up and running, the average incompetent user will use your competition. That brings us back to no password or a simple default.
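As an added example (not code from the page or from any pump-monitor vendor), here is what the policy argued for in this thread looks like for a keypad-only device: no default PIN and no operation until one is set, common or repetitive six-digit PINs refused, and the small PIN space backed by ATM-style three-strike lockout and an audit trail of failed logins. The common-PIN list, the PBKDF2 iteration count and the audit sink are assumptions.

```python
import hashlib
import hmac
import os

COMMON_PINS = {"123456", "654321", "123123", "112233", "121212", "123321",
               "159753", "147258", "112358", "131313"}   # constructed stand-in list

class PinGate:
    """Keypad-only access control: no default PIN, no operation until one is
    set, weak PINs refused, three-strike lockout and an audit trail."""
    PIN_LENGTH = 6
    MAX_FAILURES = 3          # the ATM rule from the thread: three tries, then stop

    def __init__(self, audit):
        self.audit = audit    # list (or logger) receiving audit events (assumed sink)
        self._salt = self._digest = None
        self.failures, self.locked = 0, False

    @classmethod
    def weakness(cls, pin):
        """Return why a PIN is unacceptable, or None if it passes."""
        if len(pin) != cls.PIN_LENGTH or not pin.isdigit():
            return "must be exactly six digits"
        if pin in COMMON_PINS or len(set(pin)) == 1:
            return "on common-PIN list or all digits identical"
        if pin in "0123456789" or pin in "9876543210":
            return "sequential digits"
        return None

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def set_pin(self, pin):
        reason = self.weakness(pin)
        if reason:
            self.audit.append(f"pin rejected: {reason}")
            return False
        self._salt = os.urandom(16)
        self._digest = self._hash(pin)
        self.failures, self.locked = 0, False
        return True

    def authorize(self, pin):
        if self._digest is None:          # shipped with no PIN: refuse, don't operate
            self.audit.append("refused: no PIN configured")
            return False
        if self.locked:
            return False
        if hmac.compare_digest(self._hash(pin), self._digest):
            self.failures = 0
            return True
        self.failures += 1
        self.audit.append(f"failed login {self.failures}/{self.MAX_FAILURES}")
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
            self.audit.append("locked out after repeated failures")
        return False
```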
  • by ihtoit ( 3393327 ) on Thursday February 12, 2015 @12:17PM (#49038513)

    Anonymous owns your fridge, your eighty thousand pound Tesla, your PACEMAKER.

    Take your Internet of Things and stick it up your arse. My shit might be stone age, but I OWN IT.

    • by squiggleslash ( 241428 ) on Thursday February 12, 2015 @12:23PM (#49038553) Homepage Journal

      I don't know, I've found my Internet connected pacemaker to be pretty useful, gives me stats, automatically informs my doctor if there's a problem, it's nice. And there is good security with a password and full logging, as anyone browsing to http //172.16.54.138/admin.php?include=/usr/share/www/basic-authentication.php&log=/home/pacemaker/default.log&addlog=2015-02-12%2011:21:00%20Initiated%20login can clearly see.

      Best part: the guy who wrote the software apparently used to work for what was, until a year or so ago, the biggest Bitcoin exchange in the world, so with a background in handling sensitive financial transactions he obviously knows a lot about security.

      • by ihtoit ( 3393327 )

        oh snap! lol you nearly had me up until the Mt. Gox thing.

        Well played.

      • by Duhavid ( 677874 )

        I don't know, I've found my Internet connected pacemaker to be pretty useful, gives me stats, automatically informs my doctor if there's a problem, it's nice. And there is good security with a password and full logging, as anyone browsing to http //172.16.54.138/admin.php?include=/usr/share/www/basic-authentication.php&log=/home/pacemaker/default.log&addlog=2015-02-12%2011:21:00%20Initiated%20login can clearly see.

        Best part: the guy who wrote the software apparently used to work for what was, until

    • My shit might be stone age, but I OWN IT.

      Uh.... Monsanto's on the line, they want to have a word with you...

      • by ihtoit ( 3393327 )

        I'd respond with something witty but I'm laughing too fuckin' hard! :D

        • You may be laughing, but I'm fairly sure their lawyers are already finding out whether they can slap you with a fine for not paying for those "derived works" you create with their product.

    • by Dragonslicer ( 991472 ) on Thursday February 12, 2015 @01:47PM (#49039433)

      My shit might be stone age

      Damn, what the hell have you been eating?

    • by antdude ( 79039 )

      Yep, people think I am crazy for being stone age with old stuff (Casio Data Bank 150 watch, analog bone conduction hearing aid, KVM from Y2K for VGA and PS/2 stuff, analog speakers, VCR, CRT TV, etc.) I still use. They still work for me, so why do I need newer stuff?

      • by ihtoit ( 3393327 )

        dude, CDB150?? My watch is powered by a spring! The most advanced bit on it is the slide rule bezel. Which for some reason pushes its insurable value to ridiculous.

  • Wrong summary title (Score:5, Informative)

    by OzPeter ( 195038 ) on Thursday February 12, 2015 @12:20PM (#49038533)

    TFA says that a Gas Pump Monitoring device was hacked, and the pic in TFA shows a screen capture from an inventory system. No mention is made of a Gas Pump being hacked. Thus the headline of TFS stating that a gas pump was hacked is pure click bait.

    • by OzPeter ( 195038 )

      OK .. well after posting my comment I read the TFA again and saw that the headline of the TFA says gas pump and the body of the TFA says gas pump monitoring system. So there is confusion all over the place in TFA.

      But when you dig down into the report that TFA refers to, you find that the heading of that is "Is Anonymous Attacking Internet Exposed Gas Pump Monitoring Systems in the US?"

      So even though my comment was a bit sloppy, the context of the story was changed between the original report and TFA.

  • "But sooner or later, real world implications will occur, causing possible outages or even worse."

    Like setting gas to $0.01 a gallon.

  • Is this a Christian Bible reference or reverence?
    • by Anonymous Coward

      Reference, obviously. Anonymous is a legion of evil spirits, liable to possess and drown a herd of swine.

    • Yes. Mark 5:9 to be exact.

      >>And Jesus asked him, “What is your name?” He replied, “My name is Legion, for we are many.”
  • by mlts ( 1038732 ) on Thursday February 12, 2015 @12:28PM (#49038593)

    I don't get why these devices are on the Internet in the first place. If access is needed to read statistics, have an internal server scoop the info from the SCADA servers, hand it to a DMZ server, and the external applications use SSL with client authentication (both sides authenticate to each other using keys), to fetch the data, or if it has to be a person doing this, have a web server on the DMZ that is accessed via 2FA for this info. If the SCADA boxes have to be controlled through the Internet, then there is always a high security VPN that uses smart cards or USB crypto tokens.

    One project I had a few years ago was to get data from manufacturing systems (systems which could be on the Internet, but at best, had security strapped on at the last moment... so they were not secure) to remote receivers. I ended up putting the systems on one isolated subnet with a Linux box that would scan them, then shove the data through a serial port with the Rx line cut (so it could only transmit, not receive.) The machine on the other end of the cable would take the data from the serial port and format it into useful reports, which wound up on a decently secure webserver.

    No, this system wasn't fast, but it did the job where info could be read but a blackhat couldn't tamper with the isolated network without physical access.
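The one-way serial arrangement in the post above (Rx line cut, so the receiving side can only listen) needs framing that copes with loss and corruption without any back-channel. The following added example, not code from the poster, simulates that link with an in-memory byte stream and a constructed set of tank-level readings; the frame layout, marker bytes and record text are assumptions.

```python
import struct
import zlib

MAGIC = b"\xa5\x5a"          # constructed start-of-frame marker
HDR = struct.Struct(">IH")   # sequence number (u32), payload length (u16)
CRC = struct.Struct(">I")    # CRC32 over seq + length + payload

def build_frame(seq, payload):
    """Sender (the box with Tx only): MAGIC | seq | len | payload | crc32."""
    body = HDR.pack(seq, len(payload)) + payload
    return MAGIC + body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)

def receive(stream):
    """Receiver side. Returns (records, missing_seqs, bad_frames).

    With no return path the receiver cannot ACK or ask for a resend; all it
    can do is validate each frame, resync after garbage and log what it lost."""
    records, missing, bad = [], [], 0
    expected, i = None, 0
    while True:
        i = stream.find(MAGIC, i)
        start = i + len(MAGIC)
        if i < 0 or start + HDR.size > len(stream):
            return records, missing, bad
        seq, length = HDR.unpack_from(stream, start)
        end = start + HDR.size + length + CRC.size
        if end > len(stream):                  # truncated or bogus length field
            bad, i = bad + 1, i + 1            # skip this marker and resync
            continue
        body = stream[start:end - CRC.size]
        if zlib.crc32(body) & 0xFFFFFFFF != CRC.unpack_from(stream, end - CRC.size)[0]:
            bad, i = bad + 1, i + 1            # corrupted: drop it, never trust it
            continue
        if expected is not None and seq > expected:
            missing.extend(range(expected, seq))   # gap: can only be logged
        records.append((seq, body[HDR.size:].decode("ascii", "replace")))
        expected, i = seq + 1, end

def demo():
    """Constructed sample: four readings; frame 2 is lost on the wire and a
    byte of frame 3 is flipped, as a noisy one-way cable might do."""
    frames = [build_frame(n, f"tank1 level={v}".encode())
              for n, v in ((1, 5230), (2, 5190), (3, 5150), (4, 5110))]
    corrupt = bytearray(frames[2])
    corrupt[12] ^= 0x40                        # flip a bit inside the payload
    wire = frames[0] + bytes(corrupt) + frames[3]
    return receive(wire)

if __name__ == "__main__":
    print(demo())   # → ([(1, 'tank1 level=5230'), (4, 'tank1 level=5110')], [2, 3], 1)
```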

    • No, this system wasn't fast, but while it did the job it was a bit of a lashup that required extra coding, installation, and maintenance where info could be read but a blackhat couldn't tamper with the isolated network without physical access.

      TFTFY.

      The parts you left out are why you don't grasp why the devices are on the internet.

      • by mlts ( 1038732 )

        The ironic thing is that this setup has been in place for at least seven years, and is still working without issue. Otherwise, I'd definitely be made aware that it was not working.

        I'll turn the question around... why does a device have to be on the Internet if it doesn't have to? I do admit I did a low tech solution without going through extensive third party data diode, firewall, and other offerings... but it has worked without issue or need for upkeep for years now.

        • The ironic thing is that this setup has been in place for at least seven years, and is still working without issue. Otherwise, I'd definitely be made aware that it was not working.

          You can't draw a curve through a single point.

          I'll turn the question around... why does a device have to be on the Internet if it doesn't have to?

          Well, the "doesn't have to" represents an assumption on your part. For a lot of things, it's awfully dang convenient, reduces or eliminates human error, and saves a ton of man

    • by dj245 ( 732906 )

      I don't get why these devices are on the Internet in the first place. If access is needed to read statistics, have an internal server scoop the info from the SCADA servers, hand it to a DMZ server, and the external applications use SSL with client authentication (both sides authenticate to each other using keys), to fetch the data, or if it has to be a person doing this, have a web server on the DMZ that is accessed via 2FA for this info. If the SCADA boxes have to be controlled through the Internet, then there is always a high security VPN that uses smart cards or USB crypto tokens.

      One project I had a few years ago was to get data from manufacturing systems (systems which could be on the Internet, but at best, had security strapped on at the last moment... so they were not secure) to remote receivers. I ended up putting the systems on one isolated subnet with a Linux box that would scan them, then shove the data through a serial port with the Rx line cut (so it could only transmit, not receive.) The machine on the other end of the cable would take the data from the serial port and format it into useful reports, which wound up on a decently secure webserver.

      No, this system wasn't fast, but it did the job where info could be read but a blackhat couldn't tamper with the isolated network without physical access.

      We're talking gas stations here. Frequently these are small businesses with a single location, sometimes operating on a franchise model. Even if you think that the parent franchise should be pushing high security standards, there are a lot of independent 1-location operators out there. They aren't going to be set up the same as an industrial plant. Berating them for that is a bit silly.

    • The devices are installed by the oil company/credit card processor (yes, they're usually one and the same). The fuel stations are run by people (either owner/operators or corporate employees) who have skill sets in things other than network administration. They probably never read the manual that came with the devices.

    • Because everything must be online no matter how pointless these days.
  • This idea that we need to connect /everything/ _directly_ to the internet is insane.

    Device manufacturers have a hard enough time making devices work, let alone securing them. Even important things like managed switches and home routers have gaping security holes in them; I don't expect a mass sudden outbreak of common sense anytime soon, so we're all doomed, doomed I tell ya!

    • I would, if I could.

      You may rest assured, though, that it will be very, very hard to do so. For a few reasons that are quite obvious. One, adding such a gimmick is trivially cheap and since it's one thing you can add to the tickbox list of features, every item will have it. For reference, see cellphones and cameras. I don't want it, I don't need it, I would especially love to get it for our workers (for the obvious reason) but there is not a single cellphone that has no camera or where it is at least easily

    • If in the end Anonymous' one single effect on the real world is to cause people to think cautiously about ridiculously hooking up everything to the internet for laziness, er ... convenience, they will have been nothing more than a boon to the wisdom of humanity. Let's hope that's all they cause.
  • Are we sure this was anonymous? Maybe this was a message from the Legion guy from the Geth. Clearly, he's leveled up recently in his AI hacking skills.
  • To be frank, "We Are Legion," "Expect Us" and "We Do Not Forget" sound just as appropriate as major oil company slogans as they do a hacking collective.
  • How do we know someone affiliated with Trend Micro didn't do what amounted to digital graffiti? No different than some jackass teenager spray painting "Allahu Ackbar" on the bathroom shitter, and then watching dumb fucking cops get scared about terrists.
