Hackers Stole 600 Gallons of Gas From Detroit Gas Station, Report Says (gizmodo.com) 263
Police in Detroit are looking for two suspects who allegedly managed to hack a gas pump and steal over 600 gallons of gasoline, valued at about $1,800. From a report: The theft took place in the middle of the day and went on for about 90 minutes, with the gas station attendant unable to thwart the hackers. The theft, reported by Fox 2 Detroit, took place at around 1pm local time on June 23 at a Marathon gas station located about 15 minutes from downtown Detroit. At least 10 cars are believed to have benefitted from the free-flowing gas pump, which still has police befuddled. Here's what is known about the supposed hack: Per Fox 2 Detroit, the thieves used some sort of remote device that allowed them to hijack the pump and take control away from the gas station employee. Police confirmed to the local publication that the device prevented the clerk from using the gas station's system to shut off the individual pump.
Manual Shut Off? (Score:5, Interesting)
Seriously, I'm not big on the whole let the computer handle everything on important things, particularly something that is potentially safety critical. Manual shut off valves aren't hard.
Re: (Score:2)
Shut down the full station just to fix one bad pump? Maybe the clerk did not know how to full reboot
Re:Manual Shut Off? (Score:5, Insightful)
Shut down the full station just to fix one bad pump?
Yes! If the other option is to let gas free-flow for 90-minutes, then shut down the whole station. Of course! You think the gas station made $1,800 profit on the functioning pumps during that 90-minutes?
Re: Manual Shut Off? (Score:3, Insightful)
Re: Manual Shut Off? (Score:2)
Re: Manual Shut Off? (Score:2, Funny)
Emergency shutoffs are for fires and when cars crash into pumps. They are not there to stop a theft.
Re: Manual Shut Off? (Score:5, Insightful)
Re: (Score:3, Interesting)
Don't know I have had a fire safety officer make people walk past a functioning exit from the building during a drill because it was not a recognized fire exit for the building. It was electrically operated and might fail in the event of a fire. Presumably he would stop someone climbing out the window on the ground floor if there was a fire outside the room they where in.
Re: (Score:2)
There are other things to consider, though. One is that fuel is not where the profit is - it's inside sales. If customers pull up and see the pumps aren't working, they're going to go elsewhere for their fuel and, more importantly, for their high margin inside purchases like ci
Re:Manual Shut Off? (Score:5, Informative)
Shut down the full station just to fix one bad pump? Maybe the clerk did not know how to full reboot
When I worked at a gas station, I knew where the breaker panel was and we had separate breakers for each pump.
So, the easy solution would have been to just power off the hacked pump.
Re: (Score:2)
Shut down the full station just to fix one bad pump? Maybe the clerk did not know how to full reboot
When I worked at a gas station, I knew where the breaker panel was and we had separate breakers for each pump.
So, the easy solution would have been to just power off the hacked pump.
This, exactly! I don't care what system gets hacked on the internet, turn the power off with a physical switch and there is absolutely nothing the internet can do.
Re:Manual Shut Off? (Score:5, Funny)
they tried but systemd just auto restared the pump
Re: (Score:3)
You think a minimum wage gas station attendant gives a fuck if a faceless corporate entity makes a profit or not? How cute!
He better... Lack of profit ==> Going out of business ==> Unemployed.
In fact, I think you've hit on a common issue in today's society, this demonization of the faceless, nameless rich people who employ the vast majority of us. You'd better care about profits for the business you work for, the more the better (within the bounds of law and ethics) because it's what pays your wages and benefits. If you don't like that somebody else is making money on your efforts, then I suggest you start your own bu
Re: (Score:3)
The yellow out of order bag that goes over the nozzle would of sufficed, with the added benefit as pointed out above of identifying anyone actively involved who bypasses the bag and pumps anyway.
Re: (Score:2)
Shut down the full station just to fix one bad pump?
Even if you don't feel that was appropriate in this particular situation (although as others have posted already, it seems pretty reasonable even here), the option to manually shut off everything has to be available regardless and I'm pretty sure it is by requirement for instances where a single pump catches fire!
And let's take this hack a step further into terrorist land where you could easily picture a scenario where someone might shutdown electronic control over the pumps and start setting everything abl
Re:Manual Shut Off? (Score:5, Interesting)
Or call the police. It shouldn't have taken 90 minutes for police to show up.
Lol. They'll take a report Tuesday (Score:3)
The cops might show up to take a report on Tuesday. Or not.
Cops mostly take reports of crimes. Occasionally, they accidentally catch a criminal. Very rarely do they stop a crime in progress.
Re: (Score:2)
Re: (Score:3)
When living in Santa Fe, New Mexico, I called the police about multiple break-ins at a place I was renting. I had nothing worth stealing, but the guy that lived in the connected apartment from mine did. The shortest time it took the cops to get there was 45 minutes. The longest time I stopped counting after 3 hours. My house was broken into 3+ times, and I didn't really care since the rent was cheap, and if any of the little punks tried it when I was around someone would have been calling a coroner instead
Re: (Score:3)
Except this was an ongoing crime. If they police had shown up they could have made easy arrests, boosting their quotas, looking good to the citizens, etc.
Re: (Score:2)
I can tell, you've not called the police have you?
I called 911 once because the car I was driving burst into flames in the middle of a major city and almost within visual distance of the fire station. It took almost 10 min for the police to arrive and another 10 for the fire department. For 20 min, the car burned. I'm guessing this was faster than normal because the car was blocking the major east/west road though town.
In another instance, there was an automobile accident in the middle of a major city
Re: (Score:2)
Re: (Score:2)
Remember... The original story was in Detroit where money for police is in short supply. My guess is their average response time is quite a bit higher in Detroit than the middle of nowhere Minnesota...
Both of my examples where in major metropolitan areas, the first in Raleigh NC and the second in Garland TX (The third largest city in the Dallas-Fort Worth area) and all happened over 20 years ago now. Back when there was money for public services.
Re: Manual Shut Off? (Score:3)
I also think Canadians are less likely to commit crimes, which (if true) means that smaller/cheaper police forces can serve larger populations.
Re: (Score:2)
Re: (Score:3)
Or, how about simply covering the pump with an “Out of Order” sign/bag/covering like they would for any other malfunction? No need to even shut it off when cutting off access to it is sufficient.
Re: (Score:3, Funny)
I'm sure the "please don't take the free gas" sign would've solved everything.
Re:Manual Shut Off? (Score:5, Interesting)
When you pull up to a gas station and see an out of order placard on a pump, do you bother checking to see if free gas is being dispensed by it, or do you simply go to an open pump? For all I know, this problem is a common one, with none of us any the wiser.
Re: (Score:2)
I suspect that almost all the cars either were part of the hacker operation or tipped off by the operation.
Park a car (Score:5, Insightful)
The attendant, supervisor or owner park one or more cars to block the pump?
Circuit Breakers? (Score:2)
Re: (Score:2)
I know nobody reads TFA, but can you at least read TFS?
So the hackers cracked the pump, and a whole line of cars treated themselves to free fill-ups.
Re:Manual Shut Off? (Score:4, Insightful)
That said, yeah, inside job. An hour and a half? Plenty of time to shut it down.
re: you'd need 30-40 cars to get 600 gallons (Score:2)
I've read about similar scams going on where it's far more organized. People have been taking large SUV's, blacking out the rear windows, and turning the whole rear of the vehicle into a giant fuel tank. Then they're able to steal hundreds of gallons of gas at a time, or with just a few stops (since people might actually notice if you sat at a pump long enough to get 500-600 gallons of fuel out of it).
It creates one highly dangerous vehicle on the road .... but they do it.
Re: (Score:3)
Back when gas hit close to $5 a gallon some thieves modified a horse trailer by cutting out parts of the bottom. Then they would install pumps and large tanks.
They would pull the modified trailer over access caps, where they fill the underground tanks, where they would pretend to have truck problems. While two men would be under the hood acting like they where trying to fix the truck, their accomplices in the trailer would remove the access cap and lower a hose down to the underground tank.
Once the t
Re: (Score:2)
My Volvo (a car, not a truck) has a 100L tank; it also does 4L/100km so you can easily drive from Stockholm to Munich without refueling, even through huge queues. What kind of sissy cars are sold in the US that your fuel tanks are that small? Sedans rather than station wagons, that's why you can't fit anything and need to buy trucks :D
With base price around $38k and the 2018 V60 having a tank that is 17.8 gallons, I'm not really seeing the benefit to this car. The Chevy Impala has a base price around $10k less with a slightly larger gas tank and about the same MPG. For the few things that don't fit in the car with the seats folded down, I'll rent the Home Depot truck for $19.
Re: (Score:3)
That's literally 4x the range of my current car, which has a smaller gas tank than my previous car but the same range due to greater fuel efficiency.
100L seems monstrously huge for a gas tank to me, and I have a hard time even imagining 4L/100km. I know Volvos are notoriously unsexy cars, but that kind of fuel efficiency might change my mind.
Someone correct me if I'm wrong but the only Volvo I can find with that gas mileage starts at $63k. Considering I spend about $1,500 a year on gasoline, getting a car that costs that much more than a fair gas milage ICE car (or a better priced hybrid) doesn't make a lot of sense to me.
Re: (Score:2)
My Volvo (a car, not a truck) has a 100L tank; it also does 4L/100km so you can easily drive from Stockholm to Munich without refueling, even through huge queues. What kind of sissy cars are sold in the US that your fuel tanks are that small? Sedans rather than station wagons, that's why you can't fit anything and need to buy trucks :D
Someone is not being truthful but rather exaggerate the numbers. It would be much easier to "fact check" if a model number is given. I don't see any car that has 100L tank. Also, most of them are using Diesel instead. It is known that Diesel fuel gives better mileage than Benzil. Thus, you are comparing apple with orange.
Re: (Score:2)
If they only hacked one pump, then all 10 cars should have been in line for one pump--even when other pumps were available for use. This should be verifiable with the security camera.
It should also be pointed out that a 3/4 ton / 1 ton pick up can have a 40 gallon tank plus one or more 100 gallon service/transfer tanks in the bed. Anything more than one service tank would look--odd.
Re: (Score:2)
It said he couldn't shut off the individual pump. I'm sure there's a massive kill switch of doom (due to nanny-state commie stuff) that shuts off the entire station, but for some reason he didn't want to use it. Worried about getting in trouble over lost sales?
Here in the wilds of Pennsylvania, there is an emergency shut off at the pumps that brings the whole show to a halt. Helps prevent really big deflagrations
Fire Emergency shut-off (Score:2)
All gas stations are required to have a big emergency button mounted on the wall inside of the building that will immediately cut off the flow of fuel to the gas pumps when pushed.
I think that button is also required to be accessible to the public, i.e not hidden behind the counter.
Push that button and no fuel is dispensed until the system is reset.
If the attendant somehow didn't know about that button, then that's a hazardous situation right there.
Re: (Score:3)
If the attendant somehow didn't know about that button, then that's a hazardous situation right there.
I actually read TFA and it seems that the attendant tried all sorts of ways through his normal systems to shut the gas off, but failed. It appears that he finally used the emergency shutoff, but that is not clear in TFA.
Re:Fire Emergency shut-off (Score:5, Insightful)
I wager the attendant didn't catch on for a while. Generally nowadays the systems are *supposed* to only dispense if the customer has given payment info or the attendant has turned it on. In fact, most of the time when I go to a gas station now, I've set up payment before I even leave the car and just get out and pump. A station attendant may have a hard time distinguishing someone paying by mobile from someone who made it dispense gasoline otherwise, depending on how it works. Note it says it went on for 90 minutes, then he shut it down, *then* he called police. It also says he "got an emergency kit"., which may have been how he was describing the fuel shut off (his English may not have been the best). Him describing the system being non-responsive doesn't mean he sat there for a long time trying to overcome the situation, it just speaks to his surprise.
Re: (Score:3)
Re: (Score:2)
Reminds me of a scam I heard about long ago about someone working in a bank who would skim off a few cents of all the accounts. Very few people would even notice the discrepancy (do you remember if your bank balance ends in .65 or .56 right now?), and of them even fewer would bring it up with the bank manager. Those few cents would be reimbursed and considered a glitch or math error somewhere; this was before everything was digitized so shit happened.
But imagine skimming a few cents off a million accounts e
Re: (Score:2)
Paying by mobile can be secure. There is every probability that in this case the mechanism used for the attack is not related to anything unique to enabling paying from phone.
Re: (Score:3)
Re: (Score:2)
All gas stations are required to have a big emergency button mounted on the wall inside of the building that will immediately cut off the flow of fuel to the gas pumps when pushed....Push that button and no fuel is dispensed until the system is reset.
If the attendant somehow didn't know about that button, then that's a hazardous situation right there.
Even ignoring this, the theft went on for 90 minutes. Was there some reason the attendant couldn't get the cops to come out in less than an hour and a half and stop people from filling up?
Re: Fire Emergency shut-off (Score:3)
Re: (Score:2)
You think the police care about a small non-violent property crime?
Re: (Score:2)
I figured they'd rush to the scene of a crime against an oil company.
It may have taken 75 minutes for him to notice. (Score:2)
Pre-paid pump systems work without any action from the attendant. So he may not have noticed anything wrong unless he looked carefully. Then he would have tried to disable the pump from his console, and found it didn't work. With that, it seems he did use either the big red button, or the pump's circuit breaker, to disable it.
Re: (Score:2)
Even ignoring this, the theft went on for 90 minutes. Was there some reason the attendant couldn't get the cops to come out in less than an hour and a half and stop people from filling up?
You're assuming the attendant figured out that it was happening immediately.
The pump dispensing free gas is going to look all that different from the other pumps at a glance, since presumably it has a pay-at-the-pump system. It probably took a while to notice no one was paying.
Gas? (Score:4, Funny)
Re: (Score:2)
Farts. :P
Re: (Score:2)
What kind of gas was this? Butane? Propane? Methane?
The kind referred to as such from coast to coast in a country who's farts (pun intended) are bigger than European countries.
Re: (Score:2)
It's supposed to be funny to people who are too dumb to realize they are on an American website.
Re: (Score:2)
WHOOSH on both of you.
In case you didn't get it, that's the sound of the butane and methane and propane all being ignited at the same time.
Of course, it's Detroit (Score:2)
Of course, people will be looking for another round of shield-and-sword war with hackers.
What happened to
Re:Of course, it's Detroit (Score:5, Funny)
Some people listen to their moral voice, and other just Kant.
Re: (Score:3)
What happened to
Verjährt.
Circuit breaker. (Score:2)
would of made more with an cc skimmer vs maybe (Score:2)
would of made more with an cc skimmer vs maybe a few free full ups.
Hackers steal 600 gallons of gas in Detroit... (Score:5, Funny)
...then ironically don't use it to leave Detroit.
The math from TFS ... (Score:3)
... because I didn't read TFA:
Given:
- $1,800 USD
- ~ 10 cars
- 600 gallons
Then:
$1800/10 car = $180/car
$1,800/600 gallons = $3/gallon
600 gallons/10 cars = 60 gallons/car????
Re: (Score:2)
I bet they don't know how much was stolen, and are only estimating. There is no metering system on the main tank, only on the dispensers. So if the dispenser was tampered with, there is no way to know how much was stolen until you get the main tank refilled and do the accounts.
Re: (Score:2)
TFA says "At least 10". That likely means something like "We saw 10 people do it, so it was AT LEAST that many...but we're missing 600 gallons of gas."
All your math shows is that since 60 gallons a car is improbable, we're probably looking at 20, 30, or more. If these were average cars filling up, probably 40 ish.
Re: (Score:2)
And the rest went to the bed?
What probably happened (Score:3)
Meanwhile the dudes that did the "hack" are either laughing their asses off that they got $50 of gas for free, freaking out because if everyone gets free gas someone will notice, or they were script kiddies $Someone was using as a test case for an attack.
Selfish Hack (Score:2)
At least hide your hack so the exploit can be used by others.
Probably not a computer exploit (Score:2)
Re: (Score:3)
Exactly what I was thinking.
Hacking == theft == covered by insurance.
Malfunction: not covered.
It wasn't the pumps (Score:5, Informative)
I used to write code to talk to gas pumps 20 years ago, and they really aren't much different today, aside from having better screens and needing to deal with chip cards. (I have seen only a single station so far with what appeared to be chip-ready card readers! Isn't that cut-over only a year or two away? But there are restaurants that over two years later still have tape over the chip reader.)
First of all, the pump (the part that gives you fuel while measuring it) is completely separate from the terminal on top. They both talk to a computer in back over an RS-485 link. The computer in back, even if it's a crappy one from the pump manufacturer, takes payment information from the terminal (and commands from the POS inside the store), then enables the pump, possibly with a preset limit. When you hang up the hose, the computer sees that status in the pump, reads the dispensed amount, and finishes the transaction.
The back-end computer could certainly have bad programming. I once had to do a site visit for a beta site, and found out that the authorizer (the part that says "this card is okay, turn on the pump" and handles the billing) was saying yes to ANY card. Not my code, of course. Fortunately, people were using the membership card of the club store (they probably thought it would be automatically billed), which meant they could be tracked down if necessary.
One thing that could be done is to open up the pump, and flip its configuration switches to set it into a manual mode. That still won't stop the fuel counters inside the pumps, so it won't match inventory with the back room computer later on. But you have to open it up first. Not only is there a key to deal with, but these days there are tamper stickers on the door because so much inside can be fucked with, not just the pump.
Another thing that could be done is someone with inside knowledge of the system could create a management card that makes the computer give free gas. That would be noticed eventually too, but the big problem is you have to have access to the back end. This could possibly be done for a RFID keyfob, but that means you still need a way to get the keyfob ID into the system, and it would still be an inside job.
If the deed was done wirelessly, as implied, I'm going to guess that means that someone had a wireless connection like WiFi on the same network as the back-end computer, and it wasn't encrypted, etc. It could also be a keyfob or NFC, but other than that, I haven't heard of any kind of wireless technology that would need to go into the pump. It's always possible that there was some kind of stupid buffer overflow bug on something wireless.
As to what could have been done to shut it down, if the person at the store knew this was happening, um, yeah. Unless he called a manager who told him to not turn it off (fuel is a good way to get customers to buy your overpriced sodas and snacks), the E-Stop button would have been enough. An "out of order" sign would probably have worked too, simple psychology, nobody would have bothered to use the pump. It's also possible that the POS had a way to shut pumps off. And I wouldn't be surprised if nobody understood how to use such features.
Re: (Score:2)
The last time I actually looked at the tamper stickers on a gas pump (a few years ago), they were all broken. I pointed this out to the manager, who wasn't concerned.
Re: (Score:2)
Re: (Score:2)
How many have automatic license plate readers as part of a CCTV system?
Re: (Score:2)
One thing that could be done is to open up the pump, and flip its configuration switches to set it into a manual mode.
Seems a pretty likely real-world attack --- if the pumps have a manual mode. Probably the cabinets have cheap or generic locks, and it's not hard for a rogue to cut through a tamper-resistant sticker and then either just ignore it later or replace with one one of their own fresh sticker after tampering with the equipment.
Rank it second that perhaps they inserted a piece of rogue e
Re: (Score:2)
But there are restaurants that over two years later still have tape over the chip reader.
Retailers are required to have a chip reader by the credit card processors.
Retailers are not required to use the chip reader.
Bad use of hacking skills (Score:2)
Surely someone with the skills to hack a gas pump can get a job that pays far more than $1800 for the same effort. Seems such a sad use of talent.
What am I missing? (Score:2)
Surveillance cams?
Ive seen many gas station systems (Score:2)
He could have thrown a breaker and it would have went down. Kill the tank monitor and the power to the pumps.
Maybe not a hack at all... (Score:2)
Funnily enough, I worked on a project a few years ago to prevent people stealing gasoline from dispensers. Some of the tests I did (at the behest of the client) involved using various methods to break into the gas dispenser. The idea was we would use accelerometers and other sensors to detect if someone was trying to tamper with the dispenser. Needless to say they were ridiculously simple to break into; it can be done in under a minute without causing any damage to the dispenser.
Anyway, once the dispenser w
They were going to call the cops... (Score:2)
...but there were already three cruisers in line at the hacked pump.
It's Detroit (Score:2)
No paper bags? (Score:2)
Old Fashioned (Score:2)
Station is out of code on their electrical. (Score:2)
All new construction gas stations have cut off switches set up as such where they simply don't cut off the gas at the pump, but to depower the actual fuel pumping system by cutting power completely by opening an magnetic contactor.
Of course, existing gas stations usually don't have this in the first place, or else the breaker box is wired to the point of being paranoid. This code varies on strictness and/or enforcement from state to state. This is improving, but is slow.
The Human Brain, is Out of Order. (Score:2)
"...the gas station attendant unable to thwart the hackers."
Unable? An Out of Order sign and a plastic bag over the gas pump would have fucking worked fine.
This is the inherent problem with building systems that are idiot-proof; we ultimately end up building grade-A idiots to sit behind the wheel.
Funny Gas Station Story (Score:2)
Re: (Score:2)
"Wasn't driving the car at the time; aka Dundu nuffin"
Re: (Score:2)
*dindu
Re:Call the police? (Score:5, Informative)
You really don't know much about Detroit. The police wont even show up for shootings unless there are two bodies. Stealing gas doesn't even register.
2^11 drams (Score:2)
Or 256 tablespoons?
Re:AC Stole First Post From Slashdot (Score:4, Insightful)
That would not surprise me. Off the top of my head, in order of effectiveness:
1) Park your car at the pump in question.
2) Put a "Out of Order" sign on the pump in question. This way, anyone using the pump is obviously in cahoots with the hackers.
3) Master emergency switch. In 90mn, no gas station makes nearly $2,000 pure profit.
4) Call the police... maybe the response time for property crimes is high, but still.
Re: (Score:2)
Given the thieves' appearance [youtube.com], I wouldn't assume Russian Mafia.
And no, not because they're black. Stop being all racist.
Re: (Score:2)
There are some parts of Detroit, like most US cities, where you don't want to get out from behind the bulletproof plexiglass, ya know?
This one just kept disbelieving as a train of cars sucked gas out of the pump. Why did it keep pumping? Hot night? Fried circuit? Sensor that the pump handle reached shutoff didn't work, and the first buyer was oddly authorized for a mint? Or was manually enabled by the operator, then he tried to cover his tracks?
Lots of this is explainable, and perhaps credible. It was a fuc
Re: (Score:2)
The clerk knew people were pumping gas. S/he knew it was billing at an incorrect price.
At some point the attendant knew it was billing at an incorrect price.
It's not like they review every transaction as it happens. And with things like "pay at the pump", you may miss that no one is paying for a while unless you are watching closely. And if this is a typical convenience store/gas station combo, the manager given the attendant plenty of other tasks to do besides stare at the pumps.
Color me unsurprised, however. Having seen what passes for convenience store (and many other low-skill) employees in the last decade, I doubt many of them would have thought of the simple expedient of an Out of Order sign.
You get what you pay for. Even when purchasing labor.
Re: (Score:2)
Sounds like a plan, if gas prices are what matters most to you.
Re: (Score:2)
Nope, Missouri is Pay Before You Pump.
Re: (Score:2)
Virtually everywhere is pay before you pump.
And virtually everywhere has pay at the pump. Which will look exactly like pumping free gas unless you happen to watch the few seconds where they'd normally swipe a card.