Flaws in Gas Station Software Let Hackers Change Prices, Steal Fuel, Erase Evidence
Two security researchers discovered vulnerabilities in an automated gas management that allowed them to shut down fuel pumps, hijack credit card payments, and steal card numbers.
Image: Amihai Neiderman
Gas stations lose millions of dollars annually to gas fraud. Most of this fraud occurs when thieves use stolen credit and debit cards to fuel vehicles, resulting in chargebacks to service stations.
But gas station owners in the US and elsewhere may have to worry about a new kind of fraud after two security researchers in Israel discovered multiple vulnerabilities in one automated system used to control fuel prices and other information at thousands of gas stations around the world.
The vulnerabilities would allow an attacker to shut down fuel pumps, hijack credit card payments, and steal card numbers or access backend networks to take control of surveillance cameras and other systems connected to a gas station or convenience store's network. An attacker could also simply alter fuel prices and steal petrol.
Ido Naor, a senior security researcher with Kaspersky Lab, and Amihai Neiderman, a former researcher with Azimuth Security, discovered the vulnerabilities after the computer screen on a gas pump in Israel crashed one day last June as Naor was filling his tank and exposed a local IP address. The system turned out to belong to an Israeli company named Orpak Systems, which makes fuel-management software. Orpak's system is used by commercial gas stations in Israel as well as by the military and large corporations to track gas consumption for their fleets of vehicles, to ensure employees and soldiers aren't siphoning gas from work vehicles to fuel personal ones.
But Orpak, which makes both RFID vehicle-tracking systems and fuel-management systems, doesn't just sell its systems in Israel; its software is installed in more than 35,000 service stations and 7 million vehicles in 60 countries, according to marketing literature. And last year, Orpak was acquired by Gilbarco Veeder-Root, a large North Carolina-based maker of gas pump and point-of-sale systems for convenience stores in the US and elsewhere.
The SiteOmat system tracks the amount of gas stored in underground tanks and monitors in real time the temperature and pressure of each tank. It's also used to set the fuel prices and process card payments at commercial pumps, as well as track which employee is pumping the fuel at full-service pumps, what kind and how much fuel is pumped into each vehicle, and the total price paid for the transaction.
The system has a handy web interface so owners of one or multiple gas stations can remotely access the controls for each station.
"If you have a network, a chain of different gas stations, the managers can log into the different fuel pumps and see how much fuel they use, update the prices, and see how much money every pump earned every day, month, week," Neiderman said in an interview.
But easy access for gas station owners turns out to be easy access for hackers as well. Using the Shodan search engine—which locates internet-connected devices and systems—the researchers were able to find a few thousand vulnerable gas stations online using the Orpak system connected to the internet.
Although the web interface for Orpak's system is supposed to be password protected, the researchers found a user manual on Orpak's website that contained the default password. After locating one system in Spain that hadn't changed the default password, they were able to download the entire file system from the gas station's site and analyze the Orpak code.
One of the first problems they found was a backdoor embedded in the Orpak source code with a hardcoded username and password. This would allow remote hackers to bypass the password protection on the front end of the system and access any Orpak gas station, whether the owner had changed the default password or not. The backdoor gives full administrative access to the Orpak web panel, including the power to change fuel prices and other settings. But the system doesn't actually require administrative privilege to alter fuel prices, the researchers found—anyone with access to the system can change fuel prices without authorization. Although the system tracks price changes in a log, a buffer overflow vulnerability they found would let an attacker take control of the system and delete all logs, making it difficult for gas station owners to notice price changes.
After getting the owner of one gas station in Israel to let them test the system, Neiderman and Naor were able to remotely alter the gas price per liter from ILS 6.54 to ILS 6.66 ($1.91 to $1.95) on one pump. Neiderman wrote a script to alter prices automatically, which Naor triggered from his mobile phone when he arrived at the gas station.
They also found that the Orpak software stores user information, such as usernames and passwords, in unencrypted format and uses unsigned and unencrypted firmware, meaning an attacker could overwrite the legitimate Orpak software with rogue software.
Not all Orpak gas stations are directly connected to the internet. Some are protected behind routers and only accessible on a company's internal network. But if a company with multiple gas stations has just one system connected to the internet, an attacker who gains access to that one system can then control other gas stations not accessible through the internet as well as access other systems connected to that network, such as business systems and surveillance cameras.
The researchers contacted Orpak last September about the vulnerabilities and received a reply a month later saying the company was in the process of distributing a "hardened" version of its system but the company has said little since then. After learning that the researchers planned to discuss their findings at a security conference in Moscow in November, the company requested a face-to-face meeting with the researchers, but that meeting never occurred.
Gilbarco Veeder-Root, Orpak's new parent company, didn't respond to requests for comment from Motherboard. Aviv Tal, vice president of strategy and marketing for Orpak wouldn't answer questions about whether the specific vulnerabilities the researchers uncovered had been fixed.
"Orpak’s highest priority is its customer security and we take very seriously the ever-growing cyber risks that may impact our industry," he wrote in an email. "When notified of potential security risks, we take actions to resolve potential vulnerability issues, contact our customers, and continue to timely address any issues as needed in order to protect our customers."
It's not clear if anyone has used the vulnerabilities in the Orpak system to steal fuel or obtain it at a lower price, but a recent case in Russia illustrates just how valuable such vulnerabilities would be to thieves.
According to a news report last week in the Russian media outlet Rosbalt, Russia's Federal Security Service, or FSB, recently discovered a fraud scheme involving a Russian hacker and several gas station managers that allowed them to siphon a hundred-million rubles worth of gas from unsuspecting customers in a scheme using malicious code developed by the hacker.
When customers purchased fuel, the malicious code reportedly diverted between three and seven percent of the purchase to an empty underground tank, while the gas pump screen indicated to customers that the full amount went to their cars. Once the underground tank contained a sufficient amount of diverted gas, the rogue managers sold gas from the tank, though the malicious code prevented these sales from being recorded in the system logs. The hacker partnered with dozens of gas station managers in districts covering "almost the entire south of Russia" before being caught. He earned money not only from the sale of his malicious code, but got a share of the profits from the re-sale of the siphoned gas. The gas stations themselves never lost money, just the customers who were cheated out of a full tank of gas.
Orpak opened a Moscow-Based subsidiary in 2016, and the Israeli researchers delivered their findings in November at a conference in Moscow, though it's not clear if the scam in Russia involved the Orpak system or another automated gas management system.