Hackers Fall Into Internet-Connected Gas Pump Trap

August 11, 2015 at 1:52 pm By

While pumping your gas your biggest concern might be the charges on your card or the high prices. It never occurred to you that Internet-connected gas pumps we use on a daily basis could be exploited by hackers and ultimately lead to very dangerous consequences.

“If attackers could cause a gas station’s tanks to overflow or prevent leak alarms from sounding, it could have devastating consequences—particularly if they struck multiple pumps in a region at once,” reported Wired. 

“To see how real a threat that notion was, Kyle Wilhoit and Stephen Hilt from TrendMicro decided to set up a GasPot—a honeypot composed of virtual gas pump monitoring systems—to lure hackers and watch what they would do.”

The startling truth that prompted this investigation is that there are “5,800 unsecured automated tank gauges” that can be accessed through the internet. There are a number of functions that hackers could control if they were able to find their way into the system. Functions like “setting tank levels, overflow limits, monitor fuel-levels for inventory purposes and gauge the temperature of tanks,” according to the report.

“Remote attackers could take advantage of those controls in a few different ways. First, they could shut stations down by falsifying fuel levels to make it appear that tanks are low when they’re not, or they could change the ‘Unleaded’ label on a tank to ‘Premium’ or ‘Diesel,’ causing confusion about inventory,” according to the report.

“They could also conceivably modify tank levels and overflow limits, potentially leading to dangerous spills. In 2009 in Puerto Rico, for example, a fuel tank exploded into flames and burned for three days after a computerized monitoring system failed to sense when the tank reached capacity during an automated refill.”

The Gas Pot setup was quickly put to shame by hackers who used the US, UK, Germany, Jordan, Brazil, Russia and United Arab Emirates servers that were tested to locate the systems and then carry out their own style of Banksy-like tagging.

“At least nine times, for example, the intruders changed the name of a GasPot tank to things like ‘H4CK3D by IDC-TEAM’ and ‘AHAAD WAS HERE,'” said Wired.

“IDC-TEAM may refer to the pro-Iran hacking group Iranian Dark Coders Team, known for defacing web sites and tagging them with ‘H4CK3D by IDC-TEAM.'”

What’s next on hacker’s list?

Read the full story and study.