Gas Pump Hacking
I’ve been chatting with my colleagues for a while about how this process works and how it ought to be relatively easy to corrupt. For starters, think of the gas-point programs that many supermarkets offer. You shop at their supermarket, where every dollar spent equals a point, and then 100 points saves you 10¢. You show up at the gas station and swipe this card and, without interaction from the station owner, the pump automatically lowers the price per gallon. At first, one would think this only works because each station has explicitly configured its pumps to work with only certain programs – which makes sense – but how technical are all of these station owners? This process needs to be dirt simple and largely self-configuring.
Now, these systems offer even more food for thought when you consider corporate gas cards. These cards often attempt to authenticate their use based on an associated vehicle (by a reasonable running odometer track) against the card ID. Obviously, these systems are not universally programmed by the station owner, which means these pumps are reaching out over a network to a server identified on the magnetic strip, passing information up, and receiving information back. That information can be as simple as approve/deny or an alteration of the price.
It would seem it should not be too difficult to “create” an accounting card along with an offshore server for authentication that approves discounted gas. After all, in discussions with my little group of nefarious friends, given the security state of things like SCADA, we were pretty sure the gas systems were in the clear and using poor (if any) authentication. Anyway, this all seemed very academic until the other day, when I came across a security report from Trend Micro alleging Anonymous hacked pumps to display “We Are Legion” instead of “Diesel.” Turns out some simple scanning and databases like Shodan reveal thousands of gas pumps with serial control points connected to IP interfaces. Seems like making some free gas cards is not too far-fetched after all.