Vulnerabilities in fuel stations allowed hackers to change fuel prices, cause fuel leaks and more

Vulnerabilities in software that ran on a device in thousands of fuel stations around the world were discovered. The vulnerabilities in the software of the Linux-based controller, allowed hackers to change fuel prices at will among many other things.

This discovery was made by researchers at Kaspersky Lab while they were apparently looking into a totally unrelated matter.

Network layout showing the main controller unit and its access privileges
Network layout showing the main controller unit and its access privileges.

“When it comes to [Internet] connected devices it is easy to focus on the new and to forget about products installed many years ago that might be leaving the business wide open to attack. The damage that could be done by sabotaging a gas station doesn’t bear thinking about. We have shared our findings with the manufacturer,” said Ido Naor, Senior Security Researcher at Kaspersky Lab.

The vulnerabilities were discovered in an Internet-connected embedded fuel station controller. Kaspersky Lab estimated that there are over 1,000 of these devices currently installed at fuel stations globally and even more worrying is that they are still connected to the Internet. The discovery was made when Naor and colleagues were apparently conducting unrelated research into devices with open connections to the Internet.

"More specifically, the controller is at the heart of the station and if an intruder finds a way to take over the box, the results could be catastrophic. Another worrying detail, discovered later in the research, was when the solution was installed – many instances were embedded in fueling systems over a decade ago and have been connected to the internet ever since," said Naor.

Once a hacker could remotely gain access to the main interfaces they would be able to perform any of the following tasks at the fuel station:

  • Shut down all fueling systems
  • Change the fuel prices
  • Cause fuel leakages
  • Circumvent payment terminals to steal money (the controller connects directly to the payment terminal, so payment transactions could be hijacked)
  • Scrape vehicle license plates and driver identities
  • Execute code on the controller unit Move freely within the gas station network

Map of vulnerable fuel stations around the world
Top countries with gas stations open to the internet (data from Shodan and telemetry sources).

None of the top known vulnerable fuel stations are in Afrika although a few may be vulnerable. Kaspersky Lab say that the manufacturer has been notified once the threat was confirmed.