Kaspersky Lab: software vulnerabilities put over 1,000 gas stations around the world at risk
According to CNET, Kaspersky Lab researchers released a research report on gas station vulnerabilities last month, pointing out that more than 1,000 gas stations from the United States to India may face cyber attacks. The problems come from gas station controllers that can connect to the Internet. The owner cannot change the default password, and an attacker can gain full access to the machine.
Last Friday, Ido Naor, a senior security researcher at Kaspersky Lab, and Amihai Neiderman, an Israeli security researcher, conducted a comprehensive analysis of the safety of gas stations during Kaspersky’s security analysts’ summit in Cancun, Mexico. Their research shows that attackers can change gas prices, steal credit card information recorded on controllers, obtain license plate numbers, cause oil leaks, adjust temperature monitors, and so on.
Neiderman explained: “When we get root privileges, we can do anything we want to do.” Naor said that an attacker does not even need to go anywhere near the local gas station. The controllers at these gas stations can all connect to the Internet and their passwords are weak, so the attack can be carried out remotely.
The online software comes from Orpak Systems, which was acquired by the Gilbarco Veeder-Root Company of North Carolina in May last year. According to Orpak, its software has been installed at more than 35,000 gas stations worldwide. Orpak put its guide on the web, showing the details of the gas station technology, including how to access the password and screenshots of its interface. These companies did not respond to requests for comment.
These vulnerabilities highlight the problems with IoT devices, which have been widely criticized for their lack of security. With insecure webcams and DVRs connected online, hackers have been able to launch large-scale cyberattacks. But at a gas station, Naor said, the risk of a dangerous attack is much higher. In extreme cases, hackers may adjust the pressure and temperature inside the fuel tank and may cause an explosion.
Naor and Neiderman stated that they contacted suppliers in 2017 but were mostly ignored. Neiderman said that these loopholes are likely to remain. The machines are outdated, sometimes more than a decade old, and so is their software, he added.
Source: CNET, Image: Kaspersky