Kaspersky Lab researchers have helped uncover several unknown vulnerabilities that have left petrol stations around the world exposed to remote takeover, in some cases, for over a decade.
Ido Naor, senior security researcher at Kaspersky Lab, says when it comes to connected devices, it is easy to focus on the new and to forget about products installed many years ago that might be leaving the business wide open to attack.
"The damage that could be done by sabotaging a gas station doesn't bear thinking about. We have shared our findings with the manufacturer," he explained.
Open to cyber attack
The vulnerabilities were discovered in an embedded petrol station controller of which there are currently over 1000 installed and online. The manufacturer was informed as soon as the threat was confirmed.
The company's researchers discovered the controller during unrelated research into devices with open connections to the Internet.
Running a Linux machine, the controller operates with high privileges and the researchers discovered a number of vulnerabilities that leave the device and the systems it is connected to open to cyber attack. For example, they were able to monitor and configure many of the petrol station settings.
Shutting down systems
An attacker able to bypass the login screen and gain access to the main interfaces would be able to do several things, including shutting down all fuelling systems, altering fuel prices and causing fuel leakages.
Moreover, an intruder would have the ability to circumvent payment terminals to steal money, as the controller connects directly to the payment terminal, enabling payment transactions to be hijacked.
Finally, they would be able to scrape vehicle licence plates and driver identities, execute code on the controller unit, and move freely within the gas station network.
The vulnerabilities have also been reported to the manufacturer and the research is ongoing.
Share