Kaspersky Lab researchers have helped uncover a number of unknown vulnerabilities that have left gas stations around the world exposed to remote takeover, often for years.

The vulnerabilities were found in an embedded gas station controller of which there are currently over 1,000 installed and online. The manufacturer was notified when the threat was confirmed.

Kaspersky Lab experts found the controller during unrelated research into devices with open connections to the internet. In many cases the controller had been placed in the fuel station over a decade ago and had been connected to the internet ever since.

The controller, which runs Linux, operates with high privileges, and the researchers discovered a number of vulnerabilities that leave the device and the systems it is connected to open to cyberattack.

For example, the researchers were able to monitor and configure many of the gas station settings. An intruder able to bypass the login screen and gain access to the main interfaces would be able to do any of the following:

Shut down all fueling systems
Change the fuel prices
Cause fuel leakages
Circumvent payment terminals to steal money (the controller connects directly to the payment terminal, so payment transactions could be hijacked)
Scrape vehicle license plates and driver identities
Execute code on the controller unit
Move freely within the gas station network

“When it comes to connected devices it is easy to focus on the new and to forget about products installed many years ago that might be leaving the business wide open to attack. The damage that could be done by sabotaging a gas station doesn’t bear thinking about. We have shared our findings with the manufacturer,” said Ido Naor, Senior Security Researcher at Kaspersky

The vulnerabilities have also been reported to MITRE and the research is

Kaspersky Lab advises manufacturers of connected internet-of-things devices to consider the security of their products from the very first moment of development and design, and to review legacy devices for possible security vulnerabilities. Users of connected devices are urged to review regularly the security of these devices and not to rely on factory settings.
