I have to admit that Internet-enabled gas station equipment has been around for a long time. In fact, WireSpring actually developed an early version of a remotely-managed fuel dispensing system for a (now defunct) company called ifuel waaaaay back in 2004. The system featured remote monitoring and management of the pumps, digital signage, CRIND devices, and even had social components. Unfortunately, it was a bit ahead of its time. However, it was never hacked while it was live.
While there have been a few reports about actual fueling infrastructure getting hacked, the focus of today's story is on a series of honeypots (computer systems intentionally left unsecured so that researchers can learn from would-be attackers) set up to look just like Veeder fuel monitoring systems. The so-called "GasPots" were left online for a period of about six months, during which time researchers at Trend Micro noted attacks coming from various groups. Since the monitoring systems can't actually affect fuel flow, most of the attacks attempted were harmless -- and likely would be if they were carried out on real-world infrastructure. However, the researchers also noticed a number of denial-of-service (DoS) attacks that could have taken a real-world pump offline for some period.
So while the researchers technically didn't observe any real-world attacks (since they weren't looking for them), it's safe to assume that the same type of attackers who came across their honeypots are likely to either have come across real-world devices that are similarly (in)secured, and if not, they probably will in the near future. And while again the focus in this case was on devices that can't actually modify the flow of fuel on is way from tank to pump, there are certainly other internet-enabled devices at many fueling stations and depos that can do precisely that. I'm sure that being able to remotely manage these devices can be beneficial to business owners and managers. However, this type of infrastructure should always be behind a firewall, a VPN, or both.
If you can get past the silly-sounding GasPot terminology, the Trend Micro report actually makes for some interesting reading. It can be downloaded in its entirety here.
Comments
RSS feed for comments to this post