Unknown persons gain access to the serial interface of a petrol station via the Internet. They can paralyze the petrol station system, manipulate fuel prices and fuel tank levels, and bypass the payment terminals to hijack payment traffic. The criminals can then steal stored customer identifiers including vehicle license plates. And the cyber attack is over after a few minutes – without the perpetrators even having set foot in the petrol station.
Around three percent of all US petrol stations have no password protection
What sounds like the plot of a Hollywood blockbuster is, unfortunately, a real threat. In 2015, the US security provider Rapid7 found in a nationwide investigation that, of the approximately 150,000 petrol stations in the United States, over 5,300 were connected to the Internet without password protection. That is about three percent of all petrol stations in the US.
German petrol stations also affected
Four years later, in a study of German petrol stations, the security experts at A1 Digital also found weaknesses in a control unit that allow criminals to sabotage petrol station systems and manipulate them in their favor. “The affected control unit is used by petrol stations worldwide. It is also used in Germany and Austria”, says Aron Molnar, a security expert at A1 Digital and one of the best hackers in Europe. The vulnerability concerns a so-called embedded system that is installed on tens of thousands of devices worldwide and is still online. Hackers would be able to gain control over affected petrol station systems remotely.
72 percent of all businesses are affected by cyber attacks
For all the benefits of digitization, attacks by cybercriminals are one of its few disadvantages. According to a recent study by auditing and consulting firm KPMG, 72 percent of all companies have been victims of cyber attacks in the past two years, with 50 percent suffering disruptions to their business processes as a result. “Businesses still have inadequate security concepts and lack awareness of the problem”, notes Aron Molnar. In addition, there was an average of 40 new security vulnerabilities in infrastructure and application components per day last year.
Hidden workers: embedded systems
Embedded systems operate in home appliances, medical equipment, and logistics systems, where they control important tasks that make our everyday lives easier and safer. Every year, more than three billion embedded components and devices are connected, and 98 percent of all microprocessors produced are installed in them, according to a survey conducted by the Smart Embedded Systems Innovation Center of the Fraunhofer Institute Kaiserslautern. “This makes it clear that today's society and our economy could not exist without embedded systems”, says Molnar. The demands for the reliability and functional security of such systems are accordingly high. “Systemic vulnerabilities are not an option, especially if there is a danger to people and the environment through security gaps such as at petrol stations.”
The real danger of a hack
“In the current case, the control unit, which was originally only accessible to petrol station on-site staff, was integrated into a centralized system and connected to the Internet”, according to the expert. “Since this control unit was not designed to be connected to the Internet in conceptual design, security measures and concepts such as authorization systems and encryption are also missing.” It is also conceivable that attackers could hijack the networked control systems and use them as a springboard to other internal systems. Attackers would potentially be able to gain access to additional interfaces, manipulate fuel prices or bypass payment terminals and hijack payment traffic.
“Old online-enabled devices are too often neglected”
Aron Molnar: “When it comes to Internet-enabled devices, systems or system components, companies often focus on new and innovative devices. However, they neglect systems that were already installed many years ago and then forgotten – and thus represent a possible gateway for attackers in the corporate network.” The consequences of the resulting damage are difficult to predict. “Think of an attack on the power supply of a country – such as what happened in 2015 with the Crimean peninsula. By taking advantage of the present vulnerability someone could manipulate petrol stations so that fuel would not be reordered. This would allow an attacker to influence the fuel supply not only for vehicles, but also for emergency generators and create local bottlenecks.”
“Consider security when planning such systems”
Security expert Aron Molnar, therefore, recommends that petrol station operators have their aging petrol station networks checked for security gaps. “We also advise affected parties to consider the latest security aspects during product implementation and to regularly check the corresponding systems for their security. Systems that cannot be secured need to be sealed off – and stay that way”, says Molnar.
Four questions for Aron Molnar, a security expert at A1 Digital
When did the vulnerability become public for the first time?
Aron Molnar: This vulnerability was first discovered in early 2015 when US technology company Kachoolie, a manufacturer of products for the petroleum and natural gas industries, came across it by accident. Afterward, a US-wide survey revealed that out of approximately 150,000 petrol stations in the country, about 5,300 were connected to the Internet with no password protection.
What data can get through the security gaps? And what damage can it do?
Aron Molnar: Data can be read out, such as recent fuel levels, temperatures, and fuel deliveries. Tests can also be started and data can be changed, such as warnings that tanks are supposedly empty and fuel needs to be reordered.
What solutions does A1 Digital offer for this security issue?
Aron Molnar: Because this is a network design vulnerability, there is no one-size-fits-all solution here. We can integrate the devices into a partitioned network so that they are only accessible via the respective company system and are not public.
What do you recommend to affected customers about how they should deal with such issues?
Aron Molnar: We recommend – especially in the field of the industry – that security is already considered when planning the respective systems. Systems, such as those in the affected petrol stations, which should not be accessible to the public, have to be sealed off.