Gas Station Software Vulnerability Potentially Gives Attackers Control over the System
As malicious attacks expand beyond the traditional targets of enterprise network and home user attacks, cybercriminals have begun to move on to other potentially lucrative targets. From industrial systems and healthcare databases, to home routers and other Internet of Things (IoT) devices – practically anything can be a target as long as it’s connected to the internet.
In a recent development, Israeli researchers Ido Naor and Amihai Neiderman discovered the existence of new vulnerabilities in a gas station software that could allow attackers to pull off a variety of malicious attacks, which includes shutting down fuel pumps, hijacking credit card payments, and taking control of systems connected to a gas station or convenience store's network. In addition, an attacker could also potentially steal gas or even alter fuel prices.
These specific vulnerabilities were found in SiteOmat, an automation system created by Orpak Systems that is responsible for monitoring the amount of gas stored in the station’s tanks and the temperature and pressure of the tanks, as well as setting the prices for fuel and processing card payments. In addition, it also comes with a user interface that a gas station owner or manager can use to control and monitor different aspects of all their branches. In essence, it acts as a controller for nearly all the essential processes of a gas station’s operation.
By simple sleuthing, the researchers were able to find the default password for the user interface—on Orpak’s own website. This allowed them to access a gas station in Spain that still used the default password, after which they were able to download the file system for analysis.
They found a backdoor in the Orpak source code using a hardcoded username and password that gives users full administrative access to the user interface, allowing them to alter the settings. An attacker exploiting this backdoor could cause serious damage through malicious acts such as changing fuel prices on the fly. This is further compounded by a buffer overflow vulnerability that would allow the attacker to delete all logs, making it difficult for gas station owners to notice price changes.
The researchers also discovered addition potential security risks in the software, such as unencrypted user information as well as the use of unsigned and unencrypted firmware.
The combination of a lucrative payoff combined with relatively light security implementation in many of these kinds of systems makes them ideal targets for cybercriminals. Gas stations can be particularly vulnerable, as owners and operators do not traditionally come from backgrounds with high emphasis on security. Many of these gas stations are owned by individual owners and franchisees who do not have the same manpower or resources that larger organizations do.
Related: The Gaspot Experiment: How gas-tank-monitoring systems could make perfect targets for attackers
Security, in this particular instance, is the responsibility of both the software manufacturer and the operator. Organizations offering system software should regularly check their product for any critical vulnerabilities, and also ensure that these vulnerabilities are patched as soon as possible. Vulnerability testing is a practice that can help assess whether the device’s security can be circumvented. This is especially important in cases like these, where essential commodities are potentially compromised.
On the other hand, owners and operators can also ensure that their systems are secure as possible. Simple but effective measures such as changing the default password in the user interface of a control system will help mitigate the effects of attacks made against the system.
Trend Micro Solutions
Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these kinds of attacks even without any engine or pattern update. These solutions are powered by XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.