Thieves Stole 120,000 Liters of Fuel from Gas Stations That Used Default Passwords

FrenchGasAfter a yearlong investigation, Parisian authorities recently arrested five men for stealing 120,000 liters of petrol and diesel. As reported by Le Parisien, the scheme involved the use of a “miracle remote” bought online that could essentially hack a specific Total gas station pump brand. The hack was possible because some gas station managers did not change the default “0000” PIN code of their gas pumps. The access provided by the PIN code allowed the group to reset fuel prices and remove fill-up limits.

The scheme itself involved a group of men going to small isolated gas stations in two vehicles, one of which had a large empty tanker installed in the back. A man in the first vehicle would come to the station and unlock the gas pump, then the second vehicle with the tank would come in and steal thousands of liters of fuel. The group would also advertise to “customers” on social media, sending out specific times and stations where they could come and get fuel.

In 2018, Total noticed the suspicious activity and cooperated with authorities on investigating the matter. In April of that year, the French police arrested a man at a Total station in Sagy, Val-d'Oise who had the remote device in his possession. Further investigation eventually led the police to the five men who were arrested last Monday. French authorities estimate that the group made around €150,000 ($168,000) from selling their stolen fuel.

Gas pumps are a known security risk

In 2015, Trend Micro researchers looked into attacks on connected gas pumps. Even then, there were already a number of unsecured machines. Valuable and potentially sensitive data points on these pumps were easily found online, including the tank name, command issued, volume, height, water, and the temperature of the tank. At that time, there were over 1,515 connected gas pump monitoring devices exposed worldwide, all of them lacking security measures that prevent access to unauthorized entities. There was even evidence of devices that had been tampered with.

Further research into gas tank monitoring systems showed that there were hackers actively searching for exposed gas tank monitoring systems and pulling data about the machines. Motives behind such operations vary depending on the threat actors, but possible attacks on these systems include: pranks (such as changing the tank label), reconnaissance (finding out delivery schedule), extortion (blocking owners’ access for a certain sum), and even sabotage (adjusting tank limits so it overflows).

Securing smart devices

Enterprises are using more smart devices to manage and handle their products. Businesses and even cities around the world are getting smarter and more connected by the year. But, as the adoption of these devices continues, security practices also have to evolve.

Changing the default password on devices—from home routers to enterprise-level equipment — is a basic practice that all users need to adopt. Good password hygiene also involves using strong passwords or enabling two-factor authentication. There are also other security considerations for smart devices in handling basic utilities. It is particularly important for machines in critical sectors — like utilities and transportation — to implement security policies that can adequately protect their infrastructure.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.