A pair of researchers discovered vulnerabilities in an automated gas station management system that allowed them to shut down fuel pumps, steal credit card data and alter fuel prices.
The vulnerability exists in Orpak System's fuel-management SiteOmat automation software and is caused by several factors including a backdoor embedded in the product's source code that allow an attacker to gain administrative access, according to Motherboard
The faulty software is installed in more than 35,000 service stations and 7 million vehicles in 60 countries, according to Orpak System's marketing literature however, not all of the systems are connected to the internet or exposed.
“If a company with multiple gas stations has just one system connected to the internet, an attacker who gains access to that one system can then control other gas stations not accessible through the internet as well as access other systems connected to that network, such as business systems and surveillance cameras,” the report said.
In addition, passwords and usernames needed to log into the system's firmware are also stored in an unencrypted format using unsigned and unencrypted firmware.
Researchers also found that the software allows anyone with access to the system the ability to alter fuel prices without needing administrative privileges or authorization. Even though the system tracks prices in a log, a buffer overflow vulnerability would allow the attacker to delete logs making it difficult to spot the theft.
Orpak was alerted to the vulnerability last September and said that it was in the process of distributing a “hardened” version of the system, although there have been no updates since. Earlier this month, a Russian man was arrested for using gas stealing malware
. It is unclear of any of these vulnerabilities were exploited in his attacks.