A week ago, Motherboard revealed how a security researcher discovered backdoor access to fuel stations around the world. Kaspersky, which was involved in the original research, has now disclosed more details in a blog post by Ido Naor. The details show just how older accepted practices among industrial systems designers are making life easy for hackers.
Fuel stations are already good pickings for hackers. They have learned how to manipulate the “pay at pump” systems to steal credit and debit card data. This ranges from skimming cards at the pump through to malware installed on POS systems. A single operation in 2014 stole more than $2 million across three US States.
What did Orpak get wrong?
The basics of this security breach are simple: poor security design, default usernames and passwords, technical data published online and little to no other protection.
While fuelling his vehicle in June last year, Naor noticed that the system controlling the pump had crashed and, in doing so, had exposed an IP address. Intrigued, Naor and another researcher, Amihai Neiderman, began investigating the system. It was made by Orpak Systems, an Israeli company that has sold its fuel-management system to over 35,000 fuel stations worldwide. The system uses embedded Linux and can easily be connected to the Internet.
As the investigation continued the researchers were able to quickly locate product manuals. These gave detailed technical information including: “..screenshots, default credentials, different commands and a step-by-step guide on how to access and manage each of the interfaces. That alone assisted us in gaining all the information we needed, before we even wrote a single line of code.” The services for remote access also included the network architecture.
To be fair to Orpak, when it first developed this system such detailed information in manuals was pretty standard. Unfortunately, so was the use of a default username and password to access systems. And yes, that information is in the manuals. (hint: it took us less than 10 seconds to find manuals and the default credentials).
What could an attacker do?
According to the blog, the researchers were quickly able to log into a shift management console. They then obtained permission from a user of the system to examine it offline, looking for what data was available and what they could alter.
They discovered a system that, as expected, would allow any site owner to fully manage the pumps. That includes changing the price of fuel and managing all the other systems at the fuel station. Interestingly, Naor sees this as more of an insider threat than a threat from external hackers. But it is more complex than that.
The blog lists a number of things an attacker could do:
- Shut down all fuelling systems
- Cause fuel leakage and risk of casualties
- Change fuelling price
- Circumvent payment terminal to steal money
- Scrape vehicle license plates and driver identities
- Halt the station’s operation, demanding a ransom in exchange
- Execute code on the controller unit
- Move freely within the gas station network
A lack of security and little to no response from Orpak
The details of this breach show that the code is not signed. That means that an attacker could install their own firmware code. With a lack of other security software as part of the solution it is also possible for an attacker to use the pumps to spread malware. This opens up an interesting new attack vector. Many large fuel station chains now provide free Wi-Fi for customers. If an attacker can store malware on the pump and then push it out to customers across the Wi-Fi network it would be difficult to detect.
Of all the security failings none is more worrying than the discovery of a hardcoded username and password. This means that even if a site owner changed the default username and password, there is a single hardcoded equivalent that will get into any Orpak SiteOmat system. All it would require is a fuel station owner allowing a hacker free access to their system for a short period.
Orpak was apparently alerted to the problem back in September 2017. In October, the researchers received an email saying Orpak was distributing a hardened version of its system. Apart from that, the company, which is now owned by Gilbarco Veeder-Root, is making no comment.
How many systems can be seen online?
Using the Shodan search engine, we simply typed in Orpak and got a list of 617 results. We randomly tried 60 different IP addresses and in every case were presented with the logon screen. We then selected a smaller number of sites and tried the default credentials. None were successful, showing that some owners, at least, had changed their default details.
When we tried credentials several times, there was no lockout on the login screen. This implies that the system could be open to a brute force attack. This was not identified in the details provided by the researchers.
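As an added example (not the researchers' or Orpak's code), the kind of per-source lockout the logon screen described above lacks, replayed over a constructed authentication log so the difference is visible; the log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                 # assumed policy: 3 failures within WINDOW
WINDOW = timedelta(minutes=10)   # lock the source address
LOCKOUT = timedelta(minutes=30)  # for 30 minutes

class LoginGuard:
    """Per-source lockout of the kind the SiteOmat logon screen reportedly lacks."""
    def __init__(self):
        self.failures = defaultdict(deque)  # source -> timestamps of recent failures
        self.locked_until = {}              # source -> time the lockout expires

    def attempt(self, source, succeeded, now):
        """Record one login attempt; return 'locked', 'ok' or 'fail'."""
        if self.locked_until.get(source, now) > now:
            return "locked"                 # refused before any password check
        recent = self.failures[source]
        while recent and now - recent[0] > WINDOW:
            recent.popleft()                # forget failures outside the window
        if succeeded:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[source] = now + LOCKOUT
            recent.clear()
        return "fail"

# Assumed log format: "<date> <time> <source-ip> login <ok|fail> user=<name>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) login (ok|fail) user=\S+$")
# Constructed sample: one source keeps guessing an account, a legitimate user mistypes once.
SAMPLE_LOG = """\
2018-02-05 09:00:01 203.0.113.9 login fail user=admin
2018-02-05 09:00:03 203.0.113.9 login fail user=admin
2018-02-05 09:00:05 203.0.113.9 login fail user=admin
2018-02-05 09:00:07 203.0.113.9 login fail user=admin
2018-02-05 09:00:09 203.0.113.9 login ok user=admin
2018-02-05 09:05:00 198.51.100.4 login fail user=shift1
2018-02-05 09:05:10 198.51.100.4 login ok user=shift1
"""
def replay(log_text):
    """Replay log lines through a fresh LoginGuard; return a (source, verdict) per parsed line."""
    guard, verdicts = LoginGuard(), []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        verdicts.append((m.group(2), guard.attempt(m.group(2), m.group(3) == "ok", when)))
    return verdicts
```

With the lockout in place the fourth guess and the eventual correct password from the guessing source are both refused, while the legitimate user's single mistake is not penalised.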
What does this mean?
This is just one of many embedded systems that were designed to last for several years and even decades. They were designed at a time when cybersecurity was not seen as a concern. The technical details in manuals were often published to make life easier for customers. However, even where access to those manuals was restricted, people often copied them and posted them online.
There is, as yet, no evidence that this situation has led to any Orpak SiteOmat system leaking significant data. That may partly be down to the problem of identifying where credit card data was stolen from. It could also be that hackers have overlooked this system. However, Shodan has proven itself a good tool for researchers and hackers alike and it would be foolish to think that nobody had previously attempted any hack on this system.