This article is more than 1 year old
Cops suspect Detroit fuel station was hacked before 10 drivers made off with 2.3k 'free' litres
But experts aren't convinced...
Updated Police suspect that high-tech thieves may have hacked into a Detroit petrol station before stealing about 600 US gallons (+-2,300 litres) of fuel.
Fox News affiliate WJBK reported that the clerk was unable to shut off a pump that dispensed free fuel for 90 minutes. Ten vehicles took advantage of the security hole to fuel up without paying, leaving the outlet down $1,800 (about £1,360).
The clerk said the system was unresponsive, but he eventually managed to shut it down using "emergency kit" before calling the cops.
Officers reckon the perps used a "remote device" to hack the pump and pull off the scam, which took place in broad daylight at around 1pm on June 23 at a suburban gas station about 15 minutes from downtown Detroit in the US. Police are investigating the drivers involved, whose cars may have been caught on CCTV.
The cops told reporters that whatever device allowed the pumps to dispense fuel without charging customers was also used to stop the pump from being switched off from the petrol station system-side.
Technical details are scant. In the absence of anything solid, cybersecurity experts offered a more prosaic explanation.
"It could just be a faulty pump," computer security researcher David Litchfield told El Reg.
Nigel Tolley added, dismissively: "A six-foot long drillbit and a pump with a hose would've got way more."
Elsewhere in petrol-pump-tech-gone-wrong news, many BP stations across the UK experienced a three-hour point-of-sale system outage on Sunday afternoon. Customers were asked to pay by cash during the incident, which has now been resolved.
The cause of the outage has become the focus of an investigation. ®
Updated to add
A Reg reader, who says he worked 10 years in tech support for the gas station industry, told us the suspected crooks may have put the pumps into a diagnostics-like mode, so that the equipment stopped reporting fuel pumping to the sales terminals. Our tipster explained:
What the perps will have done is put the pump into standalone mode – this is the removal of communications control, and every pump has it – it's like an engineering mode, allows dispensing without point-of-sale control.
Here in the UK, I have remote handsets that could easily do the same to most pumps here. It's only in recent years that some manufacturers have implemented the disabling of standalone mode while the comms cables running proprietary communication protocol are connected. It’s a small industry, and largely self-policed, with rare occurrences of engineers going rogue or letting out the passcodes and handsets.
The shop owner in this case should have simply hit the emergency stop. This would have killed the power, and stopped anything further occurring – it's likely they weren’t paying full attention.
Bootnote
Security researchers have demonstrated hacks on petrol management systems before. TrendMicro warned more than three years ago that gas-monitoring systems used in petrol stations were easy to find using Shodan, the Internet of Things search engine. Many system were not password-protected, as El Reg reported at the time.
More recent research by Ido Naor, a senior researcher at Kaspersky Lab, and Amihai Neiderman, formerly of Azimuth Security, warned that petrol station software vulnerabilities created a means for hackers to steal fuel, change prices and erase audit logs.
Biting the hand that feeds IT
