The Executive Committee of the Mediterranean Association of ICT Experts (ASPERTIC), meeting at its winter assembly in Barcelona on 16 and 17 February 2018, revealed a detailed report commissioned to several of the association members.
This report reveals the gravity that constitutes a certain risk of an ecological disaster of serious proportions, which can be caused by lack of skill, bad faith, organized crime and/or terrorism and agree to raise the authorities and make public said report.
This report reveals concerning issues about the state of industrial security but centers mostly on two very known issues regarding gas stations.
The first issue largely discussed in the report was already published on GBHackers “Globally Gas Stations are Extremely Vulnerable to an Internet of Things (“IoT”) Cyber Attacks” and it’s a very known issue by the security community since at least 2015.
The second issue that the report refers to and the main focus of this article is related to several gas station design flaws that allow attackers to CHANGE THE PRICE on the gas pumps remotely but not that.
What can a remote intruder actually do? Take full control of the gas station with minimal knowledge since the maker of the pumps has published very well detailed manuals for operating the systems.
- But more specifically we are talking about flaws that will allow attackers to steal credit cards, hijack payments, take control of surveillance cameras, scrape vehicle license plates and driver identities, shut down all fueling systems, halt the station’s operation, demanding a ransom in exchange, execute code on the controller unit and maybe the most concerning one can cause fuel leaks with the risk of casualties.
The top 10 countries affected by a number of detected systems by this Gas Station Design Flaws
- India 526
- United States 369
- Chile 242
- Singapore 188
- Israel 156
- Turkey 105
- Spain 98
- Netherlands 48
- Czech Republic 44
- United Kingdom 26
Ido Naor, a senior security researcher with Kaspersky Lab, and Amihai Neiderman, a former researcher with Azimuth Security, discovered the vulnerabilities and reserved the following CVE with MITRE:
- CVE-2017-14728 Hardcoded Administrator Credentials
- CVE-2017-14850 Persistent XSS
- CVE-2017-14851 SQL Injection
- CVE-2017-14852 Insecure Communication
- CVE-2017-14853 Code injection
- CVE-2017-14854Buffer Overflow allows RCE
Kaspersky and Motherboard published very detailed articles regarding the flaws. These systems have been exposed to the internet for more than a decade and is very much worrying that we can locate them with a simple search using only one keyword.
Any security professional expects these systems to be off the internet or at least behind VPN and it is clearly not the case.
As we see not only default unchanged admin credentials is a usual flaw by an integrator, also the problem is in the development phase “hardcoding” them.
We want to remark the HIGH IMPORTANCE of these botched jobs while IoT is increasing in Critical Infrastructures.
Nowadays, the 80’s myth about Russian pipeline sabotage that leads to an explosion could be real, back in 2009 a storage tank at Bayamon (Puerto Rico) burns due to a glitch in the facility’s monitoring system.
Here we talk only about Gas Stations, something that we have near our homes and becomes familiar. But the risk is all along the production and distribution chain in Oil & Gas Industry. Extraction, Processing, Transporting and Selling.
In 2008 cybercriminals already intentionally manipulates alarms and communications in a Turkish pipeline inducing an explosion and spill of 5.000.000 liters of oil.
In 2012 some cyber criminals break into Telvent to steal the project files of their SCADA software, probably to find “holes” to attack directly Oil & Gas Companies.
There are only some cases that we had already suffered. We must be prepared and apply all the security resource we have in our hands… S-SLDC, Security-in-Depth, Red vs Blue Team strategies and of course, community sharing and awareness.