Why Researchers Tricked Hackers into Attacking Fake Gas Pumps
More than 2,000 gas station monitoring devices are easy to find and hack, researchers warn.
In January of this year, a security researcher warned that thousands of gas station monitoring systems were exposed on the internet. Soon after, someone hacked into one, changing the name of the system from "DIESEL" to "WE ARE LEGION," in reference to the motto of the hacking collective Anonymous.
This incident motivated Kyle Wilhoit and Stephen Hilt, two security researchers at Trend Micro, to run an experiment. They set up 10 fake gas station monitoring systems and put them online as honeypots. To hackers, or anyone looking for these systems, they looked exactly like regular gas monitoring devices known as Guardian AST, which are made to check and control fuel levels in gas station tanks, and alert operators whenever they get too low.
Over the span of six months, Wilhoit and Hilt saw a series of attacks against their honeypots. Given the nature of the systems—Guardian ASTs only allow for monitoring, and don't directly control the fuel levels—most of these attacks were harmless.
But a fake gas pump set up in DC received a denial of service attack lasting two days. Wilhoit and Hilt saw that the attack traced back to Syrian IP addresses previously associated with the Syrian Electronic Army, the researchers said during their talk at the Black Hat security conference in Las Vegas on Thursday.
Moreover, a string in the attack code, "SEAcannngo," seemed to refer to the group's initials. Th3 Pr0, a member of the Syrian Electronic Army, denied having anything to do with this attack.
"No, it's not us," he told me in an email.
In another instance, the name of a gas pump set up to look like it was in Jordan was changed to display the message "H4CK3D by IDC-TEAM." That same message appears on websites defaced by a hacktivist group known as the Iranian Dark Coders Team, according to the researchers.
Attacking a fake device is harmless, but having access to gas pump devices like the Guardian ASTs could give malicious attackers a way to disrupt fuel distribution by making it look like tanks are full when they're actually empty, or perhaps even tricking operators into overflowing gas tanks, the researchers warned.
The big problem is that hackers are targeting these systems "because it's easy," as Wilhoit told me. But it shouldn't be.
When the researchers scanned for real Guardian ASTs connected to the internet a couple of weeks ago, they found around 2,000, they told me.
"Time and again, a scan of sites like Shodan exposes systems that shouldn't even be internet connected," the researchers wrote in their research white paper.
And that's the point: some things should not be connected to the internet, or if they are, they should be connected in a way that lets only the people who are supposed to control them access them. There's no need to have wind turbines or gas stations openly exposed on the internet. Showing how easy it is to hack them is "the only way this will change," Wilhoit told me after the talk.
"Security will start to happen," he said. "Because right these devices are being deployed on the internet—it's a joke."
This story has been updated to include Th3 Pr0's comment.