Gas stations lose millions of dollars annually to gas fraud. Most of this fraud occurs when thieves use stolen credit and debit cards to fuel vehicles, resulting in chargebacks to service stations.
But gas station owners in the US and elsewhere may have to worry about a new kind of fraud after two security researchers in Israel discovered multiple vulnerabilities in one automated system used to control fuel prices and other information at thousands of gas stations around the world.
The vulnerabilities would allow an attacker to shut down fuel pumps, hijack credit card payments, and steal card numbers or access backend networks to take control of surveillance cameras and other systems connected to a gas station or convenience store’s network. An attacker could also simply alter fuel prices and steal petrol.
Ido Naor, a senior security researcher with Kaspersky Lab, and Amihai Neiderman, a former researcher with Azimuth Security, discovered the vulnerabilities after the computer screen on a gas pump in Israel crashed one day last June as Naor was filling his tank and exposed a local IP address. The system turned out to belong to an Israeli company named Orpak Systems, which makes fuel-management software. Orpak’s system is used by commercial gas stations in Israel as well as by the military and large corporations to track gas consumption for their fleets of vehicles, to ensure employees and soldiers aren’t siphoning gas from work vehicles to fuel personal ones.
But Orpak, which makes both RFID vehicle-tracking systems and fuel-management systems, doesn’t just sell its systems in Israel; its software is installed in more than 35,000 service stations and 7 million vehicles in 60 countries, according to marketing literature. And last year, Orpak was acquired by Gilbarco Veeder-Root, a large North Carolina-based maker of gas pump and point-of-sale systems for convenience stores in the US and elsewhere.