Hacking Gas Pumps via Bluetooth

Turns out pumps at gas stations are controlled via Bluetooth, and that the connections are insecure. No details in the article, but it seems that it’s easy to take control of the pump and have it dispense gas without requiring payment.

It’s a complicated crime to monetize, though. You need to sell access to the gas pump to others.

EDITED TO ADD (10/13): Reader Jeff Hall says that story is not accurate, and that the gas pumps do not have a Bluetooth connection.

Posted on October 3, 2023 at 7:01 AM • 25 Comments

Comments

Clive Robinson October 3, 2023 8:17 AM

@ Bruce, ALL,

“Turns out pumps at gas stations are controlled via Bluetooth, and that the connections are insecure.”

I suspect it’s not all pumps at gas stations, but “Bluetooth” is in effect an Open Use Standard with many low cost chip sets, or microcontroller based “System On a Chip”(SoC) components that are in the “less than pocket change” price range that contain Bluetooth as a “freebie”.

I suspect that the designers of these forecourt pump systems are looking for little more than the old equivalent of an “RS232 Serial link”, and the code to support that is across USB / WiFi / Bluetooth and others like Zigbee are “easily available”.

The designers might put a few “magic numbers” in but authentication is likely to be rudimentary at best and encryption quite unlikely…

We see similar issues with GSM mobile phone modules used in large equipment such as site cranes and even stock yard train controllers. The mobile phone network is not just available it works, trying to do the same with “Private Mobile Radio”(PMR) systems could run into half a million dollars per site with little difficulty before you talk about licensing fees and maintenance as significant ongoing costs.

The problem is that the design engineers will “Keep It Simple Stupid” whilst they develop, so neither,

1, Sensible Authentication.
2, Adequate Encryption.

Will be used, and won’t get put in unless there is a legislation, regulation or contractual obligation. Even then it will be the lowest of the low they can scrape through with…

Oh and don’t think those producing specifications have a clue.

I was back last century involved with the design of bomb disposal robots. One problem with them was the long control cables that got fairly easily damaged one way or another.

So a spec came up that included,

1, Remote control by radio
2, High power jammer to stop remote detonation by bomb placers.

You’d be surprised just how difficult it was to explain to them that the reality of the situation was that the two requirements were really mutually exclusive… Oh and one or two other realities of life that even “National Security” exemptions would not get you around.

Joe D October 3, 2023 8:22 AM

It’s a complicated crime to monetize, though.

Unless your goal is free gas for yourself. If you keep a low profile, you could probably get away with it for a while.

Peter A. October 3, 2023 10:36 AM

@Joe D: the article says the clerks could clearly see that gas is being dispensed without payment and they could not stop the pump from the console save by cutting power (aka emergency stop). This is open theft in broad daylight, not low profile.

I just wonder: if it is possible to hack the pump to start dispensing without payment, it’s probably possible to hack the dispensed volume and payment amount. Half-price gas may not seem as attractive as free gas, but it’ll be much less detectable – probably only after the fuel truck arrives and the total amount is checked, and you still don’t know how that gas ‘leaked’.

bennie s October 3, 2023 10:49 AM

The linked story is… not well-written, to say the least. They call this a “scam”, when it’s nothing of the sort (merely theft based on a security exploit; no person was tricked). It also says “Paying at the pump is for chumps – when you can get gas for free – and illegal”—no, paying at the pump is not illegal in Michigan. The use of the term “guys” seems much too informal for news reporting, when not quoting a person (or referencing an earlier quote). The use of en-dashes and hyphen-minus where an em-dash would be called for. Quoting a person as speaking a decimal price (possible, but almost unheard of). Including a trailing space in the link for the author’s name…

I agree with Joe that if we consider free gas “monetization”, it could be pretty easy to do. Whatever’s taking these thieves so long—presumably, typing commands—could probably be automated such that they’d just need to have their phone nearby for a few seconds. I imagine a lot of people stand around staring at their phones, or holding them to pumps for near-field-communication payments, so that wouldn’t be suspicious. It doesn’t seem like the attendants watch to see that each person pays, or get any kind of alert when the pump is switched to “free operation”; they just notice someone loitering, or one pump being unusually popular. Drive up, tap your phone, pump your free gas, and reset the pump back to normal before leaving. And maybe avoid the “Detroit police-patrolled ‘Project Green Light’ gas station[s]”, and don’t brag to your friends.

As for Bruce’s comment statement “that the connections are insecure”, is anyone surprised? Of course it’s insecure. It’s always insecure, because what store owner hires pen-testers to evaluate prospective devices? The pumps probably all use the same keys and/or have easily pickable locks, too. Though I’d love to see Bruce post a story about non-consumer embedded software that can be summarized as “…and the developers seem to have done a reasonably good job: we couldn’t find any memory exploits, and the crypto looks reasonable.” If we ever actually find an example like that.

Clive Robinson October 3, 2023 11:58 AM

@ bennie s, ALL,

Re : For retail use can not be secure by default.

“If we ever actually find an example like that.”

We won’t for the simple reason such systems such as e-POS terminals/devices, need to be as inexpensively made as possible.

But also consider there are “Hardware Security Modules”(HSMs) that have cost tens of thousands and supposedly tested against various standards, that are later found to be easily susceptible to often quite simple attacks…

So the old,

“Everything has its price”

Appears to apply to electronic/information security systems as much as it does to anything else…

Joe October 3, 2023 1:09 PM

Peter A
@Joe D: the article says the clerks could clearly see that gas is being dispensed without paymen

Not all stations are manned to that degree at all times of the day. Although I was thinking more of an issue in Europe where there are more self-service stations.

But it is theft nevertheless.

Not Really Anonymous October 3, 2023 4:53 PM

This is a stupid way to steal. The reward versus risk is terrible.
You’d better be filling up a vehicle that doesn’t have a visible license plate that can be associated with you.
This method also competes with just pumping gas out of the tanks in the ground. At least in times past, those weren’t secured.

Mags October 3, 2023 4:58 PM

There was another scam to do with pumping fuel reported fairly widely in the last few weeks, this one low tech. When you are almost finished filling ‘er up, the scammer approaches you and offers to hang up the pump for you, so you can save a couple of seconds of your life. He then doesn’t replace the pump, but offers to fill up the next person’s tank for $10-20, then the next, and the next, all without replacing the pump. All of the fuel pumped goes into one transaction, on your credit card.

lurker October 3, 2023 5:32 PM

@Clive and I were brought up on Radio/Wireless. Many RS232/serial bus designers would not have in front of their minds the basic fact we know: All your signals are visible to us. Even though the product is valuable and becoming more so, pumping gas remains a low margin business. So pump control systems are bought from the lowest bidder, and the spec writers (if any) are also blind to wireless promiscuity.

This story is yet another “Oh no, not again?”

Sean October 3, 2023 6:51 PM

Yes, likely the BT connection was used to “update” the pumps, so they no longer needed to have a conduit from each pump to the payment centre, and could use an off the shelf PC with a BT dongle in it, to emulate all the serial ports needed, instead of needing to use a multidrop RS 232 card, which originally used an ISA bus, and later on PCI, while cheap motherboards no longer provide PCI bus sockets. So you need to spend a few dollars more to get a more upmarket motherboard. No $100 PC you bought from anywhere, but now you need a $200 name brand PC. Plus a $100 card as well.

Would have been a better thing to have gone and gotten a multiple input industrial adaptor, that has typically 3 to 8 RS232 and RS244 inputs, and serves them over ethernet, using a built in tiny web server to set it up, and then a driver on the PC to interface with it to the software, emulating the serial ports almost flawlessly, with only a slight lag. That just needs a single cable pulled down, and a simple switch connection to interface.

Exxon October 3, 2023 6:57 PM

Give me a break. The real criminals are those operating the Gas Pumps (proprietaries). In most countries there is a rounding error being introduced in price per liter, that is basically a tax evasion. Besides that con tactic when prices go up that reflects immediately on stocked material, previously purchased at a lower price. I would say Hack the Planet and Hack a Gas pump.

P Coffman October 4, 2023 5:32 AM

I ordered the latest book.

Sometimes, I do not understand the policy of the site. Sometimes, it is like the software is broken. I thought a recent attempt was not violating anything. OTOH, what are the alternatives?

Ron October 4, 2023 6:02 AM

I just want to know if this technique, or some other, can be used to create an app that I could use to stop those damn ads that some stations force on you.

As a courier I have to use a certain gas station at the end of every shift to top off the car, and I have to enter the car’s odometer and a pin, and those ads can make it hard to keep that string of numbers in short term memory. It’s also just damn annoying. Advertising is so outdated – I actively boycott businesses that advertise, when I can.

And if they could get the key press feedback noise to actually beep when you press the key and not some random time later, that would be great too. How in the heck is key press feedback not immediate?

Jeff Hall October 4, 2023 8:59 AM

I did testing of Wayne and Gilbarco pumps around 2012 and did not see any Bluetooth with them at that time, so this is something new in the industry. However, the keys from gas stations I worked at in high school in the early 1970s still unlocked all of the pumps I tested. Something I have complained to the pump vendors about for years.

As Clive Robinson pointed out, it’s probably some sort of diagnostic access to the pump so that a technician can diagnose issues without dismantling the whole pump to figure out an issue. As usual, whoever was charged with creating the diagnostic port neglected to ensure the security of it and here we are.

That said, the local convenience store just got new pumps, so I’ll have to run a scan of them to see what I can see.

bennie s October 4, 2023 10:51 AM

@ Jeff Hall,

However, the keys from gas stations I worked at in high school in the early 1970s still unlocked all of the pumps I tested.

Dammit! I called it, but I was half-kidding with that “prediction”. Even the average workplace filing cabinet has, like, a set of one hundred possible keys (to its easily-pickable lock with the keycode printed right on it). If they’re that dumb, the attack is probably as simple as logging in with username “admin” and password “admin”.

Jeff Hall October 5, 2023 11:59 AM

I am calling BS on this whole concept.

Just got word back from my contacts that just got back from training at Dover Fueling Solutions (Wayne) and they stated the pumps have ZERO Bluetooth and believe that to be the case with Gilbarco as well. I will not go into all of the specifics about what it takes to get into a pump, but it does involve MFA, so it is not as simple as you would think even if you have a pump key.

I am waiting on confirmation from Gilbarco that their gear also does not have Bluetooth.

I think the reason there is so little information in the news report is because it is NOT true. Bluetooth is just a technological excuse for people stealing gas the old-fashioned way by just stealing it.

BTW The pump manufacturers will change the keys on their pumps but the merchant MUST REQUEST that to be done. Otherwise, the keys sent out are the same keys they have been using since, I guess, day one.

Jeff Hall October 5, 2023 12:01 PM

And as I wrote my last comment word came in from Gilbarco and they also do NOT have any Bluetooth in their gear as well.

So this news report is a total crock. No truth to it.

Dave Barton October 13, 2023 3:51 PM

I just witnessed this today, had someone approach me asking if I wanted my tank filled for $20, I was curious, but paranoid so I didn’t accept, but upon watching him work with others, I could see that he was making the pump tweak out, causing some type of error or putting a code into the pump itself, but this would drop the price down to $0.25 a gallon. I agree with the risk reward not being worth it, but I will admit this was very interesting to witness. I’ve never seen anything like that before.

Christopher Drake October 15, 2023 9:51 PM

Pretty simple to test – run a bluetooth scanner on your phone, and walk around a station when there’s no cars there. Every pump would need one, so they should all show up.

Smells beyond bogus to me though – there’s a lot of rules and laws about safety around fuel vapors, and sticking a radio transmitter in the middle of all that is 99.99% sure to be illegal for safety reasons.

There’s a reason why “no mobile phones” is plastered all over those things (yes, small risk, but, non-zero – hence the laws).

Clive Robinson October 16, 2023 7:24 AM

@ Christopher Drake,

Re : Energy and petrochemicals.

“sticking a radio transmitter in the middle of all that is 99.99% sure to be illegal for safety reasons.”

Actually you can do it…

I’ve been sticking even quite high power radio transmitters in “Hazardous Zones” since the 1980’s, amongst many other “ignition hazard devices”.

Remember you can put arc lights in such areas if you know what you are doing and it was done back in the early 1900’s. Look up the “Davy Lamp”[1] if you want to know the trick behind doing that.

The trick is “managing energy density” to stay on the right side of the curve amongst other things.

For my sins I designed the first 16bit Zone 1 “Remote Telemetry Unit”(RTU) last century, and it’s still in operation in the middle east (and it may well outlive me).

Look up “Intrinsic Safety” and the “Ex” codes and standards.

[1] Sir Humphry Davy invented his safety lamp for miners to prevent the “wick/candle flame lights” they used from igniting “firedamp” back in 1815. Importantly though it indirectly became a hazardous gas detector, because the gases would change the colour of the flame thus if noticed by the users of the lamp give early warning.

https://en.wikipedia.org/wiki/Davy_lamp

A October 20, 2023 8:06 PM

stated the pumps have ZERO Bluetooth and believe that to be the case with Gilbarco as well.

What’s the “pump” here? Just a small device that’s moving – i.e. pumping – the liquid from one place to another, or the whole system that includes the actual pump, displays, control center, buttons, card reader, etc.?

Out of curiosity, checked bluetooth when fueling at the nearest gas station this morning. One of new modern ones with fancy displays and so on. The 4 nearest displays showed up as “[TV] Samsung” under “Other Devices” 🙂
