BREAKING INTO GAS STATIONS

COCON 2016

#WHOAMI

• SURAJ PRATAP• WORK AS A SR. SECURITY ANALYST• BOUNTY HUNTER• WRITE CODE IN FREE TIME•

WHY HACK INTO GAS STATION

OUTLINE

• 5000 GAS STATIONS ACROSS THE WORLD CONNECTED TO THE INTERNET DIRECTLY

• 3000 GAUGE METER CONTROLLER CONNECTED TO THE INTERNET DIRECTLY

GAS STATION

NO THERE ARE LOT MORE

• POS SYSTEM• OPT TERMINAL• PTS CONTROLLER• DISPENSER• ATG PROBES• INTERFACE CONVERTOR

Pic Credit: Nefta

FULLY AUTOMATICGAS STATIONS

Pic credit: Nefta

COMMUNICATION PROTOCOLS

• DISPENSER1. S4-DART2. SPDC-13. DEVELCO4. PUMPCONTROL GC215. RS-485 FLEET6. SS-LAN7. (TOTAL : 54)

• ATG 1. PD-300 Communication

Protocol2. ENRAF Height protocol3. HECTRONIC HLS4. MTS USTD5. UNIPROBE6. (total : 21)

HOW THESE COMPONENTS IDENTIFIED (BANNER GRABBING )

• SHODAN 5000 RESULT (VARY FEW FALSE POSITIVE)1. PARAMETER : “DIESEL* “ RESULT : 1831 DEVICES

2. PARAMETER: “IN-TANK INVENTORY” RESULT : 1,941 DEVICES

3. PARAMETER: “I20100” RESULT: “3374” DEVICES

4. PARAMETER : “SOFTWARE VERSION V6.7.0.1” RESULT: “972” DEVICES.

5. PARAMETER: “PBT POWERAGENT” RESULT:”4791” DEVICES

6. PARAMETER: “I20100 JET-A” RESULT: 2 DEVICE.(AIRLINE FUEL)

• CENSYS 21000 RESULT (NO OF FALSE POSITIVE ARE BIT HIGHER)1. PARAMETER : “GAS STATION “  RESULT : 13553 DEVICES

SHODAN

•  

 

AIRLINE FUEL

CENSYS

ISSUE

• CONFIGURATION ISSUE• VULNERABLE COMPONENTS• TENET CLEAR TEXT – NO SSH• REVERSE ENGINEERED• LOGS ARE STORED IN DEVICE ITSELF (SOMETIME PUBLICALLY

ACCESSIBLE)

CONFIGURATION ISSUE

• NO ACCOUNT LOCKOUT (BOTH WEB AND COMMAND)• 60% TELNET DIRECT ACCESS • 30% DEFAULT CREDENTIALS• CONFIGURATION FILE ACCESSIBLE

DEMO TIME

DEMO TIME

VULNERABLE COMPONENTS

• DOS• SOME TIME A NMAP SCAN (UDP SCAN) IS MORE THEN ENOUGH FOR DOS

ATTACK• PERMANENT DOS• LIGHTWEIGHT HTTP SERVERS• VULNERABLE TFTP

REVERSE ENGINEERED

• REALLY EASY TO PERFORM REVERSE ENGINEERING1. THEY USE CUSTOM PACKAGING METHODOLOGY (SECURITY BY

OBSCURITY) 2. FARK TOOL HELPS IN BREAKING CUSTOM PACKAGING 3. TOOL USED {RADARE2, RASM2 (DISSEMBLER), RAX2 (CONVERT B/W

FORMATS)}• CREDENTIALS ARE HARD-CODED (USED FOR UPDATE)

LOGIN & UPDATE FIRMWARE

PATCH

• SOME VENDORS DON’T KNOW • FEW VENDOR RARELY (VARY RARELY) APPLY PATCH

GAUGE METERS & PTS CONTROLLER ARE USED IN

• GAS STATIONS• THERMAL PLANTS• NUCLEAR PLANTS• GAS REFINERY• AND MANY MORE• THERE ARE MANY THINGS DEPENDS ON THE OUTPUT OF THESE DEVICE.

PROFIT

• DISPENSER SEND READING TO PTS CONTROLLER• PTS SEND READING TO OPT• CAPTURE TRAFFIC BETWEEN OPT AND PTS CONTROLLER IS EASY • PETROL FOR FREE.

FIXES

• PATCH• SEGREGATE THE NETWORK

SPECIAL THANKS

• ANIRUDH DUGGAL

REFERENCES• WWW.SHODAN.IO • HTTPS://WWW.CENSYS.IO/ • HTTPS://EN.WIKIPEDIA.ORG/ • HTTP://WWW.DELIVERYPRODUCTS.COM/• HTTP://WWW.EMERSONPROCESS.COM/• HTTP://WWW.GAUGINGSYSTEMSINC.COM/• HTTP://RAPIDSCADA.ORG/