BREAKING INTO GAS STATIONS
COCON 2016
#WHOAMI
• SURAJ PRATAP
• WORK AS A SR. SECURITY ANALYST
• BOUNTY HUNTER
• WRITE CODE IN FREE TIME
WHY HACK INTO GAS STATION
OUTLINE
• 5000 GAS STATIONS ACROSS THE WORLD CONNECTED TO THE INTERNET DIRECTLY
• 3000 GAUGE METER CONTROLLER CONNECTED TO THE INTERNET DIRECTLY
GAS STATION
NO, THERE ARE A LOT MORE
• POS SYSTEM
• OPT TERMINAL
• PTS CONTROLLER
• DISPENSER
• ATG PROBES
• INTERFACE CONVERTOR
Pic Credit: Nefta
FULLY AUTOMATIC GAS STATIONS
Pic credit: Nefta
COMMUNICATION PROTOCOLS
• DISPENSER
1. S4-DART
2. SPDC-1
3. DEVELCO
4. PUMPCONTROL GC21
5. RS-485 FLEET
6. SS-LAN
7. (TOTAL : 54)
• ATG
1. PD-300 Communication Protocol
2. ENRAF Height protocol
3. HECTRONIC HLS
4. MTS USTD
5. UNIPROBE
6. (total : 21)
HOW THESE COMPONENTS ARE IDENTIFIED (BANNER GRABBING)
• SHODAN 5000 RESULTS (VERY FEW FALSE POSITIVES)
1. PARAMETER: “DIESEL*” RESULT: 1831 DEVICES
2. PARAMETER: “IN-TANK INVENTORY” RESULT: 1,941 DEVICES
3. PARAMETER: “I20100” RESULT: 3374 DEVICES
4. PARAMETER: “SOFTWARE VERSION V6.7.0.1” RESULT: 972 DEVICES
5. PARAMETER: “PBT POWERAGENT” RESULT: 4791 DEVICES
6. PARAMETER: “I20100 JET-A” RESULT: 2 DEVICES (AIRLINE FUEL)
• CENSYS 21000 RESULTS (NUMBER OF FALSE POSITIVES IS A BIT HIGHER)
1. PARAMETER: “GAS STATION” RESULT: 13553 DEVICES
SHODAN
AIRLINE FUEL
CENSYS
ISSUE
• CONFIGURATION ISSUE
• VULNERABLE COMPONENTS
• TELNET CLEAR TEXT – NO SSH
• REVERSE ENGINEERED
• LOGS ARE STORED ON THE DEVICE ITSELF (SOMETIMES PUBLICLY ACCESSIBLE)
CONFIGURATION ISSUE
• NO ACCOUNT LOCKOUT (BOTH WEB AND COMMAND)
• 60% TELNET DIRECT ACCESS
• 30% DEFAULT CREDENTIALS
• CONFIGURATION FILE ACCESSIBLE
DEMO TIME
VULNERABLE COMPONENTS
• DOS
• SOMETIMES AN NMAP SCAN (UDP SCAN) IS MORE THAN ENOUGH FOR A DOS ATTACK
• PERMANENT DOS
• LIGHTWEIGHT HTTP SERVERS
• VULNERABLE TFTP
REVERSE ENGINEERED
• REALLY EASY TO PERFORM REVERSE ENGINEERING
1. THEY USE A CUSTOM PACKAGING METHODOLOGY (SECURITY BY OBSCURITY)
2. FARK TOOL HELPS IN BREAKING CUSTOM PACKAGING
3. TOOLS USED {RADARE2, RASM2 (DISASSEMBLER), RAX2 (CONVERT B/W FORMATS)}
• CREDENTIALS ARE HARD-CODED (USED FOR UPDATE)
LOGIN & UPDATE FIRMWARE
PATCH
• SOME VENDORS DON’T KNOW
• A FEW VENDORS RARELY (VERY RARELY) APPLY PATCHES
GAUGE METERS & PTS CONTROLLER ARE USED IN
• GAS STATIONS
• THERMAL PLANTS
• NUCLEAR PLANTS
• GAS REFINERY
• AND MANY MORE
• MANY THINGS DEPEND ON THE OUTPUT OF THESE DEVICES.
PROFIT
• DISPENSER SENDS READING TO PTS CONTROLLER
• PTS SENDS READING TO OPT
• CAPTURING TRAFFIC BETWEEN OPT AND PTS CONTROLLER IS EASY
• PETROL FOR FREE.
FIXES
• PATCH
• SEGREGATE THE NETWORK
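An added example (not from the original slides): a Python check over an inventory export of address space you operate, flagging devices whose banners match the strings on the banner-grabbing slide and that sit outside the segregated segment or expose a cleartext service. The `OT_SEGMENT` range, the row format and the sample rows are assumptions constructed for illustration.

```python
import ipaddress

# Banner strings listed on the banner-grabbing slide.
ATG_KEYWORDS = ("IN-TANK INVENTORY", "I20100", "PBT POWERAGENT")
# Cleartext services named on the issue slides.
CLEARTEXT = {23: "telnet", 69: "tftp"}
# Assumption: the segregated network that fuel devices are supposed to live in.
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")

# Constructed rows, as exported from a scan of address space you own.
SAMPLE_INVENTORY = [
    {"ip": "203.0.113.10", "port": 23, "banner": "I20100\r\nIN-TANK INVENTORY\r\nTANK 1 DIESEL"},
    {"ip": "10.20.0.5", "port": 23, "banner": "I20100 IN-TANK INVENTORY"},
    {"ip": "198.51.100.7", "port": 22, "banner": "SSH-2.0-OpenSSH_8.9"},
    {"ip": "203.0.113.44", "port": 80, "banner": "Server: PBT PowerAgent"},
]


def matches_page_keywords(banner):
    """True when the banner contains one of the strings from the slide."""
    upper = banner.upper()
    return any(keyword in upper for keyword in ATG_KEYWORDS)


def audit(inventory):
    """Return one finding per matching device that violates a fix from the deck."""
    findings = []
    for row in inventory:
        if not matches_page_keywords(row["banner"]):
            continue  # not one of the device types this deck covers
        issues = []
        # "SEGREGATE THE NETWORK": device must live inside the OT segment.
        if ipaddress.ip_address(row["ip"]) not in OT_SEGMENT:
            issues.append("outside segregated segment")
        # "TELNET CLEAR TEXT - NO SSH" / "VULNERABLE TFTP".
        if row["port"] in CLEARTEXT:
            issues.append("cleartext " + CLEARTEXT[row["port"]])
        if issues:
            findings.append({"ip": row["ip"], "port": row["port"], "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(f"{finding['ip']}:{finding['port']}  {', '.join(finding['issues'])}")
```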
SPECIAL THANKS
• ANIRUDH DUGGAL
REFERENCES
• WWW.SHODAN.IO
• HTTPS://WWW.CENSYS.IO/
• HTTPS://EN.WIKIPEDIA.ORG/
• HTTP://WWW.DELIVERYPRODUCTS.COM/
• HTTP://WWW.EMERSONPROCESS.COM/
• HTTP://WWW.GAUGINGSYSTEMSINC.COM/
• HTTP://RAPIDSCADA.ORG/