IoT security: Now dark web hackers are targeting internet-connected gas pumps

As more and more devices get connected to the Internet of Things, researchers say compromising pumps has become a hot topic on cyber criminal forums.
Written by Danny Palmer, Senior Writer

Cyber criminals are increasingly turning their attention to hacking Internet of Things devices as connected products proliferate – and there's one smart device in particular that is catching hackers' attention.

While routers remain the top target for IoT-based cyberattacks, there's a lot of discussion in underground forums about compromising internet-connected gas pumps.

This new target was uncovered by researchers at Trend Micro, which carried out an examination of dark web marketplaces in five different languages – Russian, Portuguese, English, Arabic, and Spanish.


The Internet of Things in the Cybercrime Underground report describes how the Russian market is the most sophisticated of the underground communities and one in which cyber criminals are keen to make money from attacks and exploits.

One way this is already being achieved is by hackers selling modified smart meters, following on from Russian government legislation mandating that all electricity meters in the country should be replaced by online smart meters.

Criminals are already modifying the firmware of these devices – although currently these alterations appear to be based around exploiting the devices to trick them into recording lower readings, meaning users will have lower bills.

However, users of Russian underground forums are also requesting information on how to hack gas pumps, with tutorials available on the inner workings of commercial pumps, including those with programmable logic controllers. These controllers are often found in factories and other industrial environments and can be used to help with managing equipment remotely.

Researchers also note that posts on gas pump hacking frequently appear in Portuguese-language forums, even featuring an in-depth, step-by-step technical tutorial on how to hack gas pumps for Brazilian users. In one case, a user demonstrates how they were able to remotely change the name of a pump.

While it's possible that these attacks are being discussed for similar reasons to those on smart meters – to receive resources at a cheaper price – it's entirely possible that gas pumps could be compromised for more destructive purposes.

Like any unsecured connected device, there's the possibility that internet-facing gas pumps could be roped into botnets for use in Distributed Denial of Service (DDoS) attacks, with attackers using them to help overload online services.

However, a previous Trend Micro report outlines how remotely accessible and unsecured gas pumps could be abused by hackers to cause errors or physical damage – and the rise in interest in gas pumps could mean that attacks like this are on the way.

"There are a number of additional threat scenarios that could possibly play out. This includes reconnaissance to find out the delivery schedule, extortion that involves blocking the owner's access in exchange for a certain sum, and even sabotaging the gas pump by adjusting tank limits so that it overflows," Bharat Mistry, principal security strategist at Trend Micro, told ZDNet.

The report also warns that IoT attacks remain in their early stages and with billions more devices expected to enter homes and workplaces over the coming years – especially as 5G helps provide faster, more reliable connections for devices – cyber criminals will increasingly turn to IoT as a means of attack.


However, there are ways to help protect gas pumps and similar devices, even if they're connected to the internet, including ensuring that devices have their default passwords changed, so brute-force attacks aren't as effective.

"Operators of these devices should also think about using features such as VPNs to encrypt the traffic, and mutual authentication, whereby both the device and the user validate one another before continuing," said Mistry.

"That's not to mention software must continuously be updated and patched, and operators should always have a manual override at the ready in case of a compromised machine," he added.

