Detroit man steals 800 gallons using Bluetooth to hack gas pumps at station

    • Erasmus@lemmy.world · ↑63 · 1 year ago

      Not sure about this specific pump but this same thing happened in my town several months back and BT was used then too.

      When it happened we found out that the pumps at the station in particular (and probably most) have a BT receiver tied to whatever little processor that runs the pump so either a station manager or someone servicing the pumps can access them with the right equipment, make internal adjustments etc.

      In the case that happened locally to us, someone hacked them the same way, then posted to Facebook and other social media sites to come get some free gas, etc.

      • abhibeckert@lemmy.world · ↑12 ↓1 · 1 year ago (edited)

        All the pumps I’ve seen have a physical key protecting them too. They’re supposed to unlock it in the morning and lock it when staff leave for the night. I’d guess these stations didn’t do that?

        • Cethin@lemmy.zip · ↑17 ↓1 · 1 year ago

          From everything I know about locks in important places, all pumps probably use the same key. You can probably buy that key online. I know this is true for elevators and those boxes for entering buildings, and Crown Vic police cars (and the taxis they’ve become after being sold), and many other things.

            • youstolemyname@lemmy.world · ↑4 · 1 year ago (edited)

              It’s a lockbox that is mounted near the door that contains a key to said door or an override used by emergency services such as the fire department. The boxes are all keyed the same.

            • Cethin@lemmy.zip · ↑1 · 1 year ago

              I can’t think of the term for them, but they have a keypad and other buttons to call in and unlock the door, often along with things for postal and emergency services to get in if required.

          • thoughtorgan@lemmy.world · ↑1 ↓2 · 1 year ago

            Lol this is not true for Crown Vic cop cars at all. I used to own one. They have car keys just like anything else from the era.

              • thoughtorgan@lemmy.world · ↑1 · 1 year ago

                It’s not all the “same” key like you make it out to be. Yes it’s a fleet vehicle, and yes all vehicles in the same fleet may have the same key. But no, not all ignitions of all Vic cop cars are not the same at all.

                • Cethin@lemmy.zip · ↑2 ↓1 · 1 year ago

                  Now you’re just being pedantic. Sure, not every one of them used the same key, but each municipality used the same key for their vehicles most of the time. One of them in particular was very common.

    • Fungah@lemmy.world · ↑1 · 1 year ago

      Yeah okay.

      My hardware knowledge is limited to ruining many sets of alligator clips trying to dump a virus from an infected UEFI/rewrite the chip so that I’d have a usable motherboard and a nasty virus to poke and prod at.

      I guess I’ve always managed to set an esxi server to route internet traffic through a PC so my IPS can get at it and drop the bad stuff. Still trying to figure out the SIEM piece.

      And smart lights / plugs. Many, many many of those.

      I’ve got a decade of experience as an AE in a very techy field though.

      If it’s a choice between me and a homeless guy then I’m definitely the guy.

  • Lutra@lemmy.world · ↑31 · 1 year ago

    This exemplifies Fox - they provided a lengthy article, and a 3 person video with interviews, and yet the listener/reader knows no more about what actually happened than before they began. It’s well-produced hearsay.

    • wildginger@lemmy.myserv.one · ↑21 · 1 year ago

      You would be surprised, and then very worried, to find out what things needlessly have bluetooth

      I saw a guy detail how to hack a house through a fridge.

      • Potatos_are_not_friends@lemmy.world · ↑14 · 1 year ago

        I get unreasonably angry at salespeople when they brag about Bluetooth and wifi on appliances.

        I know I shouldn’t. But wtf do you want your toaster to have internet access?

        • A_Random_Idiot@lemmy.world · ↑4 · 1 year ago

          because idiots with more money than sense think it’s “neat” to pay an extra hundred dollars to be told their toaster is done toasting while they are in the other room, instead of listening for the loud ass KERSHINKLUNK

          • jarfil@lemmy.world · ↑2 · 1 year ago

            Wrong. It’s because smart people making toasters realize they can add a $0.50 piece of hardware and charge $100 more for the whole thing now that it’s “IoT enabled”… then have it call back to a server with everyone’s daily toasting routines which they can sell to data aggregators who will “anonymously” derive things like geographic power usage and breakfast hours split by demographics, to allow marketers better target ads at you.

            • A_Random_Idiot@lemmy.world · ↑1 · 1 year ago

              …and they do it because idiots with more money than sense think it’s “neat” to pay an extra hundred dollars blah blah blah.

              • jarfil@lemmy.world · ↑1 · 1 year ago (edited)

                If the final price was the same, they’d still do it, that statistical data pays for itself. Some idiots wanting to pay extra for the privilege of being tracked… is just a happy coincidence.

                Look at what happened to SmartTVs: in the beginning, that “Smart” was an “extra”; now, the TVs without tracking cost extra (and have fewer features).

                • A_Random_Idiot@lemmy.world · ↑2 · 1 year ago

                  the only company I know of that still makes dumb TVs is Scepter… Which can be a dice roll, with how they acquire their panels.

                  besides, Smart TVs are indeed dangerous, but only if you give them an internet connection.

                  Things like Bluetooth toasters, though? They connect to the internet through your phone via their app, cause “smart” devices like that always require an app to use, so they can send all that data back home.

        • RagingRobot@lemmy.world · ↑3 · 1 year ago

          I like my toast on a schedule and one day when they invent the robot that moves the bread from the pantry and into the toaster I’ll have my dream. One Bluetooth device at a time.

        • jasondj@ttrpg.network · ↑4 ↓1 · 1 year ago (edited)

          I mean I really like getting push notifications when the dishwasher or laundry is done, or the kids leave the fridge door slightly open…but a toaster is a bit excessive. I’m thinking about turning off notifications on my microwave as it is.

    • WashedOver@lemmy.ca · ↑11 ↓1 · 1 year ago

      I have to wonder if they are confusing NFC with Bluetooth? Many newer pumps have smart chip tap pads now. I suspect they have found an exploit for this now.

    • lud@lemm.ee · ↑3 · 1 year ago

      Maybe they use Bluetooth for management and configuration.

  • Eezyville@sh.itjust.works · ↑25 ↓1 · 1 year ago

    Wait so they haven’t caught them yet? The article gave no names. And why do these pumps have Bluetooth? You might as well put in a USB service port.

    • foggy@lemmy.world · ↑35 ↓9 · 1 year ago

      USB is way safer lol.

      Bluetooth is notoriously bad with security. Especially Bluetooth 4 and earlier. I’d put money on a gas station pump’s Bluetooth to not be using the most up to date protocol.

      • MeanEYE@lemmy.world · ↑44 ↓6 · 1 year ago

        It’s like saying TCP has bad security. That is to say, pointless comparison. Bluetooth is just transport layer and security is done on higher level. This is most likely the classic example of “security through obscurity”. Meaning they did nothing special and hoped no one will figure it out, just like recent TETRA vulnerability.

        • foggy@lemmy.world · ↑16 ↓4 · 1 year ago (edited)

          Transport layer is absolutely a security vulnerability vector.

          TCP is absolutely low security if not configured correctly.

          I don’t know what it is you’re trying to say. I agree that this instance was probably security through obscurity failing, but to say that Bluetooth, TCP, and other transport layer protocols are not security considerations is absolutely ridiculous (see for example, Heartbleed). It’s exactly the reason there are multiple versions of Bluetooth. It’s why FTP is (should be) all but deprecated and SFTP and FTPS are standard. It’s why Google doesn’t index webpages without an SSL certificate.

          USB is way safer

  • A_Random_Idiot@lemmy.world · ↑36 ↓14 · 1 year ago

    Is it really theft? Considering how much of his tax dollars have gone to subsidize the oil and gas industry?

    • Kentronix@lemmy.world · ↑20 · 1 year ago (edited)

      Yes, considering the oil company doesn’t own the gas station and still gets paid for the fuel. The person you’re stealing from is the owner of the gas station who purchases the fuel and then in many areas sells fuel with very low margin in hopes of you coming into the store for snacks and drinks to make money on higher margin products. So even if they are selling a large amount of fuel, they aren’t making a lot of profit to make up for the theft.

    • angstylittlecatboy@reddthat.com · ↑6 · 1 year ago

      I mean, that already is used to significantly lower at-the-pump gas prices from what they actually are, and raising gas prices is an easy way to lose an election in America, so that probably won’t change. Notice that in many other countries gas prices are way higher than in the US.

  • mulcahey@lemmy.world · ↑21 · 1 year ago

    This article has so few details. How do we think they’re pulling this off? Phones? A Flipper maybe? And then what?

  • therealrjp@lemm.ee · ↑21 · 1 year ago

    The grammar in this article is horrendous. It’s almost as if Fox isn’t a reputable source for news!

  • beaubbe@lemmy.world · ↑14 ↓2 · 1 year ago

    Some places let you pump THEN pay inside. You could just fill and leave. Is that not basically the same thing? They can catch them the same way.

    • Selmafudd@lemmy.world · ↑15 ↓1 · 1 year ago

      This is every petrol station in Australia, don’t think I’ve ever seen anybody do a runner, not like it’s hard to catch up

      • ShittyBeatlesFCPres@lemmy.world · ↑9 · 1 year ago

        It’s how it used to work in most of the US. Every once in awhile, you’d be in a rough area and have to pay ahead of time but it was rare. When they switched to credit/debit cards, it generally became “Pay inside if you can’t use a card.”

        It wasn’t much of a problem even when crime peaked in the U.S. (late 80’s and 90’s) and you could theoretically get away with it. Gas stations have always had security cameras.

        • abhibeckert@lemmy.world · ↑6 · 1 year ago (edited)

          Australian pumps all have the capability to pay at the pump.

          It’s almost always restricted to fleet buyers (taxis, delivery vans, etc). If you’re a regular consumer they force you to walk past a tasty array of chocolates and other addictive high margin products before you’re allowed to pay. They even give you a couple bucks off your gas if you spend ten bucks on chocolate.

    • sndrtj@feddit.nl · ↑6 · 1 year ago

      This is very much the default in the Netherlands. Yes theft happens, but your license plate will be clearly visible on CCTV meaning you will get a visit by police soon after.

    • TK420@lemmy.world · ↑45 · 1 year ago

      Because people think security and privacy are a joke, and it’s times like this where it shows.

    • edric@lemm.ee · ↑20 · 1 year ago

      Hardware security is still overlooked a lot in the tech industry, hence there are a ton of hardware and mechanical stuff out there that are made “smarter” but still barely have any security controls. That’s why there’s the saying “The S in IoT stands for security”. Bluetooth in itself is not secure, and they probably have a very basic control where the pump is unlocked remotely via a bluetooth device.

      • peopleproblems@lemmy.world · ↑7 · 1 year ago

        I very distinctly remember early Bluetooth amongst other interfaces explicitly discussed in college as an example of “enabling things to understand each other, including things that shouldn’t.” It’s up to the developer to protect their data.

        There is a problem here that isn’t just a hardware/software issue, it’s a “I’m not gonna worry about it” problem that leads to security issues.