Detroit man steals 800 gallons using Bluetooth to hack gas pumps at station
So, how would this work exactly? For curiosity’s sake.
Not sure about this specific pump but this same thing happened in my town several months back and BT was used then too.
When it happened we found out that the pumps at the station in particular (and probably most) have a BT receiver tied to whatever little processor that runs the pump so either a station manager or someone servicing the pumps can access them with the right equipment, make internal adjustments etc.
In the case that happened locally to us, someone hacked them the same way, then posted to Facebook and other social media sites to come get some free gas, etc.
All the pumps I’ve seen have a physical key protecting them too. They’re supposed to unlock it in the morning and lock it when staff leave for the night. I’d guess these stations didn’t do that?
From everything I know about locks in important places, all pumps probably use the same key. You can probably buy that key online. I know this is true for elevators and those boxes for entering buildings, and Crown Vic police cars (and the taxis they’ve become after being sold), and many other things.
those boxes for entering buildings
do you mean doors ?
I wish he meant doors 😂
Knox Box maybe
It’s a lockbox that is mounted near the door that contains a key to said door or an override used by emergency services such as the fire department. The boxes are all keyed the same.
He likely means card readers.
In buildings in some cities, entry ways for big buildings often have an emergency access box somewhere near the door. If police or the fire department need to gain entry, they have a master key that will let them access the lockbox and the lockbox will contain keys to the door.
I can’t think of the term for them, but they have a keypad and other buttons to call in and unlock the door, often along with things for postal and emergency services to get in if required.
Lol this is not true for Crown Vic cop cars at all. I used to own one. They have car keys just like anything else from the era.
Yes, they do have car keys. They’re all keyed to the same key.
https://www.calguns.net/calgunforum/showthread.php?t=1516023
It’s not all the “same” key like you make it out to be. Yes it’s a fleet vehicle, and yes all vehicles in the same fleet may have the same key. But no, not all ignitions of all Vic cop cars are not the same at all.
Now you’re just being pedantic. Sure, not every one of them used the same key, but each municipality used the same key for their vehicles most of the time. One of them in particular was very common.
I don’t know about that part. Just that it was all over the news when it happened here and I later read about the details as to how they did it.
I would have assumed the makers of the pumps would have put into them a little tighter security but then again look at some of these password and other web hacks we routinely see.
There’s a convergence of issues. First, and probably foremost, users are idiots. So it has to be able to be operated by a 5 year old with a learning disability. Second, implementing security costs money up front. It is cheaper to let the customer deal with the fallout, then do damage control on the cheap, and keep going. Third, users can’t be assed to access things that a 5 year old with learning and physical disabilities and a peanut butter and jelly sandwich in one hand can’t access. These are all typical issues stuff is engineered towards. This is why you see this same basic issue crop up over and over again.
You’d be surprised how many times “good enough” is considered “good enough” when it comes to IT and security, even when it’s really the bare minimum.
Off topic but the right crowd is here, would anyone be interested in starting a hardware security community? Edit: https://lemmy.world/c/hardwarehacking is live! It’s still a work in progress but all are welcome to join.
Be the change you wanna see. If you make it I’ll join it.
Yeah okay.
My hardware knowledge is limited to ruining many sets of alligator chips trying to dump a virus from an infected UEFI/rewrite the chip so that I’d have a usable motherboard and a nasty virus to poke and prod at.
I guess I’ve always managed to set an esxi server to route internet traffic through a PC so my IPS can get at it and drop the bad stuff. Still trying to figure out the SIEM piece.
And smart lights / plugs. Many, many many of those.
I’ve got a decade of experience as an AE in a very techy field though.
If it’s a choice between me and a homeless guy then I’m definitely the guy.
n,o
, 😭 ,
I, don’t, think, i, will, use, c,o,m,m,a,s corrEcTlY Th@nk yœú
🙄
Was this article written by AI, because it’s disjointed as fuck.
I doubt AI would have that poor grammar and spelling.
They asked an intern to rewrite it
That was my thought too
I asked my AI and that was its thought also.
My also thought AI too
Can’t have shit in Detroit… Not even coherent written articles.
Wait so they haven’t caught them yet? The article gave no names. And why do these pumps have Bluetooth? You might as well put in a USB service port.
USB is way safer lol.
Bluetooth is notoriously bad with security. Especially Bluetooth 4 and earlier. I’d put money on a gas station pump’s Bluetooth to not be using the most up to date protocol.
It’s like saying TCP has bad security. That is to say, a pointless comparison. Bluetooth is just a transport layer and security is done at a higher level. This is most likely the classic example of “security through obscurity”. Meaning they did nothing special and hoped no one would figure it out, just like the recent TETRA vulnerability.
Come on now! The pumps required you to enter the secret pairing code: “12345”
You fool! It was 00000, now you’ll never have free gas!
Transport layer is absolutely a security vulnerability vector.
TCP is absolutely low security if not configured correctly.
I don’t know what it is you’re trying to say. I agree that this instance was probably security through obscurity failing, but to say that Bluetooth, TCP, and other transport layer protocols are not security considerations is absolutely ridiculous (see for example, Heartbleed). It’s exactly the reason there are multiple versions of Bluetooth. It’s why FTP is (should be) all but deprecated and SFTP and FTPS are standard. It’s why Google doesn’t index webpages without an SSL certificate.
USB is way safer
Of course a wired connection is inherently safer than wireless. There’s no question about it. And yes you can absolutely exploit at every layer of communication, but this here is not the case of exploiting Bluetooth as a transport layer. It’s simply someone not configuring anything or adding any additional verification and just hoping no one finds out.
Okay, but your claim that my comparing Bluetooth to USB being like comparing Bluetooth to TCP is misinformed at best.
My comment had nothing to do with Bluetooth vs. USB comparison. I only said Bluetooth is a transport layer and claiming it’s “notoriously bad security” is not all that correct since most of the security parts come on top of it. So in many ways Bluetooth is quite similar to TCP, at least from point of communication. From the software point of view, both with Bluetooth and TCP, you create a socket then send and receive data through it. Literally the same interface. Protecting data that goes through either method is meant to be done at that point be it with encryption, identity verification, whatever.
Same thing applies to USB, but being physical it has the added benefit of having to connect to it, but that opens a whole set of new potential issues. So it’s easier to physically protect it, but should that protection fail, you might end up in even more trouble.
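The point made in the comment above (a Bluetooth or TCP socket is just a byte pipe, and verifying who is on the other end is the application's job) can be shown as an added example; it is not part of the thread and not any pump vendor's code. It assumes a per-device secret provisioned out of band, a made-up command name, and uses `socket.socketpair()` as a stand-in for whichever stream transport carries the bytes.

```python
import hashlib
import hmac
import secrets
import socket
import threading

TAG_LEN = 32                      # HMAC-SHA256 output size
COMMAND = b"ENTER_SERVICE_MODE"   # hypothetical command name, for illustration


def _recv_exact(sock, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def send_frame(sock, payload):
    """Length-prefixed framing: 2-byte big-endian length, then payload."""
    sock.sendall(len(payload).to_bytes(2, "big") + payload)


def recv_frame(sock):
    return _recv_exact(sock, int.from_bytes(_recv_exact(sock, 2), "big"))


def build_frame(key, nonce, command):
    """Tag binds the command to this session's nonce: HMAC(key, nonce || command)."""
    return hmac.new(key, nonce + command, hashlib.sha256).digest() + command


def controller_serve_one(sock, key):
    """Device side: send a fresh challenge, accept one command only if its tag verifies."""
    nonce = secrets.token_bytes(16)          # single-use, so old frames cannot be replayed
    send_frame(sock, nonce)
    frame = recv_frame(sock)
    tag, command = frame[:TAG_LEN], frame[TAG_LEN:]
    expected = hmac.new(key, nonce + command, hashlib.sha256).digest()
    if not command or not hmac.compare_digest(tag, expected):  # constant-time compare
        send_frame(sock, b"DENY")
        return None
    send_frame(sock, b"OK")
    return command


def run_session(device_key, client):
    """Run one exchange; `client` plays whoever connected over the transport."""
    dev_sock, peer_sock = socket.socketpair()
    result = {}

    def device():
        result["cmd"] = controller_serve_one(dev_sock, device_key)

    worker = threading.Thread(target=device)
    worker.start()
    try:
        reply = client(peer_sock)
    finally:
        worker.join()
        dev_sock.close()
        peer_sock.close()
    return reply, result.get("cmd")


def demo():
    key = secrets.token_bytes(32)            # constructed per-device secret
    captured = []                            # frames an observer of the link would see

    def legit(sock):                         # service tool that holds the key
        frame = build_frame(key, recv_frame(sock), COMMAND)
        captured.append(frame)
        send_frame(sock, frame)
        return recv_frame(sock)

    def no_key(sock):                        # connected to the transport, but has no key
        recv_frame(sock)
        send_frame(sock, bytes(TAG_LEN) + COMMAND)
        return recv_frame(sock)

    def replay(sock):                        # resends a frame recorded in an earlier session
        recv_frame(sock)
        send_frame(sock, captured[0])
        return recv_frame(sock)

    return {
        "legit": run_session(key, legit),
        "no_key": run_session(key, no_key),
        "replay": run_session(key, replay),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The tag authenticates the command but does not encrypt it, so anything confidential on the link would still need encryption on top.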
You can disable a USB port and require remote SSH to enable it.
USB is way safer.
that’s not how this works
Ah, brilliant. Another expert.
Yes, it is how it works. Cheers.
This is the kind of rigorous debate I’m here for.
At least you can lock a USB port behind an access panel.
This exemplifies Fox - they provided a lengthy article, and a 3 person video with interviews, and yet the listener/reader knows no more about what actually happened than before they began. It’s well-produced hearsay.
Gas pumps have Bluetooth? That’s news to me.
You would be surprised, and then very worried, to find out what things needlessly have Bluetooth.
I saw a guy detail how to hack a house through a fridge.
I get unreasonably angry at salespeople when they brag about Bluetooth and wifi on appliances.
I know I shouldn’t. But wtf do you want your toaster to have internet access?
because idiots with more money than sense think it’s “neat” to pay an extra hundred dollars to be told their toaster is done toasting while they are in the other room, instead of listening for the loud ass KERSHINKLUNK
Wrong. It’s because smart people making toasters realize they can add a $0.50 piece of hardware and charge $100 more for the whole thing now that it’s “IoT enabled”… then have it call back to a server with everyone’s daily toasting routines which they can sell to data aggregators who will “anonymously” derive things like geographic power usage and breakfast hours split by demographics, to allow marketers better target ads at you.
…and they do it because idiots with more money than sense think it’s “neat” to pay an extra hundred dollars blah blah blah.
If the final price was the same, they’d still do it, that statistical data pays for itself. Some idiots wanting to pay extra for the privilege of being tracked… is just a happy coincidence.
Look at what happened to SmartTVs: in the beginning, that “Smart” was an “extra”; now, the TVs without tracking cost extra (and have fewer features).
the only company I know of that still makes dumb TVs is Scepter… Which can be a dice roll, with how they acquire their panels.
besides, Smart TVs are indeed dangerous, but only if you give them an internet connection.
Things like Bluetooth toasters, though? They connect to the internet through your phone via their app, cause “smart” devices like that always require an app to use, so they can send all that data back home.
Imagine eating cold toast because your phone ran out of battery.
I mean I really like getting push notifications when the dishwasher or laundry is done, or the kids leave the fridge door slightly open…but a toaster is a bit excessive. I’m thinking about turning off notifications on my microwave as it is.
When my toaster can put in bread via WiFi, I’ll be using it.
I like my toast on a schedule and one day when they invent the robot that moves the bread from the pantry and into the toaster I’ll have my dream. One Bluetooth device at a time.
Pee Wee Herman had a whole ass breakfast made for him way back in the 80’s.
I have to wonder if they are confusing NFC with Bluetooth? Many newer pumps have smart chip tap pads now. I suspect they have found an exploit for this now.
Maybe they use Bluetooth for management and configuration.
That guy has saved …… so much money! I’m jealous
Is it really theft? Considering how much of his tax dollars have gone to subsidize the oil and gas industry?
Yes, considering the oil company doesn’t own the gas station and still gets paid for the fuel. The person you’re stealing from is the owner of the gas station who purchases the fuel and then in many areas sells fuel with very low margin in hopes of you coming into the store for snacks and drinks to make money on higher margin products. So even if they are selling a large amount of fuel, they aren’t making a lot of profit to make up for the theft.
Yes
I mean, that already is used to significantly lower at-the-pump gas prices from what they actually are, and raising gas prices is an easy way to lose an election in America, so that probably won’t change. Notice that in many other countries gas prices are way higher than in the US.
How much is it in the US right now? In Germany it is around $9 per gallon.
In my area it’s around $3.20
Depends on the cost of living and state taxes in an area. Usually it’s $3.50-$5.00 a gallon/~4 liters. At the gas stations in Germany on American military bases it’s about $4.50 a gallon right now.
arent yall making NEW coal strip mines lol
Good point
User name checks out.
The grammar in this article is horrendous. It’s almost as if Fox isn’t a reputable source for news!
This article has so few details. How do we think they’re pulling this off? Phones? A Flipper maybe? And then what?
possession of flippers and 🐬 is illegal and punishable by up to 25 years to life /s adly
Bullshit. The world’s a big place and your rules don’t apply here
I was being sarcastic man, I apologize for not clarifying, but I’m pretty sure it’s true in a municipality.
I was also confused by the commenter waking up on the wrong side of the bed
Lol
Huh? Where?
Some places let you pump THEN pay inside. You could just fill and leave. Is that not basically the same thing? They can catch them the same way.
This is every petrol station in Australia, don’t think I’ve ever seen anybody do a runner, not like it’s hard to catch up.
It’s how it used to work in most of the US. Every once in a while, you’d be in a rough area and have to pay ahead of time but it was rare. When they switched to credit/debit cards, it generally became “Pay inside if you can’t use a card.”
It wasn’t much of a problem even when crime peaked in the U.S. (late 80’s and 90’s) and you could theoretically get away with it. Gas stations have always had security cameras.
Australian pumps all have the capability to pay at the pump.
It’s almost always restricted to fleet buyers (taxis, delivery vans, etc). If you’re a regular consumer they force you to walk past a tasty array of chocolates and other addictive high margin products before you’re allowed to pay. They even give you a couple bucks off your gas if you spend ten bucks on chocolate.
Sold! Lol, I’m just that into chocolate.
I’m sure I’ve seen ads at the pump to pay with apps though?
This is very much the default in the Netherlands. Yes theft happens, but your license plate will be clearly visible on CCTV meaning you will get a visit by police soon after.
Yeh, thinking the same thing. The reg is what gives it away.
Not if it’s a stolen car, a car without plates in some area where they aren’t likely to be caught, or one of those cars that has that thing that can change numberplates.
The car with the changeable numberplate would be harder to catch if it was a super common car in the area as well
So that’s how Bond managed to fill up the DB5 on a civil servant’s salary.
all those things are risky as fuck with police AI number plate recognition these days. it would take no time at all to track someone down over $50 theft
$50 for the gas theft… how much for the tampering with government mandated ID, or whatever they’d call swapping plates?
exactly. it’s a crime from a different era, risks far outweigh reward now
4$ per gallon that’s approximately 1$ per litre.
I hope it will at least double for you so you know what it’s like to pay for petrol in Europe…
I hope it will at least double to shock the system into prioritizing clean energy.
Ah yes, hurt the poor people to make the rich wake up. That’ll definitely work!
That would be quite a boost on top of how cheap solar is getting. Just need a good and cheap storage solution for the grid to run on more and more solar later and later into the evening.
That’s a lovely idea but I don’t even have money to buy a newly made car. Where am I supposed to get money for a significantly more expensive (price and repair cost) and unreliable electric car? Now I can repair my car on my own cause it’s old and easy, also easy to refill. Electric cars are not the way. Also it’s not as green as everybody thinks…
The perspective is fun, buying a new car in Denmark is a big investment, for many people it’s around what they make in a year after taxes, and even then it’s a relatively small car. I’m not saying electric is the golden bullet people want it to be, far from it as of right now, but we need to change something in order to have a chance of saving ourselves from destroying the planet. Perhaps a higher fuel cost will incentivize smaller cars, and thus better mileage, for our American friends?
Something needs to happen to get us Americans off of the ridiculously oversized and overpriced pickups.
Oh, I definitely agree with that one. Sometimes there is a genuine need for a car of that size, but whether it being media propaganda or not, I feel like there is a lean towards cars of that class, and usually not in a “I need this for a specific purpose, and not just to show the world how small my donger is” kind of way.
You guys have cheap gas and cars in comparison to my country (the Czech Republic) considering the average wage, which is ~ 22 200$ here. And the prices of cars (and mostly everything) are higher here than in the USA. Whole last year we had inflation of 17% and now it’s not particularly lower.
Our politicians instead of aiding people are taking money from them in taxing more basic stuff like water, food and also more tax on income, taking money from elderly people, not supporting families (it’s cheaper here to not be married) while raising their salaries and buying fcking military planes and gear in value higher than is our yearly GDP.
When people demonstrate in Prague on the main square (usually over 100k people, which is 1% people of our whole country, 2x quarterly) their bought mainstream media mitigate the impact and label the people as pro-Russian idiots, even though the demonstration is about unhappiness of people with government not about Russia at all.
Our government is led by a party which didn’t even win the elections, not even close. They put together 5 parties (of which other 4 basically betrayed their voters by merging with the other parties of different ideas) to create a majority in order to do as they wish.
They created new laws like that nobody in parliament can talk for more than 5 minutes cause they didn’t like obstructions from other parties to fight their program. They don’t even talk to unions and take interviews anymore about topics which mostly concern the people.
It’s as bad as it sounds…
Over half of Americans live paycheck-to-paycheck. Between sky high rent/mortgage, student loans and medical bills, getting a new car is often unrealistic.
The point of expensive fuel is to stop manufacturers from making gas guzzling monstrosities. If fuel was $2 a litre would you be looking for a tiny-penis truck or a more efficient car?
Manufacturers follow the market
I drive around a country the size of Texas in a 1.2 litre hatchback and have no issues with that
Fuel just went over $3 a litre here.
Apparently the small dick energy of ute owners offsets the cost, they’ve never been more popular
Electric cars will become cheaper and hit the used car market once they become more common.
There already is a used market. Old evs with ranges between 75 and 100 miles can be had for less than $10k. For any homeowners already driving 2 cars, using one of these for daily commutes and local errands makes a lot of sense.
I’m sorry but I don’t want a used EV. The battery will be degraded and buying a new one is like buying a new cheap petrol car. If you don’t buy a new one, you’ll have a shitty range, which is already shitty and heavily exaggerated by manufacturers, especially in high and low temps which are for example in Europe where I live almost 50% time of whole year. There is no infrastructure to charge EV cars and it’s decades away from being built, especially in my country.
If EVs should be reality it has to have range at least 600km in worst temp scenario while being able to charge fully in 15 mins tops.
And even then I wouldn’t want it. I wanna have a car which I can easily repair myself, without electrical shenanigans and bullshit like changing the whole fcking light instead of just the bulb, or having to ask to access software of my car, jeez…
I don’t want my car to have displays instead of buttons. I don’t even understand how that can be legal, when you obviously don’t watch the road to adjust fcking air conditioning. Or that stupid hold the line function which the car at my work has. You can’t even turn that shit off and it steers instead of you. When I overtake a cyclist it’s a living nightmare, and not talking about the state of roads which have like multiple lines over and the car is fcked.
I’m 29 and I don’t want to have over-electronised everything…
Europe […] There is no infrastructure to charge EV cars and it’s decades away from being built, especially in my country.
Which country is that?
Just the other day I got a taxi trip in a Tesla, with a guy showing photos of how he’d gone from Spain to Ukraine with a bunch of other Tesla taxi drivers to bring back some refugees. That sounds like he could get a recharge, across most of Europe?
So much wrong with this one.
But on the “i can’t afford” one. Yes, you might not be able to afford a new electric car. They are a luxury still and will probably stay that until we see enough teslas on the used market.
But you also don’t have to buy a new car. If you cannot afford your car right now and doubling the gas prices will worsen that condition then something entirely different is wrong. Might be multiple things. Either you are American and you live in a nice-ish house in the suburbs: Your politicians and the car industry have failed you for a long time. I would say go vote but I doubt that even a fully dem senate and ruling party would change a lot.
Might be that you don’t earn enough money at all. This one is a bad one, because it means your politicians have failed you deeply. Again, voting might change it a bit to the better but if you cannot demand a bigger wage to fund your only way to get to work then you’re out of luck. Even if you could buy an electric now, it would not save you any money if you don’t or can’t change something else drastically.
Drive less, earn more, move closer to work if that’s even possible.
I get what you’re saying, but I’m not sure you realize just how much that would hurt people. Europe is much more densely concentrated and has far better public transit options. Many parts of the US are extremely rural. My nearest grocery store is a 30 minute drive away. There are no stores in walking distance at all. There are no sidewalks. There are no busses, trains, or cabs in my area, and that is not wildly uncommon.
If costs of gas doubled, at least without viable alternatives, it would absolutely bankrupt people. And it would disproportionately impact poor people in rural areas, where 30-60 minutes of driving is a common commute. While it varies by state, the federal minimum wage in the US is $7.25/hour. Many people commute for work, and an hour drive one way is also not uncommon.
Let’s take 7.25 an hour x 40 hours = $290 before taxes.
We’ll keep it simple and say a person uses only 1 gallon of gas per day to get to and from work which, at $8 a gallon x 5 days a week = $40. Just that travel to and from work and no other travel at all (or maintenance on the vehicle) would be 14% of pre-tax income.
So many things need to change so I understand the perspective, but I think it’s really important to consider the widespread impact. Obviously the US has a lot of issues contributing to this situation.
petrol is about 1.5x the price in Australia compared to America with similar geographies to deal with
Geography maybe, but the population distribution is still quite different.
yeah, if anything we are more spread out in Australia
I agree but will counter, maybe people should be prioritizing buying motorcycles and heated jackets over trucks and SUVs that make up 80% of new sales. I think gas price should be based off mpg MORE than now. If you get 15 mpg then you pay 15 per gallon. Get 30mpg you pay 7 per gallon. Only exceptions are for vehicles used for operational work, not commuting.
maybe people should be prioritizing buying motorcycles and heated jackets
Tell me you’ve never been to the US without telling me.
I’m an avid motorcycle rider. I’ve been riding for over 20 years. I’ve ridden in all sorts of weather. I once had to lie in a muddy ditch next to my harley while the tornado went by. More than once I’ve ridden 30 miles (48.6 kilometers for those who can’t multiply by 1.62) in the snow.
The issue is, snow, ice, and tornadoes aren’t good for most people on a motorcycle. I’m one of the few completely crazy people who does ride in all weather. But the US is a place with some pretty crazy weather, and many parts of the country are too cold or too icy to ride in for half the year. So even if we collectively bought a Grom and a nice riding suit with a heated vest, most people couldn’t ride it for a big chunk of the year.
A much better suggestion, until we can get some sort of public transport, is small cars, but every time someone makes a small economy car in the US, most people act like it’s an affront to their very testicles and they spend a weirdly large chunk of their time complaining about said cars, even if they don’t own one. For examples, see opinions on: Toyota Prius, Chevy Spark, Mitsubishi Mirage.
I mean that was exactly my point. I lived in Denver and NY and I don’t ride under 35 degrees F unless it’s only 5 min. Going carless wasn’t my real recommendation, but it’s a huge answer for a huge swath of population. I live in SoCal now and it’s trucks and SUVs as far as the eye can see. And if even this crowd is going to downvote me, then it’s even more dire than I realized. People are crazy car centric, and it’s an irresponsible way to live.
That’s a fair counter, and I definitely agree there are many things that could be changed to improve the situation. I also think the US needs to move away from large vehicles, and it’s a huge problem that so many people are purchasing vehicles that get poor mileage and are ultimately bad for the environment.
I would argue though that there are some issues with the motorcycle suggestion. First, in many areas of the country it’s only feasible to ride a motorcycle about half the year due to weather. In the New England area, it’s only feasible in the summer. Otherwise, the snow and ice make it far too dangerous. Plus, if you have a family/children, then you also need some kind of car, so now you have to buy, register, inspect, and maintain two vehicles. There are also costs for getting a motorcycle endorsement on your license and an additional fee each time you renew your license to maintain that motorcycle endorsement on your license.
The problem with the “pay per mpg” would be older cars. I used to drive a very old car with very bad gas mileage. I also lived in that car. There’s risk of disproportionately impacting people with low income. Of course, that could be countered based off the year of the car, or income, or some other thing – but I’m sure there would be loopholes and other issues there.
Anyways, really interesting topic to consider. Thanks for the respectful discourse!
Good reply, I’d fully support the exception for those living in vehicles and having the cost decay over time like registration does.
As for the cold, that’s only a part of the country for a part of the year. I can buy 2 reliable cars and a motorcycle for the cost of 1 new luxury truck. People want new big and flashy to feel self important, it’s sad. But I guess that acceptance of debt is what keeps America going now idk.
In that case I hope your health care is reformed to imitate what we have here.
they do have some private healthcare don’t they
I wouldn’t wish that on anybody it sucks to pay a lot of money for gas
Canada just north of the border it’s about $1.92/L where I live.
I hope your country multiplies in size to match the US and you can see what it’s like to have to drive long distances.
They do, it’s called the European Union and they have publicly-funded means of transportation through it. They can freely move through the borders of any nation in the Schengen Zone without need of a passport. You can travel through most of Europe by many different means besides automobiles.
Our country is just too stubborn and individualistic to ever elect politicians that would see through the time and money required for the types of projects needed to make the US no longer reliant on cars and trucks. On top of that, it could take decades. Say if we ever did, it would just get shut down when the next conservative blowhard convinces enough people that it isn’t worth it.
Long term projects like that just aren’t in the cards for the US any more.
Yeah, no shit. Not surprised no one here grasps concepts that aren’t spelled out in blinking neon but my comment wasn’t glorifying American waste. It was mocking their self-centered and needlessly dickish bs. But go off.
fucking clown 🤡 I just can’t aaaaa
Fuck off. I hope the price gets cut in half. It’s expensive enough here
You have 3x higher average yearly salary than in the Czech Republic while having 2x lower price of gas/petrol. And we are considered a developed country… You have nothing to complain about. Get yourself a 1.2 litre hatchback like I have…
I would ban every engine above 2l in citizen commute cars cause there is no need for more power.
Breach Protocol
1C 1C E9 55 55
Why is that even possible?
Because people think security and privacy are a joke, and it’s times like this where it shows.
Is that the Polish train thing where you can literally send an emergency stop command with a walkie talkie?
That is funny lol but annoying for the passengers
Yeah.
Annoying for NATO, moving supplies to Ukraine through Poland, too.
Hardware security is still overlooked a lot in the tech industry, hence there are a ton of hardware and mechanical stuff out there that are made “smarter” but still barely have any security controls. That’s why there’s the saying “The S in IoT stands for security”. Bluetooth in itself is not secure, and they probably have a very basic control where the pump is unlocked remotely via a Bluetooth device.
I very distinctly remember early Bluetooth amongst other interfaces explicitly discussed in college as an example of “enabling things to understand each other, including things that shouldn’t.” It’s up to the developer to protect their data.
There is a problem here that isn’t just a hardware/software issue, it’s a “I’m not gonna worry about it” problem that leads to security issues.