Petrol stations left wide open to security flaw, says Kaspersky

String of security flaws found in embedded fuel station controller running Linux

Service stations around the world have been left exposed to cyber attacks as a result of a security vulnerability that operators have failed to address for a decade or more.

Researchers at Kaspersky Lab said they found a string of security flaws in an embedded fuel station controller, with more than 1,000 of these devices currently active.

They have since contacted the manufacturer, but this problem may have existed for years. Ido Naor, senior security researcher at Kaspersky Lab, led the study.

After researching devices with open connections to the internet, he came across the controller. It has been used in service stations for more than a decade.

Running on the Linux operating system, it runs on high privileges and can easily fall victim to attacks. Hackers can do a variety of things, including monitoring and configuring service station settings.

They have to bypass the login screen first, but once this is overcome at attacker enjoys full system privileges. Hackers can shut down systems, change fuel prices, steal money, remotely execute code and move freely within the network.

Kaspersky explained that the research is still ongoing, although it has reported its fundings to MITRE and other organisations that may be affected.

The Russia-based cyber security firm urged "manufacturers of connected internet-of-thing devices to consider the security of their products from the very first moment of development and design".

It added that they should also "review legacy devices for possible security vulnerabilities", and "users of connected devices are urged to review regularly the security of these devices and not to rely on factory settings".

Naor said there could be devastating consequences if hackers managed to control of a service station.

"When it comes to connected devices it is easy to focus on the new and to forget about products installed many years ago that might be leaving the business wide open to attack," said Naor.

"The damage that could be done by sabotaging a petrol station doesn't bear thinking about. We have shared our findings with the manufacturer."