this post was submitted on 03 Oct 2023
666 points (97.4% liked)

Technology

59374 readers
6250 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Detroit man steals 800 gallons using Bluetooth to hack gas pumps at station::undefined

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 99 points 1 year ago (1 children)

So, how would this work exactly? For curiosity's sake.

[–] [email protected] 84 points 1 year ago (1 children)

Not sure about this specific pump but this same thing happened in my town several months back and BT was used then too.

When it happened we found out that the pumps at the station in particular (and probably most) have a BT receiver tied to whatever little processor that runs the pump so either a station manager or someone servicing the pumps can access them with the right equipment, make internal adjustments etc.

In the case that happened locally to us. Someone hacked them the same way, then posted to Facebook and other social media sites to come get some free gas, etc.

[–] [email protected] 14 points 1 year ago* (last edited 1 year ago) (4 children)

All the pumps I've seen have a physical key protecting them too. They're supposed to unlock it in the morning and lock it when staff leave for the night. I'd guess these stations didn't do that?

[–] [email protected] 23 points 1 year ago (6 children)

From everything I know about locks in important places, all pumps probably use the same key. You can probably buy that key online. I know this is true for elevators and those boxes for entering buildings, and Crown Vic police cars (and the taxis they've become after being sold), and many other things.

[–] [email protected] 15 points 1 year ago (7 children)

those boxes for entering buildings

do you mean doors ?

[–] [email protected] 9 points 1 year ago

I wish he meant doors 😂

load more comments (6 replies)
load more comments (5 replies)
load more comments (3 replies)
[–] [email protected] 52 points 1 year ago* (last edited 1 year ago) (7 children)

Off topic but the right crowd is here, would anyone be interested in starting a hardware security community? Edit: https://lemmy.world/c/hardwarehacking is live! It's still a work in progress but all are welcome to join.

load more comments (7 replies)
[–] [email protected] 50 points 1 year ago (4 children)

Was this article written by AI, because it's disjointed as fuck.

[–] [email protected] 20 points 1 year ago (1 children)

I doubt AI would have that poor grammar and spelling.

load more comments (1 replies)
load more comments (3 replies)
[–] [email protected] 36 points 1 year ago

Can't have shit in Detroit... Not even coherent written articles.

[–] [email protected] 32 points 1 year ago (2 children)

Wait so they haven't caught them yet? The article gave no names. And why do these pumps have Bluetooth? You might as well put in a USB service port.

[–] [email protected] 35 points 1 year ago (4 children)

USB is way safer lol.

Bluetooth is notoriously bad with security. Especially Bluetooth 4 and earlier. I'd put money on a gas station pumps Bluetooth to not be using the most up to date protocol.

[–] [email protected] 51 points 1 year ago (2 children)

It's like saying TCP has bad security. That is to say, pointless comparison. Bluetooth is just transport layer and security is done on higher level. This is most likely the classic example of "security through obscurity". Meaning they did nothing special and hoped no one will figure it out, just like recent TETRA vulnerability.

[–] [email protected] 29 points 1 year ago (1 children)

Come on now! The pumps required you to enter the secret pairing code: “12345”

[–] [email protected] 19 points 1 year ago

You fool! It was 00000, now you'll never have free gas!

[–] [email protected] 18 points 1 year ago* (last edited 1 year ago) (11 children)

Transport layer is absolutely a security vulnerability vector.

TCP is absolutely low security if not configured correctly.

I don't know what it is you're trying to say. I agree that this instance was probably security through obscurity failing, but to say that Bluetooth, TCP, and other transport layer protocols are not security considerations is absolutely ridiculous (see for example, heartbleed). It's exactly the reason there are multiple versions of Bluetooth. It's why FTP is (should be) all but deprecated and SFTP and FTPS are standard. It's why Google doesn't index webpages without an SSL certificate.

USB is way safer

load more comments (11 replies)
load more comments (3 replies)
[–] [email protected] 18 points 1 year ago

At least you can lock a usb port behind an access panel

[–] [email protected] 31 points 1 year ago

This exemplifies Fox - they provided a lengthy article, and a 3 person video with interviews, and yet the listener/reader knows no more about what actually happened than before they began. Its well produced hearsay.

[–] [email protected] 28 points 1 year ago

That guy has saved ….. so much money! I’m jealous

[–] [email protected] 28 points 1 year ago (3 children)

Gas pumps have Bluetooth? That's news to me.

[–] [email protected] 22 points 1 year ago (1 children)

You would be surprised, and then very worried, to find out what things needlessly have bluetooth

I saw a guy detail how to hack a house through a fridge.

[–] [email protected] 15 points 1 year ago (10 children)

I get unreasonably angry at salespeople when they brag about Bluetooth and wifi on appliances.

I know I shouldn't. But wtf do you want your toaster to have internet access?

load more comments (10 replies)
[–] [email protected] 10 points 1 year ago

I have to wonder if the are confusing NFC with Bluetooth? Many newer pumps have smart chip tap pads now. I suspect they have found an exploit for this now.

load more comments (1 replies)
[–] [email protected] 22 points 1 year ago (9 children)

Is it really theft? Considering how much of his tax dollars have gone to subsidize the oil and gas industry?

[–] [email protected] 21 points 1 year ago* (last edited 1 year ago)

Yes, considering the oil company doesn't own the gas station and still gets paid for the fuel. The person you're stealing from is the owner of the gas station who purchases the fuel and then in many areas sells fuel with very low margin in hopes of you coming into the store for snacks and drinks to make money on higher margin products. So even if they are selling a large amount of fuel, they aren't making a lot of profit to make up for the theft.

load more comments (8 replies)
[–] [email protected] 22 points 1 year ago (3 children)

The grammar in this article is horrendous. It’s almost as if Fox isn’t a reputable source for news!

load more comments (2 replies)
[–] [email protected] 21 points 1 year ago (6 children)

This article has so few details. How do we think they're pulling this off? Phones? A Flipper maybe? And then what?

load more comments (6 replies)
[–] [email protected] 21 points 1 year ago (8 children)

Some places let you pump THEN pay inside. You could just fill and leave. Is that not basically the same thing? Thay can catch them the same way.

[–] [email protected] 29 points 1 year ago (1 children)

This is every petrol station in Australia, don't think I've every seen anybody do a runner, not like it's hard to catch up

[–] [email protected] 21 points 1 year ago (1 children)

It’s how it used to work in most of the US. Every once in awhile, you’d be in a rough area and have to pay ahead of time but it was rare. When they switched to credit/debit cards, it generally became “Pay inside if you can’t use a card.”

It wasn’t much of a problem even when crime peaked in the U.S. (late 80’s and 90’s) and you could theoretically get away with it. Gas stations have always had security cameras.

[–] [email protected] 12 points 1 year ago* (last edited 1 year ago) (2 children)

Australian pumps all have the capability to pay at the pump.

It's almost always restricted to fleet buyers (taxis, delivery vans, etc). If you're a regular consumer they force you walk past a tasty array of chocolates and other addictive high margin products before you're allowed to pay. They even give you a a couple bucks off your gas if you spend ten bucks on chocolate.

load more comments (2 replies)
[–] [email protected] 11 points 1 year ago

This is very much the default in the Netherlands. Yes theft happens, but your license plate will be clearly visibly on CCTV meaning you will get a visit by police soon after.

load more comments (6 replies)
[–] [email protected] 18 points 1 year ago (11 children)

4$ per gallon that's approximately 1$ per litre.

I hope it will at least double for you so you know what it's like to pay for petrol in Europe..

[–] [email protected] 23 points 1 year ago (17 children)

I hope it will at least double to shock the system into prioritizing clean energy.

[–] [email protected] 9 points 1 year ago* (last edited 1 year ago)

Ah yes, hurt the poor people to make the rich wake up. That'll definitely work!

load more comments (16 replies)
[–] [email protected] 19 points 1 year ago* (last edited 1 year ago) (9 children)

I get what you're saying, but I'm not sure you realize just how much that would hurt people. Europe is much more densely concentrated and has far better public transit options. Many parts of the US are extremely rural. My nearest grocery store is a 30 minute drive away. There are no stores in walking distance at all. There are no sidewalks. There are no busses, trains, or cabs in my area, and that is not wildly uncommon.

If costs of gas doubled, at least without viable alternatives, it would absolutely bankrupt people. And it would disproportionately impact poor people in rural areas where it's very common to commute to work 30-60 minutes of driving is a common commute. While it varies by state, US federal minimum wage in the US is $7.25/hour. Many people commute for work, and an hour drive one way is also not uncommon.

Let's take 7.25 an hour x 40 hours = $290 before taxes.

We'll keep it simple and say a person uses only 1 gallon of gas per day to get to and from work which, at $8 a gallon x 5 days a week = $40. Just that travel to and from work and no other travel at all (or maintenance on the vehicle) would be 14% of pre-tax income.

So many things need to change so I understand the perspective, but I think it's really important to consider the widespread impact. Obviously the US has a lot of issues contributing to this situation.

load more comments (9 replies)
[–] [email protected] 18 points 1 year ago (1 children)

In that case I hope your health care is reformed to imitate what we have here.

load more comments (1 replies)
[–] [email protected] 13 points 1 year ago

I wouldn't wish that on anybody it sucks to pay a lot of money for gas

[–] [email protected] 9 points 1 year ago

Canada just north of the border it's about $1.92/L where I live.

load more comments (6 replies)
[–] [email protected] 14 points 1 year ago (1 children)
load more comments (1 replies)
[–] [email protected] 9 points 1 year ago (2 children)

Why is that even possible?

[–] [email protected] 49 points 1 year ago (4 children)

Because people think security and privacy are a joke, and it’s times like this where it shows.

load more comments (4 replies)
[–] [email protected] 30 points 1 year ago (1 children)

Hardware security is still overlooked a lot in the tech industry, hence there are a ton of hardware and mechanical stuff out there that are made “smarter” but still barely have any security controls. That’s why there’s the saying “The S in IoT stands for security”. Bluetooth in itself is not secure, and they probably have a very basic control where the pump is unlocked remotely via a bluetooth device.

[–] [email protected] 9 points 1 year ago

I very distinctly remember early bluetooth amongst other interfaces explicitly discussed in college as an example of "enabling things to understand eachother, including things that shouldn't." It's up to the developer to protect their data.

There is a problem here that isn't just a hardware/software issue, it's a "I'm not gonna worry about it" problem that leads to security issues.

load more comments
view more: next ›