Not sure about this specific pump but this same thing happened in my town several months back and BT was used then too.
When it happened we found out that the pumps at the station in particular (and probably most) have a BT receiver tied to whatever little processor that runs the pump so either a station manager or someone servicing the pumps can access them with the right equipment, make internal adjustments etc.
In the case that happened locally to us, someone hacked them the same way, then posted to Facebook and other social media sites to come get some free gas, etc.
All the pumps I've seen have a physical key protecting them too. They're supposed to unlock it in the morning and lock it when staff leave for the night. I'd guess these stations didn't do that?
Off topic but the right crowd is here, would anyone be interested in starting a hardware security community?
Edit: https://lemmy.world/c/hardwarehacking is live! It's still a work in progress but all are welcome to join.
My hardware knowledge is limited to ruining many sets of alligator clips trying to dump a virus from an infected UEFI/rewrite the chip so that I'd have a usable motherboard and a nasty virus to poke and prod at.
I guess I've always managed to set an ESXi server to route internet traffic through a PC so my IPS can get at it and drop the bad stuff. Still trying to figure out the SIEM piece.
And smart lights / plugs. Many, many many of those.
I've got a decade of experience as an AE in a very techy field though.
If it's a choice between me and a homeless guy then I'm definitely the guy.
Bluetooth is notoriously bad with security. Especially Bluetooth 4 and earlier. I'd put money on a gas station pump's Bluetooth to not be using the most up to date protocol.
It's like saying TCP has bad security. That is to say, pointless comparison. Bluetooth is just a transport layer and security is done at a higher level. This is most likely the classic example of "security through obscurity". Meaning they did nothing special and hoped no one will figure it out, just like the recent TETRA vulnerability.
This exemplifies Fox - they provided a lengthy article, and a 3 person video with interviews, and yet the listener/reader knows no more about what actually happened than before they began. It's well-produced hearsay.
I have to wonder if they are confusing NFC with Bluetooth? Many newer pumps have smart chip tap pads now. I suspect they have found an exploit for this now.
Yes, considering the oil company doesn't own the gas station and still gets paid for the fuel. The person you're stealing from is the owner of the gas station who purchases the fuel and then in many areas sells fuel with very low margin in hopes of you coming into the store for snacks and drinks to make money on higher margin products. So even if they are selling a large amount of fuel, they aren't making a lot of profit to make up for the theft.
I mean, that already is used to significantly lower at-the-pump gas prices from what they actually are, and raising gas prices is an easy way to lose an election in America, so that probably won't change. Notice that in many other countries gas prices are way higher than in the US.
It’s how it used to work in most of the US. Every once in a while, you’d be in a rough area and have to pay ahead of time but it was rare. When they switched to credit/debit cards, it generally became “Pay inside if you can’t use a card.”
It wasn’t much of a problem even when crime peaked in the U.S. (late 80’s and 90’s) and you could theoretically get away with it. Gas stations have always had security cameras.
This is very much the default in the Netherlands. Yes theft happens, but your license plate will be clearly visible on CCTV meaning you will get a visit by police soon after.
Not if it's a stolen car, a car without plates in some area they aren't likely to be caught, or one of those cars that has that thing that can change numberplates.
The car with the changeable numberplate would be harder to catch if it was a super common car in the area as well.
All those things are risky as fuck with police AI number plate recognition these days. It would take no time at all to track someone down over a $50 theft.
That would be quite a boost on top of how cheap solar is getting. Just need a good and cheap storage solution for the grid to run on more and more solar later and later into the evening.
That's a lovely idea but I don't even have money to buy a newly made car. Where am I supposed to get money for a significantly more expensive (price and repair cost) and unreliable electric car? Now I can repair my car on my own cause it's old and easy, also easy to refill. Electric cars are not the way. Also it's not as green as everybody thinks.
I get what you're saying, but I'm not sure you realize just how much that would hurt people. Europe is much more densely concentrated and has far better public transit options. Many parts of the US are extremely rural. My nearest grocery store is a 30 minute drive away. There are no stores in walking distance at all. There are no sidewalks. There are no busses, trains, or cabs in my area, and that is not wildly uncommon.
If costs of gas doubled, at least without viable alternatives, it would absolutely bankrupt people. And it would disproportionately impact poor people in rural areas, where 30-60 minutes of driving is a common commute. While it varies by state, the US federal minimum wage is $7.25/hour. Many people commute for work, and an hour drive one way is also not uncommon.
Let's take 7.25 an hour x 40 hours = $290 before taxes.
We'll keep it simple and say a person uses only 1 gallon of gas per day to get to and from work which, at $8 a gallon x 5 days a week = $40. Just that travel to and from work and no other travel at all (or maintenance on the vehicle) would be 14% of pre-tax income.
So many things need to change so I understand the perspective, but I think it's really important to consider the widespread impact. Obviously the US has a lot of issues contributing to this situation.
I agree but will counter, maybe people should be prioritizing buying motorcycles and heated jackets over trucks and SUVs that make up 80% of new sales. I think gas price should be based off mpg MORE than now. If you get 15 mpg then you pay 15 per gallon. Get 30mpg you pay 7 per gallon. Only exceptions are for vehicles used for operational work, not commuting.
They do, it's called the European Union and they have publicly-funded means of transportation through it. They can freely move through the borders of any nation in the Schengen Zone without need of a passport. You can travel through most of Europe by many different means besides automobiles.
Our country is just too stubborn and individualistic to ever elect politicians that would see through the time and money required for the types of projects needed to make the US no longer reliant on cars and trucks. On top of that, it could take decades. Say if we ever did, it would just get shut down when the next conservative blowhard convinces enough people that it isn't worth it.
Long term projects like that just aren't in the cards for the US any more.
You have 3x higher average yearly salary than in the Czech Republic while having 2x lower price of gas/petrol. And we are considered a developed country. You have nothing to complain about. Get yourself a 1.2 litre hatchback like I have.
I would ban every engine above 2l in citizen commute cars cause there is no need for more power.
Hardware security is still overlooked a lot in the tech industry, hence there are a ton of hardware and mechanical stuff out there that are made “smarter” but still barely have any security controls. That’s why there’s the saying “The S in IoT stands for security”. Bluetooth in itself is not secure, and they probably have a very basic control where the pump is unlocked remotely via a Bluetooth device.
I very distinctly remember early Bluetooth amongst other interfaces explicitly discussed in college as an example of "enabling things to understand each other, including things that shouldn't." It's up to the developer to protect their data.
There is a problem here that isn't just a hardware/software issue, it's an "I'm not gonna worry about it" problem that leads to security issues.