Tuesday, August 11, 2015

Killer Gas Gauges

Slow news week it must be my young apprentice.

Related article:  Hackers are attacking US gas stations


Breaking news: Misfits rename the equipment of local service stations to funky names.

That is what the title should have been in this news regurgitation.

Sadly, that is not what is being reported.

So hackers (there is that term again), are being reported as potentially exposing gas stations to huge risks because the telemetry system that monitors the gas level in the underground tanks is vulnerable to some form of abuse.

If we keep believing the news reporters, hackers will be able to:


  • Push out premium gas when you select the cheap stuff
  • Push out leaded gas because hackers are just that good
  • Make your wife/husband more attractive by pushing out more fumes while you pump (effect will be temporary)
  • And it seems, make the staff who refuels the tanks complete idiots.


The theory behind the "security issue" is that if we think the tank is empty, then the truck that will come to refill the underground tank will overfill it and the resulting overflow will be a "significant" danger for the lives of nearby habitants.

So when it comes to bullshit, I have seen a lot, but this extract here could become the gold standard in my future teachings;


"However, the Trend Micro researchers warn that ATG cyberattacks could still cause serious issues. Hackers can monitor one to find out when a facility is expecting the next fuel delivery or hold it hostage and ask for ransom. They can also fake fuel levels to induce overflow and put the lives of people in the area in danger."

Lets dissect this golden turd as an educational exercise.

CAUSE SERIOUS ISSUES   

So this one paragraph has at least 3 major issues.  Here they are for your entertainment pleasure:

#1 Knowing when the fuel truck is expected is not a serious issue.  Perhaps one has to understand how the fuel industry works.  Perhaps I am expecting too much from a "reporter".  Gas stations rarely run out of fuel.  That is because they know the trend.  The fuel truck already comes on a fixed schedule.  If terrorists wanted to blow one up, they do not need to hack the fuel level gauge to have the truck come and fill her up early.  They already know the truck comes each Wednesday after rush hour.  Are our terrorists now so anxious that they can't wait a few hours.

#2 Taking the gas station hostage.  Security researchers are supposed to stay off the white stuff.  I cannot envision a scenario (especially in the US) that ends well for the "hacker" who attempts to take a gas station hostage by manipulating their FUEL LEVEL READINGS.  For the love of god, my dad had an aging Buick with a broken fuel gauge for years, no one died.  Someone walk me through the SERIOUS ISSUE hidden behind this gem and how one would go about taking a service station hostage?

#3 INDUCING OVERFLOW !  This one is the icing on top of the cake.  Certainly the staff that drives the truck and connects the big huge hose to the ground has something called..... two working hemispheres ......  Perhaps they would notice that things are overflowing, and stop the pump.  Perhaps the system is already designed to stop back flow, after all, the pump you use on your car has this basic countermeasure, and spilling fuel on the ground is such an expensive waste to clean up.  And another thing, how do you INDUCE something by simply misleading someone that the fuel level is low ?

One thing fuel companies are really good at is accounting.  Surely they must "account" for fuel quantity sold versus fuel quantity in the tanks.  They probably have environmental regulations to respect with these "numbers" to prove that their underground tanks aren't leaking into the local drinking water.  I guess reporting the news only means talking to one side of the story and trying to spin it into breaking news. 

So MSN news, get real reporters who focus on the actual value of the story first.

Trend Micro, I love you guys, but you need new research guys, or someone to screen the inappropriate use of adjectives.  Because it is a fact that something which is vulnerable does not equate to a "serious" security risk.

My face is vulnerable to being slapped, and sadly, that rarely happens.

So, this is not really a news story after all.  Nothing of interest to the general public.  In fact, what the news is doing, is spreading the word that any misfit could "play" around with their local service station.

So fuel corp executives might decide to address this issue, which might not even be an issue.  The price of gas will go up a few cents to offset the cost of the entire monitoring system overhaul.  No one will have done an adequate risk analysis, they will just have acted to shut the reporters up.   

Well, I'm an optimist.  I have hope that the fuel giants have better management then we have reporters.









No comments:

Post a Comment

Banning TP-LINK..... the correct strategy?

OBJECTIVE:  Something to think about.  This type of news comes around frequently over the last decade.   Should we ban a Chinese manufacture...