Thieves hack Marathon gas station, steal $1,800 of gas

An hour past high noon, hackers allegedly used a “remote device” to control a prepaid gas pump at a Marathon gas station in Detroit, allowing 10 vehicles to steal $1,800 of gas over a 90-minute period.

How many gallons of gas can your vehicle hold? Surely not 60? Yet the Detroit gas “hack” reportedly included a “convoy” of 10 vehicles, pulling in and pumping one after another for an hour and a half, managing to steal 600 gallons of gas. That implies each vehicle stole 60 gallons. There is no mention of people in those vehicles also filling up gas cans, barrels or other storage, so the total of 10 vehicles filling up for free to make off with 600 gallons doesn’t seem quite right.

A simple search showed that the gas tanks for minivans typically hold 16 to 20 gallons, with cars holding 12 to 16 gallons and mid-sized trucks holding between 21 to 38 gallons. While that doesn’t mean there are not bigger gas tanks on vehicles, it does seem to show that most vehicles won’t hold 60 gallons.

It’s also not the only thing about this “hack” of the fuel management system that doesn’t smell quite right. The “pump hijackers” pulled this off on June 23. Since then, the Detroit Police have been looking for “high-tech thieves who somehow hacked into a gas pump.” The cops said the device used by the men took control of the pump away from the clerk who supposedly didn’t realize he no longer had control of the system.

So, as these 10 vehicles pulled in one after another and filled up, the clerk eventually noticed that no one was paying at the prepaid pump. He also reportedly noticed that he couldn’t remotely control that pump — that his screen was unresponsive.

The clerk, Aziz Awadh, told Fox 2 Detroit, “I tried to stop it, but it didn’t work. I tried to stop it here from the screen, but the screen’s not working. I tried to stop it from the system; nothing working (sic).”

Sure, that would be freaky, and there’s no telling how a person might react. But Awadh claims he couldn’t shut down the pump until he got an “emergency kit.” Only then, 90 minutes later, did he opt to call the cops.

Although Detroit Police confirmed that whatever “device” the “hackers” used did prevent the clerk from using the gas station’s system to shut down the prepaid pump, Slashdot readers pointed out that the clerk could have resorted to old school remedies such as placing an “Out of Order” sign on the pump. Then again, if you were hacked, freaking out, and trying to regain control from inside of the building, that might not occur to you.

Vulnerabilities in gas station automated systems

Back in January, Kim Zetter wrote about vulnerabilities in an automated system used by thousands of gas stations that “would allow an attacker to shut down fuel pumps, hijack credit card payments, and steal card numbers or access backend networks to take control of surveillance cameras and other systems connected to a gas station or convenience store’s network. An attacker could also simply alter fuel prices and steal petrol.”

Of course, that doesn’t necessarily mean that’s what happened at the Marathon in Detroit. The police aren’t quite sure what happened. It is also unclear if all the vehicles that filled up for free were in on it or if they just took advantage of the free gas. Detroit Police have the surveillance video and are still investigating.