This is an archived article and the information in the article may be outdated. Please look at the time stamp on the story to see when it was last updated.

HIGH POINT, N.C. (WGHP) – You may have wondered: How could someone override a gas pump and get away with 400 gallons while a station was closed?

That happened Monday night in High Point, when the Bizzy Bee Grocery and BP on Main Street was struck on a 45-minute siege that store owner Hardik Patel told WGHP cost him about $1,600.

Like a lot of other scams, this is not the first time such thievery has happened, and it’s not even the biggest theft you can find in a casual search.

Thieves in Paris in 2019 took 26,000 gallons – yes, thousand – from multiple outlets and were believed to have made roughly $168,000 from their spree. In that case, the thieves brought in vans that carried tanks that could carry roughly 660 gallons of fuel.

400 gallons of fuel stolen from High Point gas station
400 gallons of fuel stolen from High Point gas station (WGHP)

In June of 2017, a BP employee in New Jersey was arrested and charged with manipulating gas pump computers to steal more than $300,000, Yahoo News reported.

Unlike the culprits in High Point, these thieves knew the access code for a specific brand of fuel pump, which allowed them to set the price at zero.

In 2010, thieves in West Palm Beach, Florida, opened up a pump and stole 500 gallons. In 2012, a group in nearby Port St. Lucie, Florida, used a device to bypass the counter. In 2018, a group thieves in Detroit took 600 gallons by getting inside the pump and installing a hacking device.

Just Thursday morning, two men from Orlando were arrested for getting inside the pump and stealing from a station in the Tampa area.

But in High Point, it was more like changing the channel on your television, holding up a remote device that could change the flow process on the machine, petroleum expert Trey Barker told WGHP.

Access to gas pumps

Prices for various grades of gas are posted on the digital readouts of a pump. (AP Photo/David Zalubowski)

In 2018, researchers at Kaspersky Lab, a software company that provides the firewall you may employ to protect your PC, found some gas pumps were vulnerable to takeover by hackers because there was an embedded controller in that gas pump.

“The device we investigated was not just a tiny web interface. It was an embedded box running a Linux-based controller unit that was installed with a tiny httpd server,” Ido Naor wrote for Kaspersky. “According to its manufacturer, the controller’s software is a site automation device that is responsible for managing every component of the station, including dispensers, payment terminals and more.

“More specifically, the controller is at the heart of the station and if an intruder finds a way to take over the box, the results could be catastrophic. Another worrying detail, discovered later in the research, was when the solution was installed – many instances were embedded in fueling systems over a decade ago and have been connected to the internet ever since.”

This graphic published by Kaspersky shows the interacting devices in the gas pump system. (KASPERSKY)

Surprising path

Like you might have thought, Naor and his researchers said they believed that gas pumps were outside the internet and monitored. But he wrote that he found that a skilled hacker “could access a fueling system from anywhere in the world.”

Attempts to reach Naor, who lives in Israel, were not immediately successful. He no longer is employed by Kaspersky, and he runs his own security company. And software and hardware surely have been changed since his investigation.

But his report does share to illuminate how the culprits were able to gain a path to free fuel at Bizzy Bee.

Dangerous vulnerability

Naor’s research showed that he could with one internet search find more than 1,000 gas stations across the globe that used the same hardware and were “far more dangerous than webcams” for hackers. Understanding this system, he said, required no special hacking skills.

Researchers also found that many of the systems had “default credentials,” which means they might have similar access codes unless an employee took the time to change them.

What an intruder can do

According to Naor’s work for Kaspersky, an intruder accessing a gas system could:

  • Shut down all fueling.
  • Cause fuel leakage and risk of casualties.
  • Change price.
  • Circumvent payment to steal money.
  • Scrape vehicle license plates and driver identities.
  • Halt the station’s operation, demanding a ransom in exchange.
  • Execute code on the controller unit.
  • Move freely within the gas station network.