卡巴斯基实验室帮助发现导致加油站容易成为黑客攻击目标的漏洞

卡巴斯基实验室的研究人员帮助发现了多个未知漏洞，这些漏洞曾导致全球的加油站多年以来一直面临远程接管(攻击)。被发现的漏洞位于嵌入式的加油站控制器，这种控制器的安装和在线数量超过1,000多家。在确认威胁后，卡巴斯基实验室将相关信息通知了设备制造商。

Ido Naor, senior security researcher at Kaspersky Lab, together with another researcher found the controller during unrelated research into devices with open connections to the internet. In many cases the controller had been placed in the fuel station over a decade ago and had been connected to the internet ever since.

卡巴斯基实验室高级安全研究员Ido Naor与另外一位研究人员在研究开放连接到互联网的设备时无意间发现了这种控制器。很多情况下，这些控制器在十多年前就被放置在加油站中，并且自那时以来一直连接到互联网。

The controller, which runs a Linux machine, operates with high privileges and the researchers discovered a number of vulnerabilities that leave the device and the systems it is connected to open to cyberattack. For example, the researchers were able to monitor and configure many of the gas station settings. An intruder able to bypass the login screen and gain access to the main interfaces would be able to do any of the following:

这种控制器是一种运行Linux系统的机器，其运行的权限非常高，研究人员发现该系统包含多个漏洞，能够导致这些联网的设备和系统遭受攻击。例如，研究人员能够监控和配置很多加油站的设置。入侵者能够绕过登陆界面，访问主界面，并且可以采取以下操作：

· Shut down all fueling systems

· 关闭左右加油系统

· Change the fuel prices

· 更改汽油的售价

· Cause fuel leakages

· 造成油料泄露

· Circumvent payment terminals to steal money (the controller connects directly to the payment terminal, so payment transactions could be hijacked)

· 欺骗支付终端，窃取资金(控制器直接与支付终端相连，所以攻击者可以劫持支付交易)

· Scrape vehicle license plates and driver identities

· 盗取车辆的牌照信息和驾驶员的身份

· Execute code on the controller unit

· 在控制器组件执行代码

· Move freely within the gas station network

· 自由在加油站网络内活动

“When it comes to connected devices it is easy to focus on the new and to forget about products installed many years ago that might be leaving the business wide open to attack. The damage that could be done by sabotaging a gas station doesn’t bear thinking about. We have shared our findings with the manufacturer,” said Ido Naor, Senior Security Researcher at Kaspersky Lab.

在联网设备方面，人们总是容易关注最新的设备，忘记很多年前就已经安装的产品，但这些设备却可能会导致企业或组织遭受攻击。对加油站造成的破坏是无法想象的。我们已经将我们的发现分享给了这些设备的制造商，“卡巴斯基实验室资深安全研究员Ido Naor说。

The vulnerabilities have also been reported to MITRE and the research is ongoing.

相关漏洞已经报告给MITRE，针对其的研究仍在进行。

Kaspersky Lab advises manufacturers of connected internet-of-thing devices to consider the security of their products from the very first moment of development and design, and to review legacy devices for possible security vulnerabilities. Users of connected devices are urged to review regularly the security of these devices and not to rely on factory settings.

卡巴斯基实验室建议物联网设备制造商在产品设计和开发之时就优先考虑产品的安全性，同时要评估已有产品是否存在安全漏洞。同时建议联网设备用户定期查看这些设备的安全性，不要依赖其出厂设置。

More information on the research is available on Securelist.

有关这次研究的更多信息，请访问Securelist.