ABC7 I-Team Investigation
Gas stations have always been popular targets for armed robbers. Now savvy crooks don't need guns to make off with full tanks. "Gas Jackers" are armed with inside information.
Thieves are outsmarting gas stations and security specialists are concerns. The I-Team has learned of a glitch that could expose those underground storage tanks to potential cyber attacks.
At a gas station in Kankakee, surveillance video captured the unusual hacking theft in action.
Last month, on a busy weekday evening, cars lined up for gas. But from inside the station, owners said their monitor showed no activity. No pre-pay, no credit card activated, no gas being pumped. Or so it seemed.
"I noticed gas was being pumped but nothing was indicating on the register. Right away, my instincts kicked in that something was going on," said Fadi Mohammad, a gas station co-owner.
Kankakee police told the I-Team that this is an unusual heist. The thief, shown on video, was apparently from the Chicago area.
Investigators suspect he picked the lock on this terminal and entered a default security code allowing him to put the pump into "test mode" --- essentially pumping gas for free.
Police said his goal was cash and that he told customers he would fill up their tank for just $20.
"We believe he hit more than one gas station in the Kankakee area," said Detective Steven Hunter, of the Kankakee Police Department.
A Chicago area pump service company that did not want to be identified told the I-Team these thefts have increased for months -- with stations hit from suburban Naperville to Michigan City, Ind.
Inspector John Lucki is a fraud expert at St. Xavier University.
"You find the manufacturers initial set password on the processor punch in the manufacturers password and you have a 50/50 chance you are going to override the electronic control system on the pump," Lucki said.
Security experts say station owners may be oblivious that their old, ineffective computer passwords put their pumps and underground storage tanks at risk.
"The petroleum industry needs to basically do a review of their controls and change default passwords. Without that, any attacker who has rudimentary information on their systems can gain access to them," said David Bryan, a security consultant at Trustwave.
Recent reports from industry insiders reveal cyber hackers have messed with gas tank gauges, which are used to monitor the massive amounts of fuel stored underground.
Worst-case senerio is that a hacker or terrorist could cause catastrophic problems by shutting down the flow of fuel in a wide area or allow tanks to overflow.
So far there are no reports of tanks being hacked this way.
Jack Chadowitz, of Boston-based Kachoolie, is in the fuel logistics business.
He points to documents that show the recent internet hacking of a U.S. gas station. The product name was changed to "power to the people" and levels set to zero.
"If one wanted to disrupt the economy be it for a short period it would be an easy way of doing it," Chadowitz said.
Back in Kankakee, above ground, security codes at the gas station hit last month have been changed.
Kankakee police tracked down those who took the gas deal and most paid up for what was pumped.
Other stations have been less fortunate.
Kankakee police are still looking for the mastermind behind the gas jacking.
The Association for Convenience & Fuel Retailing told the I-Team that internet and systems security is still an issue and that they are currently trying to raise awareness among gas station owners.
An association spokesman stresses there are human back-ups to help keep overfills and related environmental disasters from happening.