this post was submitted on 03 Oct 2023
666 points (97.4% liked)

Technology

59632 readers
2834 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Detroit man steals 800 gallons using Bluetooth to hack gas pumps at station::undefined

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 32 points 1 year ago (2 children)

Wait so they haven't caught them yet? The article gave no names. And why do these pumps have Bluetooth? You might as well put in a USB service port.

[–] [email protected] 35 points 1 year ago (2 children)

USB is way safer lol.

Bluetooth is notoriously bad with security. Especially Bluetooth 4 and earlier. I'd put money on a gas station pumps Bluetooth to not be using the most up to date protocol.

[–] [email protected] 51 points 1 year ago (2 children)

It's like saying TCP has bad security. That is to say, pointless comparison. Bluetooth is just transport layer and security is done on higher level. This is most likely the classic example of "security through obscurity". Meaning they did nothing special and hoped no one will figure it out, just like recent TETRA vulnerability.

[–] [email protected] 29 points 1 year ago (1 children)

Come on now! The pumps required you to enter the secret pairing code: “12345”

[–] [email protected] 19 points 1 year ago

You fool! It was 00000, now you'll never have free gas!

[–] [email protected] 18 points 1 year ago* (last edited 1 year ago) (1 children)

Transport layer is absolutely a security vulnerability vector.

TCP is absolutely low security if not configured correctly.

I don't know what it is you're trying to say. I agree that this instance was probably security through obscurity failing, but to say that Bluetooth, TCP, and other transport layer protocols are not security considerations is absolutely ridiculous (see for example, heartbleed). It's exactly the reason there are multiple versions of Bluetooth. It's why FTP is (should be) all but deprecated and SFTP and FTPS are standard. It's why Google doesn't index webpages without an SSL certificate.

USB is way safer

[–] [email protected] 2 points 1 year ago (1 children)

Of course wired connection is inherently safer than wireless. There's no question about it. And yes you can absolutely exploit at every layer of communication, but this here is not the case of exploiting Bluetooth as transport layer. It's simply someone not configuring anything or adding any additional verification and just hoping no one finds out.

[–] [email protected] -2 points 1 year ago (1 children)

Okay, but your claim that my comparing Bluetooth to USB being like comparing Bluetooth to TCP is misinformed at best.

[–] [email protected] 1 points 1 year ago (1 children)

My comment had nothing to do with Bluetooth vs. USB comparison. I only said Bluetooth is a transport layer and claiming it's "notoriously bad security" is not all that correct since most of the security parts come on top of it. So in many ways Bluetooth is quite similar to TCP, at least from point of communication. From the software point of view, both with Bluetooth and TCP, you create a socket then send and receive data through it. Literally the same interface. Protecting data that goes through either method is meant to be done at that point be it with encryption, identity verification, whatever.

Same thing applies to USB, but being physical it has added benefit of having to connect to it but that opens whole set of new potential issues. So it's easier to physically protect it, but should that protection fail, you might end up in even more trouble.

[–] [email protected] 0 points 1 year ago (2 children)

You can disable a USB port and require remote SSH to enable it.

USB is way safer.

[–] [email protected] 0 points 1 year ago (1 children)

That then in turn complicates things and requires maintenance people to be educated, etc. It's possible to do authentication and handshakes properly without complicating matters. It just wasn't done.

[–] [email protected] 2 points 1 year ago (1 children)

It does not complicate things in a way that makes things less secure than using Bluetooth 4.0 or earlier.

USB is way safer.

It's amusing that you won't just give up and admit that the blanket statement is 100% accurate. But you do you; just remind me not to use any services that you're on the opsec team for.

[–] [email protected] 0 points 1 year ago (1 children)

Am just telling you there are ways to do security properly and make it good, be it Bluetooth, WIFI, GSM, LAN or USB. There's no such thing as blanket 100% correct statements. I distinctly remember security issues with USB when protocol allowed DMA access which was used to leak all kinds of important data. Luckily it was patch fast, but that is the doing security properly part. There's nothing completely secure in this world.

[–] [email protected] 1 points 1 year ago (1 children)

And you still won't agree to the simple and obvious truth that USB is way safer than Bluetooth 4.0 or earlier. Nice.

You do you.

[–] [email protected] 0 points 1 year ago (1 children)

Why would I agree to something that's not correct. You just pulled that out of your ass and claiming it's true.

[–] [email protected] 0 points 1 year ago

You can disable Bluetooth and require remote SSH to enable it... 🙄

BTW, have you heard about BadUSB?

[–] [email protected] -4 points 1 year ago (1 children)
[–] [email protected] -1 points 1 year ago (1 children)

Ah, brilliant. Another expert.

Yes, it is how it works. Cheers.

[–] [email protected] 5 points 1 year ago

This is the kind of rigorous debate I’m here for.

[–] [email protected] 18 points 1 year ago

At least you can lock a usb port behind an access panel