Much ado was made over the Labor Day weekend about a University of Oklahoma football player stealing gas from a local convenience store. Seems that he was caught after hours with a key to open the gas pump, allowing him to enter an access code into the pump's electronic keypad and pump free gas. Internet sports junkies immediately began to conspiracy-theorize that the convenience store owner was somehow handing out gas pump keys and access codes to football players.
Had these graduates from the Jethro Bodine School for Double-naught Spies done a bit of research, they would have discovered that gas station rip-offs using the techniques that were allegedly employed are nothing new. If they had seen the public demonstration that I saw at Defcon 2007 of a twelve-year-old girl bypassing the same locks that are used in the Pentagon, they might have thought, as did I, “Key? Key? You don’t need no stinkin’ key” (“Amateur locksmiths stump the experts,” 8-18-07).
As recently as last February, police in Flower Mound, Texas, busted thieves at a Payless Fuel station who were helping themselves to free, after-hours gasoline. Dallas TV station NBC5 reported that the crooks had a key and used a generic password to override the pump's programming code to unlock the pumps.
In a story about gas-pump credit card fraud, Eric Hamilton, chief of Florida's Bureau of Petroleum Inspection, was quoted by the Orlando Sun-Sentinel as saying that gas-pump keys are “the same keys you’d use for your shed or garage doors.” Access to the electronic keypad located inside the pump is relatively easy, as many pumps use common keys that are easily duplicated or bought on the Internet. The story went on to quote officials as saying that convenience is the reason for common keys; it’s easier for oil companies, pump manufacturers and gas stations if they have common keys. This allows one common or “master” key to unlock a large number of different pumps.
Beaumont, Texas newspaper The Enterprise has also reported on similar gas station thefts occurring in the Beaumont area. The Enterprise story explains how thieves are able to get into Gilbarco pumps, a popular brand used in about 70 percent of the gas stations in southeast Texas. The pumps come from the manufacturer programmed with a generic access code, and many times gas station owners don’t even know that it’s there. Word of this code has leaked out, and along with a black market-purchased key, and sometimes an additional keypad, thieves are helping themselves to free gas.
USA Today reported in 2006 that thieves in Baltimore and St. Louis used factory-issued master keys to open gas pumps and use the electronic keypad to reprogram the pump, allowing them to pump gas for free. The story stated, “To make it easier on service technicians, each manufacturer’s pumps can all be opened using a common key.” Once a master key makes its way onto the black market, it’s just a matter of time before copies are available around the world. With the cheap locks that are used on gas pumps, sometimes all that is needed is a “bump” key, an easily purchased or home-made device that allows the user to defeat a wide variety of locks.
Regarding the electronic keypad access codes, my research led me to the websites of two different major manufacturers of gas station pumps. There on their websites for the entire world to see are the owner's manuals for their pumps. Each manual describes in detail how to program the pump using the keypad, how to set the price for gas (such as $0.00) and what the default master codes are for each type of pump. For one very popular pump, the highly-secure default 4-digit master code is 1234. Many pump installers and gas station owners never change the master code (if they even know that it exists), figuring that, since the pump has a lock requiring a key, the master code is safe. If gas pump manufacturers don’t want the general public to know how their pumps are programmed, then they shouldn’t put the owner's manuals on the Internet. Duh.