Murphy Oil (Walmart) Fueling Stations
max_9909 (max_9909@yahoo.com)
I recently had the displeasure of being contracted to install Point of Sale (POS) and back office PCs and peripherals for a Murphy Oil location in my area about six months ago.
Murphy Oil is the partner that runs all of the fueling stations at Walmart and Sam's Club superstores. I did not get a chance to play with all the goodies because I was on a time frame for the installation. However, the information could be useful to someone out there, so here it goes. <standard disclaimer> This is for information purposes only. </standard disclaimer>
The Hardware
Dell is the main supplier of technology for these locations and I was directed to inform anyone interested that I was a "Dell Service Provider" when doing an install.
All of the associated hardware first goes to a staging area where they mount the POS system, phone line protector, "The Stick" phone line adapter (not exactly sure what this does), and a Dell PowerConnect switch to a wire rack for a clean, easy install.
The POS system, along with the back office PC, are Dell SX720 small form factor PCs. Another wire rack receives two Belkin surge protectors, an Isobar surge protector, two serial switches, and an USRobotics 56 kbps external modem. The modem is for Net-Op dial-in, utilizing pcAnywhere to login to the POS for support, etc. Sorry, could not get a password. Out of the serial switches are connections to the "DBox," an interface for the fuel pumps. The serial switches connect to the POS system by way of USB.
Connected to one of the Belkin surge protectors are the power bricks for the POS display pole, the media converter for the fiber optic link to the Walmart store's internal network, and "The Stick."
The fiber channel carries requests for purchases with a Walmart gift card, along with Internet connectivity. The cash drawer is connected to the receipt printer, which acts like a bridge. The receipt printer connects by USB to the POS system. The cashier uses a touchscreen monitor for most activities. The keyboard is purposely left unplugged, but the mouse is connected and sitting on top of the cash drawer.
The back office system is the same Dell computer, just with some other software to run reports, etc. on the POS (they connect via Cat 5 to the PowerConnect switch).
Located above this system is the PES/Brighton Satellite System, which provides connectivity to another internal network for the company to process credit card transactions among other things. Did not get a chance to play with the satellite system because they were not installed at the time I installed my side of the work. They connect to the PowerConnect switch along with the fiber patch cable and both PCs.
The back office PC connects to a two port KVM switch, with another PC being in the storage room directly behind the main room. This PC only runs the security cameras, of which there are four - one on the cashier, one in the storage room, and two on the fuel pumps. This system also has motion-sensing capabilities.
There is, to my knowledge, no connectivity to the outside world for the PC running the cameras. They connect to the PC via a four-port RCA card. I did not install this system, but it appears to be a homebrew computer made especially for Murphy, probably by internal technicians. There is no login for this system, as it loads the security camera software automatically. Maybe you could head off the loading of the software by three-finger-saluting and shutting the program down before it loads. You will have about 20 seconds to do this. After that, all keyboard input is disabled. Sometimes these types of software have a web-based interface.
How cool would that be? All three PCs are on APC battery-backup systems as well.
The Software
The POS, back office, and security camera PC all run Windows 2000.
The POS software is headlined by Majestic, which interfaces with all the hardware to run the whole shebang, including setting fuel prices. The default user ID number and PIN were: 1993
Also heavily used was a program called the MAS control panel, which did all of the hardware related connectivity, such as checking the BIOS versions of the fuel pumps. A series of scripts were used to check the connections to the pumps, loading the graphics to the pump LCD, etc.
These connections to the pumps are carried over IPXpackets. The POS system has the entire C: drive shared to the back office PC. This back office PC runs software by a company called Yokogawa (gas station client). I'm not sure of the function of this software, but the password is: Yoko
Exploits
Obviously, dialing into the POS system and exploiting either pcAnywhere or social engineering is very doable. Just think of the possibilities.
You can change gasoline prices, shut down pumps mid-fueling, all kinds of chaos.
To get the dial-in number, you could probably call the Murphy Help Desk at 877-237-8306 (Option #1) and social engineer your way to getting the Net-Op dial-in number. Have the name of the teller and the store number ready (the number for the fueling station, not the Walmart store; just check a receipt). Or call the teller and try to get the number. They have two drops for each line usually, one in the teller station and one in the storage room. The numbers are usually written in the boxes.
Maybe call the teller representing the Murphy Oil help desk and tell them to visit this site to receive a software upgrade. Then, record the IP address and work backwards. There may be a proxy, firewall, or VPN involved in these connections, but maybe not. I had to run a script that would ping Walmart for connectivity, so obviously there could be a way in from the Internet.
Social engineering will work better at newer stores, when they are still trying to work out kinks.
Some IP Addresses
- 156.87.x.x
- 156.92.x.x
- 156.82.x.x
- 55.131.x.x
- 55.132.x.x
This information was gleaned from a document sent to me.
I did not check any of these yet, but will explore them when I get a chance. I'm not sure what subnets are what.