The price of gas may have recently dropped well below the highs consumers have seen in recent years, but the cost of leaving an Internet-connected gas pump exposed can still be high.
Researchers at Trend Micro say they found evidence hackers have already turned their attention to these devices. Their finding follows reports last month that many automatic tank gauges used at gas stations were accessible over the web without any authentication. Automatic tank gauges (ATGs) are used to monitor fuel level, temperature and other parameters in a tank and are used to alert operators if there is a problem such as a fuel leak.
According to Kyle Wilhoit, senior threat researcher at Trend Micro, the firm found evidence an attacker had modified a pump-monitoring system in the U.S. The pump system was found to be Internet-facing and had implemented no security measures, he blogged.
“The Guardian AST Monitoring System is a device designed to monitor inventory, pump levels, and assorted values of pumping systems typically found in gas stations,” he explained. “The pump systems support a variety of products and data points to monitor within the device, which are often easily accessed through the Internet. These are typically deployed online for easy remote monitoring and management of gas providers.”
When investigating possible attacks, the researchers turned to the Shodan search engine and quickly uncovered evidence of tampered devices.
“The pump name was changed from “DIESEL” to “WE_ARE_LEGION,”” Wilhoit noted. “The group Anonymous often uses the slogan “We Are Legion,” which might shed light on possible attributions of this attack. But given the nebulous nature of Anonymous, we can’t necessarily attribute this directly to the group.”
According to Wilhoit, overall statistics from Shodan showed that more than 1,515 gas pump monitoring devices were exposed over the Internet worldwide, all of them lacking security controls to prevent unauthorized access. Ninety-eight percent of these devices are in the U.S.
“An outage of these pump monitoring systems, while not catastrophic, could cause serious data loss and supply chain problems,” he blogged. “For instance, should a volume value be misrepresented as low, a gasoline truck could be dispatched to investigate low tank values. Empty tank values could also be shown full, resulting in gas stations have no fuel.”
Last month, researchers at Rapid7 noted that ATG vulnerabilities could be used to potentially shut down thousands of fueling stations in the United States with minimal effort.
“Many ATGs can be programmed and monitored through a built-in serial port, a plug-in serial port, a fax/modem, or a TCP/IP circuit board,” Rapid7’s HD Moore blogged Jan. 22. “In order to monitor these systems remotely, many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port. The most common configuration is to map these to TCP port 10001.”
The finding underscores the ongoing challenges of securing the Internet of Things. In a recent survey by Atomik Research and Tripwire, 88 percent of the respondents who work in IT in the energy industry said they were not confident in the secure configuration of industrial controllers, though only eight percent said they were concerned about those controllers being compromised by cyber-attackers.
“Our investigation shows that the tampering of an Internet-facing device resulted in a name change,” Wilhoit added. “But sooner or later, real world implications will occur, causing possible outages or even worse. Hopefully, with continued attention to these vulnerable systems, the security profile will change. Ideally, we will start seeing secure SCADA systems deployed, with no Internet facing devices.”