Connect with us

Hi, what are you looking for?


M&A Tracker

US Gas Stations Exposed to Cyberattacks: Researchers

Malicious actors could theoretically shut down more than 5,300 gas stations in the United States because the automatic tank gauges (ATGs) used to monitor fuel tanks are easily accessible via the Internet.

Malicious actors could theoretically shut down more than 5,300 gas stations in the United States because the automatic tank gauges (ATGs) used to monitor fuel tanks are easily accessible via the Internet.

ATGs are electronic devices that monitor fuel level, temperature, and other parameters in a tank. The devices alert operators in case there is a problem with the tank, such as a fuel leak.

The ATG vulnerabilities were discovered by Jack Chadowitz, founder of Kachoolie, a division of BostonBase, Inc. Chadowitz reached out to the security firm Rapid7, which used its Project Sonar infrastructure to conduct a scan of ATGs on January 10.

“Many ATGs can be programmed and monitored through a built-in serial port, a plug-in serial port, a fax/modem, or a TCP/IP circuit board. In order to monitor these systems remotely, many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port. The most common configuration is to map these to TCP port 10001,” Rapid7’s HD Moore noted in a blog post.

The problem is that while these systems allow operators to set a password for the serial interface, in many cases this port remains unprotected.

Most of the affected gas stations are in the US

Based on an Internet-wide scan targeting the TCP port 10001, Rapid7 has determined that roughly 5,800 ATGs are accessible via the Internet and without a password to protect them against unauthorized access. Approximately 5,300 of these ATGs are at gas stations in the United States, most of which are located in New York, Texas, Florida, Virginia, Illinois, Maryland, California, Pennsylvania, Connecticut and Tennessee.

Advertisement. Scroll to continue reading.

“The affected stations appear to be either independently operated stores or franchises for the most part. Without listing names, most of the ‘big name’ convenient stores and truck stops are represented, but there are some notable exceptions, and sometimes only a handful of stores are listed for a given chain,” Moore told SecurityWeek. “This spread is likely the result of M&A activities and some stores not being integrated with the parent company’s operations. The dataset also includes private fuel depots for municipal and university campus motor pools. The ~5,300 stations represent approximately 3% of the total US stations (somewhere between 112k-150k total), so it seems like vast majority of gas stations are not affected.”

In addition to the US, vulnerable ATGs were also discovered in Spain, Puerto Rico, Canada, Germany, Italy, New Zealand, Uruguay, France and Slovenia.

Attackers could shut down gas stations

According to Moore, malicious hackers who have access to the serial interface of an ATG can spoof reported fuel levels, generate false alarms, and perform other actions that could lead to the gas station being shut down.

“In our opinion, remote access to the control port of an ATG could provide an attacker with the ability to reconfigure alarm thresholds, reset the system, and otherwise disrupt the operation of the fuel tank. An attack may be able to prevent the use of the fuel tank entirely by changing access settings and simulating false conditions, triggering a manual shutdown,” Moore explained.

While there is no evidence of attacks against vulnerable ATGs, experts have pointed out that a malicious actor could easily pull off such an operation because no special tools are required to interact with the ATG and information on how to manipulate the device is in many cases publicly available. Furthermore, it’s difficult to tell the difference between a system failure and an attack.

“The information that I found most surprising was that a large number of gas stations are using consumer broadband services, including consumer routers. These devices may pose a more serious risk to the public than the tank gauges in that the store point-of-sale and management systems are often only protected by the router, which often provides wireless access to the network,” Moore told SecurityWeek. “Given the attack surface of these devices and ubiquity of WPS and weak WPA2 keys, gas stations in general may be much more exposed than the public realizes. I haven’t had a chance to correlate other data against the station IPs that we found, but all signs so far point to a fragile security model at these stores.”

Affected ATGs and mitigations

Most of the vulnerable ATGs are manufactured by petroleum equipment service company Veeder-Root. The firm has pointed out that its customers have not reported any unauthorized access incidents.

“Security, accuracy and reliability are top priorities at Veeder-Root. We have taken immediate and decisive steps to inform each of our customers about activating the security features already available in their tank gauges,” Andrew Hider, president of Veeder-Root, told SecurityWeek. “It is important to note that no unauthorized access of any kind have been reported by any of our customers in regard to our gauges, but we feel that any question regarding security is met with the appropriate resources to safeguard Veeder-Root customers.”

Kachoolie provides a service that allows users to test if their tank gauges are secure.

Operators are advised to use a VPN gateway or a dedicated hardware interface for connecting ATGs to monitoring services.

Related: Learn More at the 2015 ICS Cyber Security Conference

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Thirty-five cybersecurity-related M&A deals were announced in February 2023


Forty cybersecurity-related M&A deals were announced in January 2023.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Seventeen cybersecurity-related M&A deals were announced in the first half of February 2023.