Malicious actors could theoretically shut down more than 5,300 gas stations in the United States because the automatic tank gauges (ATGs) used to monitor fuel tanks are easily accessible via the Internet.
ATGs are electronic devices that monitor fuel level, temperature, and other parameters in a tank. The devices alert operators in case there is a problem with the tank, such as a fuel leak.
The ATG vulnerabilities were discovered by Jack Chadowitz, founder of Kachoolie, a division of BostonBase, Inc. Chadowitz reached out to the security firm Rapid7, which used its Project Sonar infrastructure to conduct a scan of ATGs on January 10.
“Many ATGs can be programmed and monitored through a built-in serial port, a plug-in serial port, a fax/modem, or a TCP/IP circuit board. In order to monitor these systems remotely, many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port. The most common configuration is to map these to TCP port 10001,” Rapid7’s HD Moore noted in a blog post.
The problem is that while these systems allow operators to set a password for the serial interface, in many cases this port remains unprotected.
Most of the affected gas stations are in the US
Based on an Internet-wide scan targeting TCP port 10001, Rapid7 determined that roughly 5,800 ATGs are accessible via the Internet with no password protecting them against unauthorized access. Approximately 5,300 of these ATGs are at gas stations in the United States, most of which are located in New York, Texas, Florida, Virginia, Illinois, Maryland, California, Pennsylvania, Connecticut and Tennessee.
“The affected stations appear to be either independently operated stores or franchises for the most part. Without listing names, most of the ‘big name’ convenient stores and truck stops are represented, but there are some notable exceptions, and sometimes only a handful of stores are listed for a given chain,” Moore told SecurityWeek. “This spread is likely the result of M&A activities and some stores not being integrated with the parent company’s operations. The dataset also includes private fuel depots for municipal and university campus motor pools. The ~5,300 stations represent approximately 3% of the total US stations (somewhere between 112k-150k total), so it seems like the vast majority of gas stations are not affected.”
In addition to the US, vulnerable ATGs were also discovered in Spain, Puerto Rico, Canada, Germany, Italy, New Zealand, Uruguay, France and Slovenia.
Attackers could shut down gas stations
According to Moore, malicious hackers who have access to the serial interface of an ATG can spoof reported fuel levels, generate false alarms, and perform other actions that could lead to the gas station being shut down.
“In our opinion, remote access to the control port of an ATG could provide an attacker with the ability to reconfigure alarm thresholds, reset the system, and otherwise disrupt the operation of the fuel tank. An attack may be able to prevent the use of the fuel tank entirely by changing access settings and simulating false conditions, triggering a manual shutdown,” Moore explained.
While there is no evidence of attacks against vulnerable ATGs, experts have pointed out that a malicious actor could easily pull off such an operation because no special tools are required to interact with the ATG and information on how to manipulate the device is in many cases publicly available. Furthermore, it’s difficult to tell the difference between a system failure and an attack.
“The information that I found most surprising was that a large number of gas stations are using consumer broadband services, including consumer routers. These devices may pose a more serious risk to the public than the tank gauges in that the store point-of-sale and management systems are often only protected by the router, which often provides wireless access to the network,” Moore told SecurityWeek. “Given the attack surface of these devices and ubiquity of WPS and weak WPA2 keys, gas stations in general may be much more exposed than the public realizes. I haven’t had a chance to correlate other data against the station IPs that we found, but all signs so far point to a fragile security model at these stores.”
Affected ATGs and mitigations
Most of the vulnerable ATGs are manufactured by petroleum equipment service company Veeder-Root. The firm has pointed out that its customers have not reported any unauthorized access incidents.
“Security, accuracy and reliability are top priorities at Veeder-Root. We have taken immediate and decisive steps to inform each of our customers about activating the security features already available in their tank gauges,” Andrew Hider, president of Veeder-Root, told SecurityWeek. “It is important to note that no unauthorized access of any kind has been reported by any of our customers in regard to our gauges, but we feel that any question regarding security is met with the appropriate resources to safeguard Veeder-Root customers.”
Kachoolie provides a service that allows users to test if their tank gauges are secure.
Operators are advised to use a VPN gateway or a dedicated hardware interface for connecting ATGs to monitoring services.
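An operator can check their own gateway for the exposure described above. The following is an added example, not code from Rapid7, Kachoolie or Veeder-Root: it audits an iptables-save dump for port forwards that map TCP port 10001 to an internal host without restricting the source to a VPN subnet. The rule excerpt, the 10.8.0.0/24 VPN subnet and the function names are assumptions made for illustration.

```python
import ipaddress
import shlex

ATG_PORT = 10001  # most common serial-to-TCP mapping, per the article
VPN_NET = ipaddress.ip_network("10.8.0.0/24")  # assumed VPN client subnet

# Constructed iptables-save excerpt (not taken from any real station).
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 10001 -j DNAT --to-destination 192.168.1.50:10001
-A PREROUTING -i eth0 -s 10.8.0.0/24 -p tcp -m tcp --dport 10001 -j DNAT --to-destination 192.168.1.51:10001
-A PREROUTING -i eth0 -p tcp -m tcp --dport 10000:10010 -j DNAT --to-destination 192.168.1.52
-A PREROUTING -i eth0 -s 0.0.0.0/0 -p tcp -m tcp --dport 10001 -j DNAT --to-destination 192.168.1.53:10001
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
COMMIT
"""

def _covers_atg_port(spec):
    """True if a --dport value (single port or lo:hi range) includes ATG_PORT."""
    lo, sep, hi = spec.partition(":")
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if sep else low)
    return low <= ATG_PORT <= high

def _opt(tokens, flag):
    """Value following `flag` in a tokenized rule, or None if absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def exposed_forwards(rules_text, allowed=VPN_NET):
    """Return (destination, source) for DNAT rules that expose ATG_PORT
    to sources outside `allowed`. Multiport (--dports) rules are not parsed."""
    findings = []
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "-A" or _opt(tokens, "-j") != "DNAT":
            continue
        dport = _opt(tokens, "--dport")
        if dport is None or not _covers_atg_port(dport):
            continue
        src = _opt(tokens, "-s")
        # "! -s net" means "everyone except net", which is still exposed.
        negated = src is not None and tokens[tokens.index("-s") - 1] == "!"
        if src and not negated and ipaddress.ip_network(src, strict=False).subnet_of(allowed):
            continue  # forward is limited to the VPN subnet
        label = "any" if src is None else ("! " + src if negated else src)
        findings.append((_opt(tokens, "--to-destination"), label))
    return findings

if __name__ == "__main__":
    for dest, src in exposed_forwards(SAMPLE_RULES):
        print(f"port {ATG_PORT} forwarded to {dest} from source {src}")
```

Any rule it reports should be removed or narrowed so that the gauge is reachable only through the VPN gateway.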