A recent research conducted by HD Moore of Rapid7 revealed a disconcerting truth, the Automated tank gauges (ATGs) used to prevent fuel leaks at more than 5,000 gas stations in the US are vulnerable to remote cyber attacks that could completely shut down the stations using vulnerable ATGs.
Fortunately, according to Rapid7, hackers haven’t yet exploited the vulnerabilities in the wild.
The gauges are manufactured by Veeder-Root that once informed about the risks confirmed that is working to introduce additional security features.
“We have taken immediate and decisive steps to inform each of our customers about activating the security features already available in their tank gauges. It is important to note that no unauthorized access of any kind have been reported by any of our customers in regard to our gauges, but we feel that any question regarding security is met with the appropriate resources to safeguard Veeder-Root customers.” said Andrew Hider, president of Veeder-Root.
The Automated tank gauges (ATGs) are used to monitor the level of fuel in the gas station storage tanks and trigger alarms when the fuel tanks are overfilled.
“Many ATGs can be programmed and monitored through a built-in serial port, a plug-in serial port, a fax/modem, or a TCP/IP circuit board,” explained Moore in a post published Security Street blog. “In order to monitor these systems remotely, many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port. The most common configuration is to map these to TCP port 10001.”
According to Moore, there are 5,800 ATGs worldwide connected to the Internet without password protection, and 5,300 of those are located in the US.
An attacker could easily hack into ATGs remotely, but Moore also explained that a bad actor with access to the serial port interface interferes with the information reported by the Automated tank gauges, in this way the attacker can trigger false alarms and shut the stations down.
The greatest number of vulnerable Automated tank gauges is in New York, Texas and Florida.
The experts at Rapid7 discovered the vulnerable gauges by scanning the Internet searching for services exposing port 10001.
“An unknown number of ATGs are exposed through modem access,” Moore wrote. “The majority of the ATGs appear to be manufactured by Vedeer-Root, one of the largest vendors in this space, and were identified on IP ranges associated with consumer broadband services.”
Moore also provides a series of recommendations to protect the Automated tank gauges:
“Operators should consider using a VPN gateway or other dedicated hardware interface to connect their ATGs with their monitoring service,” Moore said. “Less-secure alternatives including applying source IP address filters or setting a password on each serial port.”
(Security Affairs – Automated tank gauges, hacking)