More than 5,000 devices used to operate gas stations across the United States were found vulnerable to dangerous Internet attacks, revealed a security researcher this week.
The flaw was found in the gas stations’ automated tank gauges, or ATGs, which raise alarms indicating an issue with the tank or gauge, such as a fuel spill. The devices also serve to monitor fuel tank inventory levels, track deliveries, as well as perform leak tests for environmental regulatory purposes.
After running an Internet-wide scan on January 10, Moore discovered that nearly 5,800 ATGs were exposed to the Internet with no password set. Furthermore, Moore found that 5,300 of these ATGs are located in the United States.
Several major brands and franchises were amongst the list of affected systems, and stations, which has since been shared with ICS-CERT.
Many ATGs can be programmed and monitored through a built-in serial port, a plug-in serial port, a fax or modem, or a TCP/IP circuit board, explained security researcher HD Moore in a blog post.
“In order to monitor these systems remotely, many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port. The most common configuration is to map these to TCP port 10001. Although some systems have the capability to password protect the serial interfaces, this is not commonly implemented.”
“Remote access to the control port of an ATG could provide an attacker with the ability to reconfigure alarm thresholds, reset the system, and otherwise disrupt the operation of the fuel tank,” warned Moore.
“An attack may be able to prevent the use of the fuel tank entirely by changing access settings and simulating false conditions, triggering a manual shutdown. Theoretically, an attacker could shut down over 5,300 fueling stations in the United States with little effort.”
Tripwire security analyst Ken Westin said this instance is another reminder that when everything is connected, everything is vulnerable:
“Many industrial sensors are increasingly becoming connected to the Internet, either through embedded systems or through add-on components, which increases the risk substantially particularly when proper care is not taken with regards to securing the device and network they connect to.”
Although the attack doesn’t appear to be currently exploited in the while, the security researcher recommends operators take action to help mitigate or remediate the issue, such as using a VPN (virtual private network) gateway or other dedicated hardware interface to connect the ATG with their monitoring service. Other less-secure options include applying source IP address filters or setting a password on each serial port.