Rapid7 researchers recently found that approximately 5,800 automated tank gauges (ATGs), which are used to monitor fuel tanks at gas stations, were exposed online without a password. More than 5,300 of those are in the U.S., meaning that ATGs at about 3 percent of the approximately 150,000 gas stations nationwide are exposed.
"In our opinion, remote access to the control port of an ATG could provide an attacker with the ability to reconfigure alarm thresholds, reset the system, and otherwise disrupt the operation of the fuel tank," Rapid7 chief research officer HD Moore wrote in a blog post detailing the issue. "An attack may be able to prevent the use of the fuel tank entirely by changing access settings and simulating false conditions, triggering a manual shutdown."
"Theoretically, an attacker could shut down over 5,300 fueling stations in the United States with little effort," Moore added.
The majority of the exposed ATGs, according to Moore, are manufactured by leading vendor Veeder-Root, and are located in California, Connecticut, Florida, Illinois, Maryland, New York, Pennsylvania, Tennessee, Texas and Virginia.
While the researchers don't think the issue is being exploited in the wild, Moore said it would be hard to tell the difference between an attack and a system failure. "Public documentation from Vedeer-Root provides detailed instructions on how to manipulate ATGs using the serial interface, which also applies to the TCP/IP interface on port 10001," he wrote. "No special tools are necessary to interact with exposed ATGs."
Rapid7 is advising operators to consider using a VPN gateway or other dedicated hardware interface to connect ATGs with monitoring services. Less secure alternatives, the researchers note, including applying source IP address filters or setting a password on each serial port.
In response to Rapid7's announcement, Andrew Hider, president of ATG vendor Veeder-Root, told Kaspersky Lab's Brian Donohue that security, accuracy and reliability are key priorities for his company. "We have taken immediate and decisive steps to inform each of our customers about activating the security features already available in their tank gauges," he said.
"It is important to note that no unauthorized access of any kind have been reported by any of our customers in regard to our gauges, but we feel that any question regarding security is met with the appropriate resources to safeguard Veeder-Root customers," Hider added.