Thousands of automated tank gauges (ATGs) used by fuel stations around the US are at risk of malicious attacks because they are connected to the Internet without any password protection.

Dangerously Vulnerable Automated Tank Gauges

An attacker with access to these devices would be able to reset the system, report erroneous data, generate false alarms and lock others out, security vendor Rapid7 said in a blog post.

“An attack may be able to prevent the use of the fuel tank entirely by changing access settings and simulating false conditions, triggering a manual shutdown,” Rapid7 Chief Security Officer HD Moore wrote in the post.

Kachoolie, a company that helps fuel stations enable Internet connectivity on ATGs, alerted Rapid7 to this vulnerability earlier this month. In response, Rapid7 conducted a global Internet scan for exposed ATGs and discovered that 5,800 of them could be freely accessed on the Internet without any passwords to protect them.

Of that number, 5,300 were located in retail fuel stations, truck stops and convenience stores scattered around the United States. Vulnerable pumps were found in locations belonging to several major brands and franchises.

Asset Management and Alerting System

An ATG is a fuel asset management system that helps operators keep tabs on fuel levels in a tank and warns them about leaks and other potentially hazardous conditions. Veeder-Root, one of the largest ATG providers in the country, describes its ATGs as systems that help fuel stations avoid runouts and haulbacks, quickly troubleshoot and diagnose problems and issue alerts based on specific conditions.

Fuel station owners often connect their ATGs to the Internet via Transmission Control Protocol/Internet Protocol (TCP/IP) cards or a serial port server so they can be remotely controlled and managed over the Web, Moore said. However, in doing so, many do not implement any password protection, leaving the control ports on the devices completely open for anyone to access via the Web.

Big Risk

Attackers could reconfigure alarm thresholds, disrupt fuel tank operations, change access settings and simulate false-alarm conditions to prompt a manual shutdown. According to Moore, an attacker could potentially shut down more than 5,300 U.S. fueling stations with little effort.

So far, Moore said, there is no indication that any vulnerable ATGs are actually being maliciously exploited. However, it would be hard for anyone to tell the difference between a fuel tank problem caused by a malicious attack and one resulting from a system failure.

Internet of Things Will Exacerbate Problems

Such issues could become much more prevalent as more devices and “things” are connected to the Internet in coming years. Analyst firms such as Gartner and IDC estimate that anywhere between 26 billion and a staggering 212 billion devices — from connected cars, smart meters and intelligent lighting systems to smart watches and jewelry — will be IP-enabled by 2020.

Many of these devices will have embedded operating systems and use a diverse range of communication protocols to connect to the Internet. Some systems will have built-in connectivity out of the box while others will need to be activated. “Ghost” devices with unused Internet connectivity will be common, according to Gartner. The challenges associated with managing these devices in a secure manner will be enormous and often beyond the capabilities of traditional IT departments, the analyst firm warned in an alert last year on the security concerns associated with the Internet of Things (IoT).

The IoT trend will force chief information security officers (CISOs) to reevaluate current approaches to IT security and drive sweeping changes in areas such as application testing, identity and access management and vulnerability testing. To secure the IoT, CISOs will have to blend mobile and cloud security strategies as well as approaches used to protect industrial control, physical security and automation equipment.
