January 26, 2015 By Jaikumar Vijayan

Thousands of automated tank gauges (ATGs) used by fuel stations around the US are at risk of malicious attacks because they are connected to the Internet without any password protection.

Dangerously Vulnerable Automated Tank Gauges

An attacker with access to these devices would be able to reset the system, report erroneous data, generate false alarms and lock others out, security vendor Rapid7 said in a blog post.

“An attack may be able to prevent the use of the fuel tank entirely by changing access settings and simulating false conditions, triggering a manual shutdown,” Rapid7 Chief Security Officer HD Moore wrote in the post.

Kachoolie, a company that helps fuel stations connect ATGs to the Internet, alerted Rapid7 to this vulnerability earlier this month. In response, Rapid7 conducted a global Internet scan for exposed ATGs and discovered that 5,800 of them could be freely accessed on the Internet without any passwords to protect them.

Of that number, 5,300 were located in retail fuel stations, truck stops and convenience stores scattered around the United States. Vulnerable pumps were found in locations belonging to several major brands and franchises.

Asset Management and Alerting System

An ATG is a fuel asset management system that helps operators keep tabs on fuel levels in a tank and warns them about leaks and other potentially hazardous conditions. Veeder-Root, one of the largest ATG providers in the country, describes its ATGs as systems that help fuel stations avoid runouts and haulbacks, quickly troubleshoot and diagnose problems and issue alerts based on specific conditions.

Fuel station owners often connect their ATGs to the Internet via Transmission Control Protocol/Internet Protocol (TCP/IP) cards or a serial port server so they can be remotely controlled and managed over the Web, Moore said. However, in doing so, many do not implement any password protection, leaving the control ports on the devices completely open for anyone to access via the Web.

Big Risk

Attackers could reconfigure alarm thresholds, disrupt fuel tank operations, change access settings and simulate false-alarm conditions to prompt a manual shutdown. According to Moore, an attacker could potentially shut down more than 5,300 U.S. fueling stations with little effort.

So far, Moore said, there is no indication that any vulnerable ATGs are actually being maliciously exploited. However, it would be hard for anyone to tell the difference between fuel tank problems caused by a malicious attack and those resulting from a system failure.

Internet of Things Will Exacerbate Problems

Such issues could become much more prevalent as more devices and “things” are connected to the Internet in coming years. Analyst firms such as Gartner and IDC estimate that anywhere between 26 billion and a staggering 212 billion devices — from connected cars, smart meters and intelligent lighting systems to smart watches and jewelry — will be IP-enabled by 2020.

Many of these devices will have embedded operating systems and use a diverse range of communication protocols to connect to the Internet. Some systems will have built-in connectivity out of the box while others will need to be activated. “Ghost” devices with unused Internet connectivity will be common, according to Gartner. The challenges associated with managing these devices in a secure manner will be enormous and often beyond the capabilities of traditional IT departments, the analyst firm warned in an alert last year on the security concerns associated with the Internet of Things (IoT).

The IoT trend will force chief information security officers (CISOs) to reevaluate current approaches to IT security and drive sweeping changes in areas such as application testing, identity and access management and vulnerability testing. To secure the IoT, CISOs will have to blend mobile and cloud security strategies as well as approaches used to protect industrial control, physical security and automation equipment.
