January 26, 2015 By Jaikumar Vijayan 3 min read

Thousands of automated tank gauges (ATGs) used by fuel stations around the US are at risk of malicious attacks because they are connected to the Internet without any password protection.

Dangerously Vulnerable Automated Tank Gauges

An attacker with access to these devices would be able to reset the system, report erroneous data, generate false alarms and lock others out, security vendor Rapid7 said in a blog post.

“An attack may be able to prevent the use of the fuel tank entirely by changing access settings and simulating false conditions, triggering a manual shutdown,” Rapid7 Chief Security Officer HD Moore wrote in the post.

Kachoolie, a company that helps fuel stations enable the Internet on ATGs, alerted Rapid7 of this vulnerability earlier this month. In response, Rapid7 conducted a global Internet scan for exposed ATGs and discovered 5,800 of them could be freely accessed on the Internet without any passwords to protect them.

Of that number, 5,300 were located in retail fuel stations, truck stops and convenience stores scattered around the United States. Vulnerable pumps were found in locations belonging to several major brands and franchises.

Asset Management and Alerting System

An ATG is a fuel asset management system that helps operators keep tabs on fuel levels in a tank and warns them about leaks and other potentially hazardous conditions. Veeder-Root, one of the largest ATG providers in the country, describes its ATGs as systems that help fuel stations avoid runouts and haulbacks, quickly troubleshoot and diagnose problems and issue alerts based on specific conditions.

Fuel station owners often enable their ATGs with the Internet via Transmission Control Protocol/Internet Protocol cards or a serial port server so they can be remotely controlled and managed over the Web, Moore said. However, in so doing, many do not implement any password protection, leaving the control ports on the devices completely open for anyone to access via the Web.

Big Risk

Attackers could reconfigure alarm thresholds, disrupt fuel tank operations, change access settings and simulate false-alarm conditions to prompt a manual shutdown. According to Moore, an attacker could potentially shut down more than 5,300 U.S. fueling stations with little effort.

So far, Moore said, there is no indication that any vulnerable ATGs are actually being maliciously exploited. However, it would be hard for anyone to tell the difference between fuel tank problems caused by a malicious attack and one resulting from a system failure.

Internet of Things Will Exacerbate Problems

Such issues could become much more prevalent as more devices and “things” are connected to the Internet in coming years. Analyst firms such as Gartner and IDC estimate that anywhere between 26 billion and a staggering 212 billion devices — from connected cars, smart meters and intelligent lighting systems to smart watches and jewelry — will be IP-enabled by 2020.

Many of these devices will have embedded operating systems and use a diverse range of communication protocols to connect to the Internet. Some systems will have built-in connectivity out of the box while others will need to be activated. “Ghost” devices with unused Internet connectivity will be common, according to Gartner. The challenges associated with managing these devices in a secure manner will be enormous and often beyond the capabilities of traditional IT departments, the analyst firm warned in an alert last year on the security concerns associated with the Internet of Things (IoT).

The IoT trend will force chief information security officers (CISOs) to reevaluate current approaches to IT security and drive sweeping changes in areas such as application testing, identity and access management and vulnerability testing. To secure the IoT, CISOs will have to blend mobile and cloud security strategies as well as approaches used to protect industrial control, physical security and automation equipment.

More from

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today