The Internet of Gas Station Tank Gauges:
The author of Metasploit, HD Moore, revealed more than 5,800 publicly accessible Automated Tank Gauges (ATGs) at gas stations in a 2015 post. These systems are essential for measuring fluid levels, tank temperature, and alerting operators when tank volumes are excessively high or critically low in addition to keeping an eye out for leaks. Nearly all-American filling stations and tens of thousands of other systems across the world use ATGs. Veeder-Root, a manufacturer of fuel dispensers, payment systems, and forecourt merchandise, is the company that produces them most frequently. Operators frequently configure the ATG serial interface to an internet-facing TCP port for remote monitoring of these fuel systems (generally set to TCP 10001).
The procedure for gaining access to these systems is pretty straightforward: simply telnet to the port and issue documented TLS-350 or TLS-250 commands to carry out tasks like modifying sensor setups, setting alarm thresholds, and doing tank checks. Although scripts for enumerating these devices are included in tools like Nmap and Metasploit, the functionality is often restricted to In-Tank Inventory Reports and System Status Reports. These scripts are useful for reconnaissance, but what if an attacker chose to disable the fuel tank completely by altering access settings and creating fictitious circumstances that led to a manual shutdown? Could a widespread attack of this size harm the country? I went out to find out how the attack surface of these devices has changed since 2015 with this question in mind.
Understanding the Potential Attack Surface:
Shodan, a search engine for internet-connected devices, was as usual my first destination. I quickly eliminated the false positives by looking for systems that were listening on TCP port 10001 and responding to Shodan’s crawler with In-Tank Inventory Reports. In August 2022, this showed approximately 11,000 ATGs; the graph below shows trend information from publicly available ATGs from 2017 to 2022.
I found that roughly two-thirds of the 11,000 ATGs are insecurely connected to the internet were located here!
Shodan graphically represented the relative geolocation of various systems as it dug deeper. This got me wondering: What if a malicious threat actor could simultaneously send a command to every single one of these ATGs? I started looking for a solution.
Assessing the Current Threat Landscape:
An attacker should have a solid understanding of readily available internet-connected ATGs to exploit these devices on a large scale. Over 85,000 devices using TCP port 10001 after an extensive internet scan.
Could a terrorist attack that quickly shut down more than 7,000 gas outlets in the US damage the country? I think the solution is obvious, but what can network operators and defenders do to reduce this risk? Operators should think about employing a VPN gateway or another specialized hardware interface to connect their ATGs with their monitoring service. Password-protecting each serial port or adding source IP address filters could help as a starting point.
All of them are workable answers, but knowledge is the first step in resolving the situation. It is unacceptable for the attack surface on key systems to have increased by about 100% in just 7 years. In 2015, HD Moore attempted to warn us. Let’s begin the defense.
