A device used to monitor the gasoline levels at refueling stations across the United States—known as an automated tank gauge or ATG—could be remotely accessed by online attackers, manipulated to cause alerts, and even set to shut down the flow of fuel, according to research to be published on Thursday.
The security weakness—identified by Jack Chadowitz, a former process control engineer and founder of control-system monitoring service BostonBase—could theoretically affect the devices at many of the approximately 115,000 fueling stations in the United States, but only a small fraction of those systems—about 5,300—appear to be vulnerable to an Internet attack, according to security firm Rapid7, which conducted a scan for such devices on January 10. While automated tank gauges are typically accessed to monitor fuel inventories, so as to know when to order gasoline, attackers could also access the settings, Chadowitz said.
“One could change the calibration and make the tank report full or empty,” he told Ars. “If you report the tank is full, no one is going to order fuel.”
In the worst case, an attacker could cause the gauge to report a leak, which would shut down the pumps, Chadowitz said.
The vulnerability of the gauges used to monitor gasoline tanks is the latest security issue plaguing consumer and industrial devices that are increasingly being connected to the Internet. Often called the Internet of Things, connecting such technology to the wider Internet poses security risks because many of the devices were created without much thought to security. Most gas stations are independently owned, have razor-thin margins, and tend to be run by owners who are not very technically savvy, said HD Moore, chief research officer at Rapid7.
“If you look at these gas stations, they are using off-the-shelf home routers from Best Buy,” he said. “By connecting them to the Internet, mom-and-pop gas station owners are going to get hit with the same problems that regular consumers have. The problem is that these devices are doing something important, moderating tank levels of these gas stations.”
Because most gas stations are not owned by gas companies but by independent operators who are very focused on the bottom line, reliable Internet connections are not common. Connecting tank gauges to the Internet allows fast monitoring of inventories, but can be complex, requiring a serial-to-TCP/IP card, configuring of port forwarding on the station’s router, and requiring a more expensive static IP. Because gas station owners use consumer-level Internet providers, the network configuration at gas stations will often change, causing operational issues for monitoring services and components, such as tank gauges, BostonBase’s Chadowitz says.
For that reason, most gas stations use a polling service that calls into a modem connected to their gas-tank gauge, rather than have the gauges always connected to the Internet. Those gauges were not detected by the Rapid7 scans, but are likely vulnerable to an attacker dialing directly into the service, Rapid7’s Moore said.
The most common type of tank gauges are manufactured by Simsbury, CT-based industrial-technology maker Veeder-Root. While they can be protected by a six-character password, most are not. Moreover, the password is communicated in the clear and can be gleaned by eavesdropping, according to BostonBase’s Chadowitz.
Veeder-Root is currently assessing the claims, but stresses that the company is serious about security and has notified customers.
“Security, accuracy and reliability are top priorities at Veeder-Root,“ Andrew Hider, president of Veeder-Root, said in a statement sent to Ars. ”We have taken immediate and decisive steps to inform each of our customers about activating the security features already available in their tank gauges. It is important to note that no breaches of any kind have been reported by any of our customers in regard to our gauges, but we feel that any question regarding security is met with the appropriate resources to safeguard Veeder-Root customers.”
Like many other types of industrial control systems, the fundamental problem is that the communication protocols for the tank-monitoring equipment were created about two decades ago, a time when security was an afterthought. As more security researchers focus on operational technology and as more industrial professionals gain security expertise, similar issues will likely be found, Rapid7’s Moore said.
“I think these type of issues will become more common, especially as you see experts in these fields getting involved in security,” he said. “This is a good example of an industry that has not really grown up, security-wise.