Editörün yazısı buraya gelecek
The Internet of Gas Station Tank Gauges:
In 2015, HD Moore, the creator of Metasploit, published an article disclosing over 5,800 gas station Automated Tank Gauges (ATGs) which were publicly accessible. Besides monitoring for leakage, these systems are also instrumental in gauging fluid levels, tank temperature, and can alert operators when tank volumes are too high or have reached a critical low. ATGs are utilized by nearly every fueling station in the United States and tens of thousands of systems internationally. They are most commonly manufactured by Veeder-Root, a supplier of fuel dispensers, payment systems, and forecourt merchandising. For remote monitoring of these fuel systems, operators will commonly configure the ATG serial interface to an internet-facing TCP port (generally set to TCP 10001).
The process for accessing these systems is quite simple: telnet to the port and issue documented TLS-350 or TLS-250 commands to execute everything from setting alarm thresholds to editing sensor configurations and running tank tests. While tools such as Nmap and Metasploit include scripts for enumerating these devices, the functionality is generally limited to In-Tank Inventory Reports and System Status Reports. These scripts are good for reconnaissance, but what if an attacker decided to prevent the use of the fuel tank entirely by changing access settings and simulating false conditions, triggering a manual shutdown? Could a distributed attack of this magnitude leave the nation crippled? With this question in mind, I set out to discover how these devices’ attack surface has evolved since 2015.
Understanding the Potential Attack Surface:
My first stop, as usual, was Shodan — a search engine for internet-connected devices. Searching for systems with an open TCP port on 10001, I quickly narrowed down the false positives to devices that responded to Shodan’s crawler with In-Tank Inventory Reports. This revealed over 11,000 ATGs in August of 2022; the image below displays trend data from publicly accessible ATGs from 2017 to 2022.