A Theoretically Devastating Cyber Attack on America’s Gas Stations

The Internet of Gas Station Tank Gauges:

In 2015, HD Moore, the creator of Metasploit, published an article disclosing over 5,800 gas station Automated Tank Gauges (ATGs) that were publicly accessible. Besides monitoring for leakage, these systems gauge fluid levels and tank temperature, and can alert operators when tank volumes are too high or have reached a critical low. ATGs are used by nearly every fueling station in the United States, and tens of thousands of systems are deployed internationally. They are most commonly manufactured by Veeder-Root, a supplier of fuel dispensers, payment systems, and forecourt merchandising. For remote monitoring of these fuel systems, operators will commonly map the ATG serial interface to an internet-facing TCP port (generally set to TCP 10001).

The process for accessing these systems is quite simple: telnet to the port and issue documented TLS-350 or TLS-250 commands to execute everything from setting alarm thresholds to editing sensor configurations and running tank tests. While tools such as Nmap and Metasploit include scripts for enumerating these devices, the functionality is generally limited to In-Tank Inventory Reports and System Status Reports. These scripts are good for reconnaissance, but what if an attacker decided to prevent the use of the fuel tank entirely by changing access settings and simulating false conditions, triggering a manual shutdown? Could a distributed attack of this magnitude leave the nation crippled? With this question in mind, I set out to discover how these devices’ attack surface has evolved since 2015.
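An added example, not from the original article: a defender-side check over firewall logs that lists gauges whose TCP 10001 port accepted connections from sources outside an allowlist. The log format, the allowlisted networks, and every address in the sample are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

ATG_PORT = 10001  # TCP port the article says ATG serial interfaces are commonly mapped to

# Assumption: the only networks that should reach a gauge (internal ops, vendor range).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/28")]

# Constructed sample in a hypothetical format: ts src dst proto dport action bytes
SAMPLE_LOG = """\
2022-08-01T02:11:09Z 10.20.4.7 172.16.5.10 tcp 10001 allow 412
2022-08-01T02:14:51Z 198.51.100.23 172.16.5.10 tcp 10001 allow 977
2022-08-01T02:15:02Z 203.0.113.77 172.16.5.10 tcp 10001 deny 0
2022-08-01T03:40:18Z 203.0.113.77 172.16.5.11 tcp 10001 allow 1204
2022-08-01T03:41:00Z 198.51.100.23 172.16.5.11 tcp 443 allow 5310
2022-08-01T04:02:33Z 192.0.2.5 172.16.5.11 tcp 10001 allow 388
2022-08-01T04:09:47Z 198.51.100.99 172.16.5.10 tcp 10001 allow 640
truncated-record 198.51.100.1
"""


def find_atg_exposure(log_text, allowed=ALLOWED_SOURCES):
    """Map each gauge IP to the non-allowlisted sources whose TCP/10001
    connections were permitted, i.e. sessions that could issue gauge commands."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip blank or malformed records
        _ts, src, dst, proto, dport, action, _bytes = fields
        if proto != "tcp" or dport != str(ATG_PORT) or action != "allow":
            continue  # other services, or traffic the firewall already dropped
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # unparseable source address
        if any(src_ip in net for net in allowed):
            continue  # expected monitoring traffic
        hits[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


if __name__ == "__main__":
    for gauge, sources in find_atg_exposure(SAMPLE_LOG).items():
        print(f"{gauge}: TCP/{ATG_PORT} reachable from {', '.join(sources)}")
```

Any gauge in the output is reachable on its command interface from an unexpected network and is a candidate for moving behind a VPN or a source-restricted firewall rule.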

Understanding the Potential Attack Surface:

My first stop, as usual, was Shodan — a search engine for internet-connected devices. Searching for systems with TCP port 10001 open, I quickly narrowed the results down, past the false positives, to devices that responded to Shodan’s crawler with In-Tank Inventory Reports. This revealed over 11,000 ATGs in August of 2022; the image below displays trend data from publicly accessible ATGs from 2017 to 2022.