Internet-connected gas stations are a thing, and hackers can
remotely disable their pumps
The automated tank gauge is a prime
example of the market being ill-prepared for the IoT
As more objects join the ranks of Internet-connected
devices known as the Internet of Things, the number of
attack vectors accessible to hackers is skyrocketing. One
such vulnerability was recently discovered in the link
between the automated tank gauge (ATG), a device used to
monitor gasoline levels at American gas stations, and the
routers they are connected to. Poor security protocols
permit online attackers to hack into the device and disrupt
gas station service by tampering with the fuel monitoring
systems or even disabling fuel pumps.
“One could change the calibration and make the tank report
full or empty, and if you report the tank is full, no one is
going to order fuel,” stated Jack Chadowitz, founder of
control-system monitoring service BostonBase, which first
identified the flaw.
The flawed setup could impact as many as 115,000 fueling
stations across the US, although only 5,300 are blatantly
vulnerable, stated the security firm Rapid7, after it
conducted scans earlier in January. The underlying issue
stems from the fact that the majority of petrol stations are
independently owned mom-and-pop shops with little to no
technical expertise, often employing off-the-shelf home
routers that have been poorly set up to accommodate the ATG,
states HD Moore, chief research officer at Rapid7.
“By connecting them to the Internet, mom-and-pop gas station
owners are going to get hit with the same problems that
regular consumers have. The problem is that these devices
are doing something important, moderating tank levels of
these gas stations.”
Securely configuring the ATG requires a serial-to-TCP/IP
card, proper port forwarding, and a static IP address: in
other words, a level of technical know-how unavailable to
the majority of gas station owners. Since gas station owners
use consumer-grade Internet providers, the IP address at gas
stations will frequently change, causing operational issues
for monitoring services and components, such as tank gauges,
Chadowitz tells Ars Technica.
To avoid complications, most operators have opted to use a
polling service that verifies tank levels by calling into a
modem connected to the tank gauge, rather than relying on
always-connected gauges. Unfortunately, Rapid7's Moore
notes that while modem-based gauges did not show up on
the scan, those gauges are equally vulnerable to attacks
that dial into the service.
However, the primary reason a gas station operator would
want an Internet-connected ATG in the first place is
that it enables a heightened level of transparency when
monitoring fuel reserves, allowing operators to accurately
quantify them in real time and replenish stock only when the
cost is low, rather than on a steady delivery schedule.
What's more, the most common ATG — manufactured by
Veeder-Root — may be protected by a six-character password,
yet Rapid7's scans reveal that the majority have not had
one configured.
According to Ars Technica, Veeder-Root's president, Andrew
Hinder, responded to Rapid7's research by immediately
notifying its customers about the importance of activating
the security features available on their gauges.