Internet-connected gas stations are a thing, and hackers can remotely disable their pumps

The automated tank gauge is a huge example of the market being ill prepared for the IoT


As additional objects join the cult of Internet-connected devices known as the Internet of Things, the number of attack vectors accessible to hackers is skyrocketing. One such vulnerability was recently discovered in the link between the automated tank gauge (ATG), a device used to monitor gasoline levels at American gas stations, and the routers these gauges are connected to. Poor security protocols permit online attackers to hack into the device and disrupt gas station service by tampering with the fuel monitoring systems or even disabling fuel pumps.

“One could change the calibration and make the tank report full or empty, and if you report the tank is full, no one is going to order fuel,” stated Jack Chadowitz, founder of control-system monitoring service BostonBase, which first identified the flaw.

The flawed setup could impact as many as 115,000 fueling stations across the US, although only 5,300 are blatantly vulnerable, stated the security firm Rapid7 after it conducted scans earlier in January. The underlying issue stems from the fact that the majority of petrol stations are independently owned mom-and-pop shops with little to no tech savvy, often employing off-the-shelf home routers that have been poorly set up to accommodate the ATG, states HD Moore, chief research officer at Rapid7.

“By connecting them to the Internet, mom-and-pop gas station owners are going to get hit with the same problems that regular consumers have. The problem is that these devices are doing something important, moderating tank levels of these gas stations.”

Securely configuring the ATG requires a serial-to-TCP/IP card, proper port forwarding, and a static IP address: essentially, a level of technical know-how unavailable to the majority of gas station owners. Since gas station owners use consumer-grade Internet providers, the IP address at gas stations will frequently change, causing operational issues for monitoring services and components such as tank gauges, Chadowitz tells Ars Technica.

To avoid complications, most operators have opted to use a polling service that verifies tank levels by calling into a modem connected to the tank gauge, rather than relying on always-connected gauges. Unfortunately, Rapid7's Moore mentions that while modem-based gauges did not show up on the scan, they are equally vulnerable to attacks that dial into the service.

However, the primary reason a gas station operator would want an Internet-connected ATG in the first place is that it enables a heightened level of transparency when monitoring fuel reserves, allowing operators to accurately quantify stock in real time and replenish it only when the cost is low, rather than on a steady delivery schedule.

What's more, the most common ATG, manufactured by Veeder-Root, may be protected by a six-character password, yet Rapid7's scans reveal that the majority have not had one configured.

According to Ars Technica, Veeder-Root's president, Andrew Hinder, responded to Rapid7's research by immediately notifying the company's customers about the importance of activating the security features available on their gauges.

Via Ars Technica