Medical devices, traffic light control systems, HVAC systems, programmable logic controllers, web servers, home routers, and now automated gasoline tank gauges: the latest class of device found exposed and unsecured on the public Internet.
Some 5,800 automated tank gauges (ATGs), which track fuel levels and monitor for leaks and other tank problems, were recently found sitting wide open on the Internet without password protection, leaving more than 5,000 US gas stations vulnerable to attackers who could remotely alter alarm thresholds to simulate a leak, disrupt tank operations, and, in the worst case, shut down gas stations altogether, researchers say.
Rapid7 chief research officer HD Moore says his team scanned for the vulnerable devices after getting a heads-up from Jack Chadowitz, president and CEO of Kachoolie and BostonBase Inc., who first detected the problem. "He wasn't sure if it was a serious problem" that went beyond his own clients, Moore says, so he reached out to Rapid7, which conducted an Internet-wide scan for devices with TCP port 10001 open to the Net.
Moore and his team sent a "get in-tank inventory report" request to every IPv4 address with TCP port 10001 open. In response, they got station names, addresses, numbers of fuel tanks, tank levels, and fuel types. While the roughly 5,300 gas stations found with a vulnerable device represent a mere 3% of the approximately 150,000 gas stations in the US, the finding is yet another example of the potential physical dangers of industrial systems and other devices exposed on the Internet.
"By swapping a metric [in the gauge], it would be easy for someone to cause some sort of havoc," Moore says.
Chadowitz, whose company provides monitoring services for gas stations and other businesses, says Veeder-Root is the main vendor of these gauges, so it wouldn't take much for an attacker to mount a widespread assault. "Because they're so popular, if someone wanted to break in, [he] would get a lot of targets," he says. "These gauges could be a target, and could shut down 5,000 gas stations in the US."
Veeder-Root says it has alerted all of its fuel gauge customers on how to set up the existing security features in the tank gauges, and that none of its customers have reported any "unauthorized access" to their gauges.
Moore says the issue stems from tank gauge vendors not providing security by default, namely authentication and a VPN gateway-based connection to the devices. The affected gas stations were mostly small, independently owned ones that typically lack the technical know-how or the funds to pay for a higher-end secure system, he says. "Vendors have to charge more money for a ... VPN gateway. But customers don't want to pay more if they don't have to" or can't afford to, Moore says.
The best practice would be a VPN gateway or another dedicated hardware interface between the ATG and the third parties that monitor its fuel inventory, maintenance, or environmental compliance. At a minimum, operators should password-protect the gauge's serial command interface and apply source IP address filters so that only known monitoring hosts can reach it, according to Moore.
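The following is an added example, not code from Rapid7, Veeder-Root or this article: a self-audit probe that reproduces the "get in-tank inventory report" exchange described earlier against a single gauge you own, plus a parser for the reply, so a station operator or monitoring provider can confirm that the password and source-IP mitigations just listed actually stop an unauthenticated request. It assumes, beyond what the article states, that the gauge uses TLS-350-style framing (SOH 0x01, a command code, an ETX 0x03 terminator), that "I20100" is the in-tank inventory command, and that a gauge with a security code in force answers an unauthenticated command with a "9999" error. SAMPLE_REPLY is constructed to resemble such a report and was not captured from any real station.

```python
"""Self-audit probe and parser for an ATG listening on TCP 10001 (added example)."""
import re
import socket
from dataclasses import dataclass

ATG_PORT = 10001
SOH, ETX = b"\x01", b"\x03"
INVENTORY_CMD = b"I20100"  # assumed TLS-350 "in-tank inventory report" command

# One report row: tank number, product name (may contain spaces),
# three integer columns, then three decimal columns.
TANK_ROW = re.compile(
    r"^\s*(\d+)\s+(\S.*?)\s+(-?\d+)\s+(-?\d+)\s+(-?\d+)\s+"
    r"(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s*$"
)


@dataclass
class Tank:
    number: int
    product: str
    volume: int      # gross gallons
    tc_volume: int   # temperature-compensated gallons
    ullage: int      # remaining capacity
    height: float    # inches of product
    water: float     # inches of water at the tank bottom
    temp: float      # degrees F


# Constructed sample reply (not a real station); mirrors the fields the
# article says the scan returned: station name, address, tanks, levels, fuel types.
SAMPLE_REPLY = (
    b"\x01I20100\r\n"
    b"JAN 22, 2015 12:44 AM\r\n\r\n"
    b"EXAMPLE FUEL STOP\r\n"
    b"123 MAIN ST\r\n"
    b"ANYTOWN, US 00000\r\n\r\n"
    b"IN-TANK INVENTORY\r\n\r\n"
    b"TANK PRODUCT             VOLUME TC VOLUME   ULLAGE   HEIGHT    WATER     TEMP\r\n"
    b"  1  REGULAR               5544      5484     6475    44.09     0.00    71.38\r\n"
    b"  2  SUPER UNLEADED        2106      2076     5885    26.71     0.00    71.38\r\n"
    b"  3  DIESEL                7860      7798     2131    61.02     0.15    70.90\r\n"
    b"\x03"
)


def parse_inventory(raw: bytes) -> dict:
    """Split an inventory reply into timestamp, station header lines and Tank rows."""
    text = raw.strip(SOH + ETX).decode("latin-1")
    lines = [ln.rstrip() for ln in text.splitlines()]
    if "IN-TANK INVENTORY" not in lines:
        raise ValueError("not an in-tank inventory report")
    end = lines.index("IN-TANK INVENTORY")
    # lines[0] echoes the command, lines[1] is the timestamp; the station
    # header is whatever non-empty lines sit between that and the report title.
    station = [ln for ln in lines[2:end] if ln]
    tanks = []
    for ln in lines[end + 1:]:
        m = TANK_ROW.match(ln)  # the column-header line does not match
        if m:
            num, product, vol, tc, ull, hgt, water, temp = m.groups()
            tanks.append(Tank(int(num), product, int(vol), int(tc), int(ull),
                              float(hgt), float(water), float(temp)))
    return {"timestamp": lines[1], "station": station, "tanks": tanks}


def classify_reply(raw: bytes) -> str:
    """Turn a raw reply into an audit verdict."""
    if not raw:
        return "no reply (port filtered, or gauge silent)"
    if raw.lstrip(SOH).startswith(b"9999"):  # assumed rejection code
        return "command rejected (security code in force)"
    if b"IN-TANK INVENTORY" in raw:
        return "EXPOSED: inventory report returned without authentication"
    return "unrecognised reply"


def probe(host: str, port: int = ATG_PORT, timeout: float = 5.0) -> bytes:
    """Send the unauthenticated inventory request and collect the reply.
    Run this only against gauges you are authorised to test."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(SOH + INVENTORY_CMD + b"\n")
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
            if ETX in data:
                break
    return b"".join(chunks)


if __name__ == "__main__":
    import sys
    raw = probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPLY
    print(classify_reply(raw))
    if b"IN-TANK INVENTORY" in raw:
        report = parse_inventory(raw)
        print(" / ".join(report["station"]))
        for t in report["tanks"]:
            print(f"tank {t.number}: {t.product} {t.volume} gal, water {t.water} in")
```

Run it with no arguments to see the parser work on the constructed sample; run it with a host to test a gauge. After the password is set, the same probe should come back as "command rejected"; after the source IP filter or firewall is in place, it should come back as "no reply" from any host that is not on the monitoring provider's allowlist, and still succeed from one that is.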
Before Rapid7's blog post on the findings went public on Friday afternoon, Chadowitz says, one of his customers had heard of a security alert for the gauges that appeared to indicate a hack of some sort. It turned out that several stations had been reporting these alerts on their devices, and a technician for the products said he had been getting calls about the alert, something that rarely, if ever, had been seen on the gauges.
Chadowitz says the alerts appear to have come from Veeder-Root to inform its customers of the security issue detected by Rapid7. "I think they were alerting their customers this way," he says, even though it caused plenty of confusion and consternation among station owners.
As of this posting, Veeder-Root had not responded directly to a press inquiry about those reported alerts. The company did release a statement from its president:
"Security, accuracy and reliability are top priorities at Veeder-Root. We have taken immediate and decisive steps to inform each of our customers about activating the security features already available in their tank gauges. It is important to note that no unauthorized access of any kind has been reported by any of our customers in regard to our gauges, but we feel that any question regarding security is met with the appropriate resources to safeguard Veeder-Root customers," said Andrew Hider, president of Veeder-Root.
Meanwhile, a Veeder-Root document for its customers recommends either password-protecting the ATG's Internet port or placing the device behind a firewall. The catch with a password, however, is that it must be shared with the gas station's monitoring service providers, such as a fuel hauler or remote polling service, so they can access the gauge for their monitoring purposes, according to the customer guidance document.