Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

1/26/2015
05:50 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Gas Stations Urged To Secure Internet-Exposed Fuel Tank Devices

Researchers find more than 5,000 US gas stations' automated tank gauges unprotected on the public Internet and open to hackers.

Medical devices, traffic light control systems, HVAC systems, programmable logic controllers, web servers, home routers, and now, automated gasoline tank gauge devices, the latest brand of device found exposed and unsecured on the public Internet.

Some 5,800 automated tank gauges, which monitor for fuel leaks and other problems with the tanks as well as fuel levels, recently were found sitting wide open on the Internet without password protection, leaving more than 5,000 gas stations in the US vulnerable to attackers who could remotely alter the alarm thresholds to simulate a leak, disrupt the fuel tank operations, and worst-case, wreak havoc by shutting down the gas stations altogether, researchers say.

Rapid 7 chief research officer HD Moore says his team scanned for the vulnerable devices after getting a heads up from Jack Chadowitz, president and CEO of Kachoolie and BostonBase Inc., who first detected the problem. "He wasn't sure if it was a serious problem" that went beyond his own clients, Moore says, so he reached out to Rapid 7, which conducted an Internet-wide scan for the devices with TCP port 10001 open to the Net.

Moore and his team sent a "get in-tank inventory report" request to all of the IPv4 addresses with an open TCP port 10001: In response, they got station names, addresses, numbers of fuel tanks, tank levels, and fuel types. While the overall discovery of vulnerable devices at 5,300 gas stations represents a mere 3% of the around 150,000 gas stations in the US, the finding is yet another example of the potential physical dangers of industrial systems and other devices exposed on the Internet.

"By swapping a metric [in the gauge], it would be easy for someone to cause some sort of havoc," Moore says.

Chadowitz, whose company provides monitoring services for gas stations and other businesses, says Vedeer-Root is the main vendor of these gauges, so it wouldn't take much for an attacker to wage a widespread assault. "Because they're so popular, if someone wanted to break in, [he] would get a lot of targets," he says. "These gauges could be a target, and could shut down 5,000 gas stations in the US."

Vedeer-Root says it has alerted all of its fuel gauge customers on how to set up existing security features in the tank gauges, and that none of its customers have reported any "unauthorized access" to their gauges.

Moore says the issue stems from tank gauge vendors not instituting security by default -- namely a VPN gateway-based connection to the devices and authentication. The affected gas stations mostly were small, independently owned ones who typically don't have the tech know-how or funds to pay for a higher-end secure system, he says. "Vendors have to charge more money for a ... VPN gateway. But customers don't want to pay more if they don't have to" or can't afford to, Moore says.

The best practice would be a VPN gateway or another dedicated hardware interface to connect the ATG devices to third parties that monitor their fuel inventory, maintenance, or environmental compliance. At the least, they should password-protect the serial port and apply source IP address filters, according to Moore.

Prior to Rapid 7's blog post on the findings going public on Friday afternoon, Kachoolie and BostonBase's Chadowitz says one of his customers had heard there was a security alert for the gauges that appeared to indicate a hack of some sort. It turned out several stations had been reporting these alerts on their devices, and a technician for the products said he had been getting calls about the alert, something that rarely if ever had been seen on the gauges.

Chadowitz says it appears the alerts appear to be from from Vedeer-Root in order to inform its customers of the security issue detected by Rapid 7. "I think they were alerting their customers this way," he says, even though it caused plenty of confusion and consternation among station owners, he says.

As of this posting, Vedeer-Root had not responded directly to a press inquiry about those reported alerts. The company did release a statement from its president:

"Security, accuracy and reliability are top priorities at Veeder-Root. We have taken immediate and decisive steps to inform each of our customers about activating the security features already available in their tank gauges. It is important to note that no unauthorized access of any kind have been reported by any of our customers in regard to our gauges, but we feel that any question regarding security is met with the appropriate resources to safeguard Veeder-Root customers," said Andrew Hider, president of Veeder-Root.

Meanwhile, a Vedeer-Root document for its customers recommends either password-protecting the ATG's Internet port or placing the device behind a firewall. The catch with a password, however, is that it would need to be provided to the gas station's monitoring service providers, such as a fuel hauler or remote polling service, so they can access it for their monitoring purposes, according to the customer guidance document.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
JJack154
50%
50%
JJack154,
User Rank: Apprentice
2/5/2015 | 11:25:16 AM
Re: Thermostats
Security by Obscurity is practiced on a broad scale by many industries, even though by today's best practices model, it's considered No Security at all.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/31/2015 | 8:55:18 PM
Re: Thermostats
How silly -- especially if the contracts aren't making considerations for those that require them to front some of the security costs.  My two cents, anyway.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
1/29/2015 | 7:59:22 AM
Re: Thermostats
@Joe Stanganelli, their suppliers (oil companies) and partners (environmental compliance monitoring) require them, from what I understand.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/28/2015 | 10:35:52 PM
Re: Thermostats
Which brings up the question: Why the heck are they using any sort of modern "smart" gas system that has Internet/satellite connection if they can't afford the proper security for it?  Since when do you NEED the ditgab Internet for a gas pump?!?!?!?

The "smarter" the devices become, the stupider people get.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/27/2015 | 2:55:16 PM
Re: Thermostats
I was thinking that exact same "thing," Dave (forgive the pun)
David Wagner
50%
50%
David Wagner,
User Rank: Black Belt
1/27/2015 | 2:00:46 PM
Re: Thermostats
Thanks, Kelly. There is a business opportunity here then. Sort of like the way public cloud helps small businesses compete with larger ones. Bring secure IoT to small businesses at a cheap price. I guess that's hard work, but it is good work.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/27/2015 | 8:48:14 AM
Re: Thermostats
I'm sure that we are only scratching about  security (or lack of security) surrounding the Internet of Things. Kelly's point about small businesses -- like a mom & pop convenient store or gas station -- being the most vulnerable is absolutely true. On the other hand, perhaps the small busineses would be less of a target for hackers. 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
1/27/2015 | 7:32:40 AM
Re: Thermostats
This is indeed a common theme of Internet of Things things, and more importantly, of industrial systems things. 

One reason for the vulnerability of these smaller gas stations is that they don't have the private WAN connections and satellite links larger gas station chains use--it's a financial issue, so they use a cheaper network connection/setup. I didn't go into this in the story, but this is a point that Jack Chadowitz brought up when I interviewed him.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/26/2015 | 9:51:41 PM
Re: Thermostats
Even major government systems are not immune.  See, e.g., pastebin.com/Wx90LLum
impactnow
50%
50%
impactnow,
User Rank: Strategist
1/26/2015 | 9:43:46 PM
Re: Thermostats

Dave agreed. I wonder how many of the gas station owners are aware of the vulnerability and just don't think it's an issue versus those that are completely unaware.

Page 1 / 2   >   >>
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5531
PUBLISHED: 2020-02-17
Mitsubishi Electric MELSEC C Controller Module and MELIPC Series MI5000 MELSEC-Q Series C Controller Module(Q24DHCCPU-V, Q24DHCCPU-VG User Ethernet port (CH1, CH2): First 5 digits of serial number 21121 or before), MELSEC iQ-R Series C Controller Module / C Intelligent Function Module(R12CCPU-V Ethe...
CVE-2020-7252
PUBLISHED: 2020-02-17
Unquoted service executable path in DXL Broker in McAfee Data eXchange Layer (DXL) Framework 6.0.0 and earlier allows local users to cause a denial of service and malicious file execution via carefully crafted and named executable files.
CVE-2020-9024
PUBLISHED: 2020-02-17
Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have world-writable permissions for the /root/cleardata.pl (executed as root by crond) and /root/loadperl.sh (executed as root at boot time) scripts.
CVE-2020-9025
PUBLISHED: 2020-02-17
Iteris Vantage Velocity Field Unit 2.4.2 devices have multiple stored XSS issues in all parameters of the Start Data Viewer feature of the /cgi-bin/loaddata.py script.
CVE-2020-9026
PUBLISHED: 2020-02-17
ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection via the PING field of the resource ping.cmd. The NTP-2 device is also affected.