The Internet of Gas Station Tank Gauges:
This post is a part of Cyborg Security’s guest threat hunter series, where we invite talented threat hunting professionals to contribute interesting content for the broader cyber security community. If you would like to participate, contact us here!
In 2015, HD Moore, the creator of Metasploit, published an article disclosing over 5,800 gas station Automated Tank Gauges (ATGs) which were publicly accessible. Besides monitoring for leakage, these systems are also instrumental in gauging fluid levels, tank temperature, and can alert operators when tank volumes are too high or have reached a critical low. ATGs are utilized by nearly every fuelling station in the United States and tens of thousands of systems internationally. They are most commonly manufactured by Veeder-Root, a supplier of fuel dispensers, payment systems, and forecourt merchandising. For remote monitoring of these fuel systems, operators will commonly configure the ATG serial interface to an internet-facing TCP port (generally set to TCP 10001).
The process for accessing these systems is quite simple: telnet to the port and issue documented TLS-350 or TLS-250 commands to execute everything from setting alarm thresholds to editing sensor configurations and running tank tests. While tools such as Nmap and Metasploit include scripts for enumerating these devices, the functionality is generally limited to In-Tank Inventory Reports and System Status Reports. These scripts are good for reconnaissance, but what if an attacker decided to prevent the use of the fuel tank entirely by changing access settings and simulating false conditions, triggering a manual shutdown? Could a distributed attack of this magnitude leave the nation crippled? With this question in mind, I set out to discover how these devices’ attack surface has evolved since 2015.
Understanding the Potential Attack Surface:
My first stop, as usual, was Shodan — a search engine for internet-connected devices. Searching for systems with an open TCP port on 10001, I quickly narrowed down the false positives to devices that responded to Shodan’s crawler with In-Tank Inventory Reports. This revealed over 11,000 ATGs in August of 2022; the image below displays trend data from publicly accessible ATGs from 2017 to 2022.
With potentially 11,000 ATGs insecurely connected to the internet, I discovered that nearly two out of every three devices resided in the United States!
Drilling down deeper, Shodan graphically displayed the relative geolocation of these systems. This got me thinking, what if a malicious threat actor could issue one command to all of these ATGs simultaneously? With my curiosity piqued, I set out to find the answer.
Assessing the Current Threat Landscape:
For a malicious threat actor to exploit these devices on a mass scale, the adversary would require a thorough understanding of easily accessible internet-connected ATGs. After conducting an internet wide scan, over 85,000 devices were identified to be utilizing TCP port 10001.
root@RoseSecurity# cat ATG_SCAN_COMPLETE.txt | wc -l85104
To enumerate the devices utilizing TCP port 10001 as potential ATGs, I constructed a Python script to read the output file of IP addresses before sending a Get In-Tank Inventory Report request (I20100) to every IPv4 address that had TCP port 10001 open. After determining which devices were ATGs, these IP addresses were outputted to a new file named ATG_DEVICES.txt.
After running the contents of the file against the script, lo and behold, over 11,000 publicly accessible ATGs continue to exist in the wild, but while a Get In-Tank Inventory Report request (I20100) may seem benign, what if an attacker simultaneously sent one of the other 600 documented function codes to every internet-connected ATG?
Could an attacker shutting down over 7,000 fuelling stations in the United States with little effort leave the nation crippled? I believe the answer is clear, but what can network defenders and operators do to mitigate this risk? To start, password protecting each serial port or applying source IP address filters could help, but operators should consider using a VPN gateway or other dedicated hardware interface to connect their ATGs with their monitoring service. While these are all viable solutions, the first step toward to remediating this crisis begins with awareness. For an attack surface of critical systems to increase by nearly 120% over 7 years is unacceptable. HD Moore tried to warn us in 2015. Let’s start defending!