Anonymous HACKED GAS STATIONS - and could cause FUEL SHORTAGES

WE_ARE_LEGION features in high-octane exploit


Hackers – possibly affiliated with Anonymous – have already attacked at least one internet-connected gas (petrol) station pump monitoring system.

Evidence of malfeasance, uncovered by Trend Micro, comes three weeks after research about automated tank gauge vulnerabilities from Rapid7, the firm behind Metasploit.

Automated tank gauges (ATGs) are used to monitor fuel tank inventory levels, track deliveries, raise alarms that indicate problems with the tank or gauge (such as a fuel spill). The technology can also be used to perform leak tests. ATGs are used by nearly every fuelling station in the United States and tens of thousands of systems internationally.

ATGs can typically be programmed and monitored through a built-in serial port, a plug-in serial port, a fax/modem, or a TCP/IP circuit board. In order to facilitate remote monitoring over the internet, ATG serial interfaces are often mapped to an internet-facing port. This opens door to potential trouble, especially since serial interfaces are rarely password protected.

Rapid7 estimates that 5,800 ATGs are exposed to the internet without a password. Over 5,300 of these ATGs are located in the US. Put another way, around one in 30 of the 150,000 fuelling stations in the country are exposed to attack, leaving the door open to all sorts of mischief.

“An attacker with access to the serial port interface of an ATG may be able to shut down the station by spoofing the reported fuel level, generating false alarms, and locking the monitoring service out of the system,” Rapid7’s HD Moore warns. “Tank gauge malfunctions are considered a serious issue due to the regulatory and safety issues that may apply."

But what’s actually happening at the pump?

Independent researcher Stephen Hilt and Kyle Wilhoit, a senior threat researcher at Trend Micro, teamed up to investigate whether or not attackers were actively attempting to compromise these internet-facing gas pump monitoring systems.

In particular the duo looked at deployments of the Guardian AST Monitoring System, internet-ready kit designed to monitor inventory, pump levels, and assorted values of pumping systems typically found in gas stations. Shodan, the well-known search engine for Internet-connected devices, and popular port-scanning tool Nmap create a ready mechanism for interested parties to hunt for inter-connected petrol pump kit.

Hilt and Wilhoit discovered more than 1,515 vulnerable gas pump monitoring devices worldwide, less than a third of the figure logged by HD Moore last month. That would be reason for cautious optimism – except that the duo also uncovered evidence of tampered Guardian AST devices. The US-located system, left wide open on the net, had been hacked, apparently by mischief-makers, referencing one of ragtag hacker group Anonymous’s favourite catch phrases.

An attacker had modified one of these pump-monitoring systems in the US. This pump system was found to be internet facing with no implemented security measures. The pump name was changed from “DIESEL” to “WE_ARE_LEGION.” The group Anonymous often uses the slogan “We Are Legion,” which might shed light on possible attributions of this attack. But given the nebulous nature of Anonymous, we can’t necessarily attribute this directly to the group.

An outage of these pump monitoring systems, while not catastrophic, could cause serious data loss and supply chain problems. For instance, should a volume value be misrepresented as low, a gasoline truck could be dispatched to investigate low tank values. Empty tank values could also be shown full, resulting in gas stations having no fuel.

The insecure gas pump monitoring system issue is part of the wider problem of insecure SCADA (industrial control) devices.

“Our investigation shows that the tampering of an internet-facing device resulted in a name change,” a blog post by Trend Micro on the research concludes. “But sooner or later, real world implications will occur, causing possible outages or even worse. Hopefully, with continued attention to these vulnerable systems, the security profile will change. Ideally, we will start seeing secure SCADA systems deployed, with no Internet facing devices.” ®


Other stories you might like

  • D-Wave deploys first US-based Advantage quantum system
    For those that want to keep their data in the homeland

    Quantum computing outfit D-Wave Systems has announced availability of an Advantage quantum computer accessible via the cloud but physically located in the US, a key move for selling quantum services to American customers.

    D-Wave reported that the newly deployed system is the first of its Advantage line of quantum computers available via its Leap quantum cloud service that is physically located in the US, rather than operating out of D-Wave’s facilities in British Columbia.

    The new system is based at the University of Southern California, as part of the USC-Lockheed Martin Quantum Computing Center hosted at USC’s Information Sciences Institute, a factor that may encourage US organizations interested in evaluating quantum computing that are likely to want the assurance of accessing facilities based in the same country.

    Continue reading
  • Bosses using AI to hire candidates risk discriminating against disabled applicants
    US publishes technical guide to help organizations avoid violating Americans with Disabilities Act

    The Biden administration and Department of Justice have warned employers using AI software for recruitment purposes to take extra steps to support disabled job applicants or they risk violating the Americans with Disabilities Act (ADA).

    Under the ADA, employers must provide adequate accommodations to all qualified disabled job seekers so they can fairly take part in the application process. But the increasing rollout of machine learning algorithms by companies in their hiring processes opens new possibilities that can disadvantage candidates with disabilities. 

    The Equal Employment Opportunity Commission (EEOC) and the DoJ published a new document this week, providing technical guidance to ensure companies don't violate ADA when using AI technology for recruitment purposes.

    Continue reading
  • How ICE became a $2.8b domestic surveillance agency
    Your US tax dollars at work

    The US Immigration and Customs Enforcement (ICE) agency has spent about $2.8 billion over the past 14 years on a massive surveillance "dragnet" that uses big data and facial-recognition technology to secretly spy on most Americans, according to a report from Georgetown Law's Center on Privacy and Technology.

    The research took two years and included "hundreds" of Freedom of Information Act requests, along with reviews of ICE's contracting and procurement records. It details how ICE surveillance spending jumped from about $71 million annually in 2008 to about $388 million per year as of 2021. The network it has purchased with this $2.8 billion means that "ICE now operates as a domestic surveillance agency" and its methods cross "legal and ethical lines," the report concludes.

    ICE did not respond to The Register's request for comment.

    Continue reading
  • Fully automated AI networks less than 5 years away, reckons Juniper CEO
    You robot kids, get off my LAN

    AI will completely automate the network within five years, Juniper CEO Rami Rahim boasted during the company’s Global Summit this week.

    “I truly believe that just as there is this need today for a self-driving automobile, the future is around a self-driving network where humans literally have to do nothing,” he said. “It's probably weird for people to hear the CEO of a networking company say that… but that's exactly what we should be wishing for.”

    Rahim believes AI-driven automation is the latest phase in computer networking’s evolution, which began with the rise of TCP/IP and the internet, was accelerated by faster and more efficient silicon, and then made manageable by advances in software.

    Continue reading
  • Pictured: Sagittarius A*, the supermassive black hole at the center of the Milky Way
    We speak to scientists involved in historic first snap – and no, this isn't the M87*

    Astronomers have captured a clear image of the gigantic supermassive black hole at the center of our galaxy for the first time.

    Sagittarius A*, or Sgr A* for short, is 27,000 light-years from Earth. Scientists knew for a while there was a mysterious object in the constellation of Sagittarius emitting strong radio waves, though it wasn't really discovered until the 1970s. Although astronomers managed to characterize some of the object's properties, experts weren't quite sure what exactly they were looking at.

    Years later, in 2020, the Nobel Prize in physics was awarded to a pair of scientists, who mathematically proved the object must be a supermassive black hole. Now, their work has been experimentally verified in the form of the first-ever snap of Sgr A*, captured by more than 300 researchers working across 80 institutions in the Event Horizon Telescope Collaboration. 

    Continue reading

Biting the hand that feeds IT © 1998–2022