Hackers – possibly affiliated with Anonymous – have already attacked at least one internet-connected gas (petrol) station pump monitoring system.
Evidence of malfeasance, uncovered by Trend Micro, comes three weeks after research about automated tank gauge vulnerabilities from Rapid7, the firm behind Metasploit.
Automated tank gauges (ATGs) are used to monitor fuel tank inventory levels, track deliveries, raise alarms that indicate problems with the tank or gauge (such as a fuel spill). The technology can also be used to perform leak tests. ATGs are used by nearly every fuelling station in the United States and tens of thousands of systems internationally.
ATGs can typically be programmed and monitored through a built-in serial port, a plug-in serial port, a fax/modem, or a TCP/IP circuit board. In order to facilitate remote monitoring over the internet, ATG serial interfaces are often mapped to an internet-facing port. This opens door to potential trouble, especially since serial interfaces are rarely password protected.
Rapid7 estimates that 5,800 ATGs are exposed to the internet without a password. Over 5,300 of these ATGs are located in the US. Put another way, around one in 30 of the 150,000 fuelling stations in the country are exposed to attack, leaving the door open to all sorts of mischief.
“An attacker with access to the serial port interface of an ATG may be able to shut down the station by spoofing the reported fuel level, generating false alarms, and locking the monitoring service out of the system,” Rapid7’s HD Moore warns. “Tank gauge malfunctions are considered a serious issue due to the regulatory and safety issues that may apply."
But what’s actually happening at the pump?
Independent researcher Stephen Hilt and Kyle Wilhoit, a senior threat researcher at Trend Micro, teamed up to investigate whether or not attackers were actively attempting to compromise these internet-facing gas pump monitoring systems.
In particular the duo looked at deployments of the Guardian AST Monitoring System, internet-ready kit designed to monitor inventory, pump levels, and assorted values of pumping systems typically found in gas stations. Shodan, the well-known search engine for Internet-connected devices, and popular port-scanning tool Nmap create a ready mechanism for interested parties to hunt for inter-connected petrol pump kit.
Hilt and Wilhoit discovered more than 1,515 vulnerable gas pump monitoring devices worldwide, less than a third of the figure logged by HD Moore last month. That would be reason for cautious optimism – except that the duo also uncovered evidence of tampered Guardian AST devices. The US-located system, left wide open on the net, had been hacked, apparently by mischief-makers, referencing one of ragtag hacker group Anonymous’s favourite catch phrases.
An attacker had modified one of these pump-monitoring systems in the US. This pump system was found to be internet facing with no implemented security measures. The pump name was changed from “DIESEL” to “WE_ARE_LEGION.” The group Anonymous often uses the slogan “We Are Legion,” which might shed light on possible attributions of this attack. But given the nebulous nature of Anonymous, we can’t necessarily attribute this directly to the group.
An outage of these pump monitoring systems, while not catastrophic, could cause serious data loss and supply chain problems. For instance, should a volume value be misrepresented as low, a gasoline truck could be dispatched to investigate low tank values. Empty tank values could also be shown full, resulting in gas stations having no fuel.
The insecure gas pump monitoring system issue is part of the wider problem of insecure SCADA (industrial control) devices.
“Our investigation shows that the tampering of an internet-facing device resulted in a name change,” a blog post by Trend Micro on the research concludes. “But sooner or later, real world implications will occur, causing possible outages or even worse. Hopefully, with continued attention to these vulnerable systems, the security profile will change. Ideally, we will start seeing secure SCADA systems deployed, with no Internet facing devices.” ®