U.S. Gas Stations Vulnerable To Internet Attacks 100
itwbennett writes: Automated tank gauges (ATGs), which are used by gas stations in the U.S. to monitor their fuel tank levels can be manipulated over the Internet by malicious attackers, according to security firm Rapid7. "An attacker with access to the serial port interface of an ATG may be able to shut down the station by spoofing the reported fuel level, generating false alarms, and locking the monitoring service out of the system," said HD Moore, the chief research officer at Rapid7.
Once more (Score:1)
Re: (Score:2, Informative)
Re:Once more (Score:5, Informative)
In order to monitor these systems remotely, many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port. The most common configuration is to map these to TCP port 10001. Although some systems have the capability to password protect the serial interfaces, this is not commonly implemented.
Approximately 5,800 ATGs were found to be exposed to the internet without a password. Over 5,300 of these ATGs are located in the United States, which works out to about 3 percent of the approximately 150,000 [1] fueling stations in the country.
Re: (Score:1)
RTFA yourself: The 5800 cited already are connected to the Internet.
In order to monitor these systems remotely, many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port. The most common configuration is to map these to TCP port 10001. Although some systems have the capability to password protect the serial interfaces, this is not commonly implemented.
Approximately 5,800 ATGs were found to be exposed to the internet without a password. Over 5,300 of these ATGs are located in the United States, which works out to about 3 percent of the approximately 150,000 [1] fueling stations in the country.
I'm just irritated that someone somewhere thought it was necessary to say TCP/IP card as opposed to network card.
Re:Once more (Score:4, Funny)
To what, play warcraft 2?
Re: (Score:2)
I'm just irritated that someone somewhere thought it was necessary to say TCP/IP card as opposed to network card.
You don't need to be irritated. There are plenty of embedded network serial interfaces which have actually TCP/IP protocol hardwired in hardware, such as Wiznet W5100 or newer. You can find some on Arduino shields. These are not generic network adapters, as you know them. Fine tools for hacking, though.
Re: (Score:2)
They usually have a computer that runs all of the reporting for registers and from the ATG into a system like ruby or topaz and are either connected directly to the serial port or are assigned a private ip.
3% setup their ATG insecurely and not in the manufacture recommended configuration I'm not surprised.
Re: (Score:2)
3% setup their ATG insecurely and not in the manufacture recommended configuration I'm not surprised.
You're assuming that the other 97% are connected to the internet - an assumption not supported by any evidence.
Re: (Score:2)
I would assume that mom and pop places probably aren't and that those single proprietors that have multiple locations, not major corporations are the ones that just slap it on the internet. I've managed a few convenience stores while I was in college and my wife has and still does.
Re: (Score:2)
I would assume that mom and pop places probably aren't and that those single proprietors that have multiple locations, not major corporations are the ones that just slap it on the internet. I've managed a few convenience stores while I was in college and my wife has and still does.
I guess you're behind the times. Up here even the smallest restaurant is connected - they have to be because the government is the one that issues the bill at the end of your meal, as a way of assuring they get their taxes.
Also, the major corps will definitely be in on this because they, not the gas station owner, own the gas in the tanks in the ground. Why do you think the prices can follow each other so quickly between competitors in the same neighborhood? So they're going to want to know exactly how man
Re: (Score:2)
I would be a lot more concerned about some vulnerability in the cash registers or credit/debit card readers which would effect a far more significant percentage of stations.
There is no way that banks (or store owners, or consumers) would tolerate a 3.5% error rate.
Re: (Score:3)
Re: (Score:1)
If you're going to be on site anyway, and want to disrupt the damn gas station, just drop something that goes boom ( with a delay ) down into the tanks from one of the unprotected fill holes the tanker trucks use to refill them.
Why give two shits about using a computer ?
Re:Once more (Score:5, Informative)
We have to ask why everything NEEDS to be internet connected. A local connection to the sensors will allow the station to determine when they need to refill said tanks. Not much point in putting it out there on the big scary internet. :D
Because they want to get the need to have anyone working at the gas station - kind of like how truckers can fuel up using their cardpass at fuel depots where nobody works. It's all about getting rid of people. And on-site cash, since everyone will have to pay by credit or debit card.
Re: (Score:3)
I don't think it's to get rid of people, but taking away a responsibility from unreliable people. There will always be need for someone on site, but can they be trusted to catch a problem (like a low fuel tank) and notify the right people in time to actually do something about it?
The station can't sell gas they don't have, so it's in their best interest to never run out. By connecting them to the internet, an automated system can be used to monitor level and usage to make predictions about when the tank
Re: (Score:2)
I don't think it's to get rid of people, but taking away a responsibility from unreliable people.
You're startin' to scare me. Have you been hanging around Nomad [wikipedia.org] again?
Re: (Score:2)
There will always be need for someone on site
Why? As I pointed out, there are 24x7 diesel refueling sites for truckers that don't have anyone working there. They don't run out of fuel because nobody's there.
Re: (Score:2)
I can't completely disagree with that, but there will always be someone to maintain the equipment at regular intervals. They're not unmanned 24/7, someone is there occasionally to maintain and service the equipment. These sites would definitely need fuel level monitoring automation. I was thinking more of gas stations and truck stops where the high volume of fuel sold would require constant monitoring of the fuel levels, a mundane task better left to automation.
Re: (Score:1)
While your fear of being replaced by a robot may be real in most situations, this is not one of them. At no time in the past did people ever perform the functions of an ATG.
The ATG's are hooked up to the internet for two primary reasons and usually for entities that own multiple gas stations for the purpose of central, multi-department monitoring.
1 - Inventory monitoring & management, ie... you would give your hauler access so your tanks don't go dry.
2 - Regulatory compliance monitoring, ie.. data aggr
Re: (Score:2)
At no time in the past did people ever perform the functions of an ATG.
That is a total lie. I put myself through college by working at a gas station. Every night I had to read the small counter on each pump that shows total gallons pumped since installation, and manually take a really long dipstick with some special paste on the end that would change color in the presence of water (to indicate that water had gotten into the tanks) and manually take a dip to get the current level in three different tanks.
This would also help to detect tanks leaking gas into the ground.
Today's tanks aren't metal, so the risk of a tank corroding is obviously just not there, and We now have other ways to directly get the level of fuel in the tanks.
So, no need for someone on site for regulatory compliance or inventory control any more :-)
Re:Once more (Score:4, Insightful)
We have to ask why everything NEEDS to be internet connected. A local connection to the sensors will allow the station to determine when they need to refill said tanks. Not much point in putting it out there on the big scary internet. :D
Reason for these to be Internet-connected? Simple...supply chain. Next time you go get a fill-up, go interact with the guy inside the gas station and then ask yourself, "Do I think this guy could operate a control system and get a reading from a serial interface on a timely fashion so that the regional product distribution centers know when they need to schedule a fuel delivery?" At most gas stations I've been to, they can't even keep those little paper towels filled in the dispensers outside. (You know, the ones you need to wipe the oil off your dipstick? Okay, that looks dirty when I type it out...but I digress.)
On the other hand, if you connect these to the Internet, then an automated system can poll them periodically, automatically, and a lot of the workflow around keeping gas stations provisioned with fuel gets simplified and automated. You also get better metrics about consumption, which in turn allows for better forecasting so the local depots can, themselves, make sure they don't run dry. (There's a much, much longer lead time for getting a product tanker to drop off fuel than there is for a gas truck to bring fuel to a gas station.)
That said, these should be configured NOT to listen to requests from outside a certain subset of network ranges. Having them listen to the open Internet is, frankly, fucking stupid.
Re: (Score:2)
Agreed. I can't even get the new gas station attendant, a block away from my house that I've been going to for 10 years to get gas, to print out my lottery ticket appropriately.
"I want 2 lottery plays, same ticket."
Hands me 2 tickets with one play each.
"Uh... same ticket?"
"Oh sorry, I don't know how to work the machine that way, I'm new here and I'll figure it out eventually... Is this OK?"
-- Next week - same attendant
"2 lottery plays, same ticket please."
Hands me one ticket (yay!) with 3 plays.
-- Next wee
Re: (Score:2)
Pay a decent wage and you'll get better candidates. Gas station attendants are generally part-time, no benefits, minimum wage, not paid nearly enough to give a shit in a dead-end job. You get what you pay for.
so ask the truck driver where he got his stick (Score:3)
and start manually sticking the tank to figure out manually how much gas is in there. station managers used to have to do that twice a day. the drivers stick the tanks to see whether they can take the amount of gas that was ordered, always.
Re: (Score:1)
Smarter stations kept a tally of the volume sold by each pump. They know the capacity of the tanks, so therefor they know how much should be in the tank. (check it once a day to make sure)
Re: (Score:2)
Because it's easier.
Re: (Score:3)
Or even why the sensors are needed. I worked at a gas station in the late 80s and we "sticked" the tanks each night. Looong stick (about 30 feet) w/ an inch scale on it, a little dusting of baby powder and stick it in the tank until it hits bottom. Pull up immediately, see what number is visible closest to wet line on baby powder. Write in log for manager to see in hte morning.
Re: (Score:2)
>We have to ask why everything NEEDS to be internet connected. A local connection to the sensors will allow the station to determine when they need to refill said tanks. Not much point in putting it out there on the big scary internet. :D
It isn't a "need", it is only a "want"
Just imagine the cost difference between a fleet of IT people posistioned in every city the gas station chain does business in, paying their US pay rates - compared to a poor lone indian guy on the other side of the planet being paid a tiny fraction of US pay rates, not multiplied by the number of employees (or multiplied by one technically) able to manage all 100000 pumps owned by the chain.
The psychopaths at the top of the gas station chain companies get to keep that
Re: (Score:2)
Internet of Thingies.
price hack? (Score:2, Funny)
Could they change the gas prices so it would be like .01 per gallon?
Re: (Score:2)
no, that's a different system. these are just for letting the fuel distributor know that they should show up or there's an issue with the tanks.
Re: (Score:2)
I'm sure some high frequency trader could figure out some sleazy way to make a buck off it, though.
Re: (Score:2)
Yep, I worked on software to talk to gas pumps back in the late '90s. The gallons to price stuff happens entirely in the pump. The various prices are all sent to the pump in advance, and it knows which to use based on what grade button the user presses. It then reports gallons and price back when the hose handle is hung up.
You could possibly fool the system into turning on the pumps without the accounting system knowing, but there are low-tech odometers in gas pumps for actual gallons dispensed, and eventu
Re: (Score:1)
RTFA. It's about stations that have connected devices to expose the serial port to the internet.
How accessible is this port? (Score:2)
Is this port accessible by anyone, or is it under a locked access panel? And with the surveillance cameras at the gas stations, I'm pretty sure you won't be able to connect anything without being seen.
Re: (Score:1)
And WTF does a serial port (which may be physically protected) have jack-shit to do with the Internet?
I could be imagining things, but I seem to recall a time in the far-off and glorious past when Slashdot summaries weren't incomplete to the point of being actively misleading.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Have you try to read the article?
Hmmm... "http://slashdot.org".
You must be new here.
So. Effing. What. (Score:1)
You could do interesting things to my car via the OBD-2 port, but I don't lose any sleep over that either. Rapid7 is a security products vendor. EVERYTHING they do is to further their interest in SELLING PRODUCTS. (Nothing wrong with that.) But I am damn tired of security product vendors telling me the sky is falling.
Re: (Score:2)
Read The Fine Article. Serial ports on storage systems aren't connected to the Internet either. (sigh)
The old fashioned way... (Score:2)
Wouldn't they just go back to old fashioned methods like dipping the tanks by hand with a stick if they had to? Any dumbass could do it.
Re: (Score:2)
Re: (Score:2)
And so do the rest of us.
Or are you someone who hires a washerwoman to come in and wash your clothes by hand rather than using a washer/dryer?
Re: (Score:2)
My late father hired a washerwoman to do his laundry after getting out of the hospital, but she used a washer and dryer to get his laundry done.
Thanks Guys. (Score:4, Insightful)
An admin with serial port access may be able to obtain what amounts to admin priveleges. More at 11.
Re: (Score:3)
Re: (Score:1)
Re: (Score:2)
The problem is that they are connecting a serial to IP adapter with no access control to a device with a serial port that also has no access control. The former device is meant to be used for servers where there will be a login prompt and the latter were meant to be locally connected and protected by physical security.
So given that combination, ANYONE can obtain what amounts to admin privileges.
Re: (Score:2)
Re: (Score:1)
Another stupid title (Score:2)
Re: (Score:2)
Change "some" to "MOST" and you have a better idea. FTR, I work in this industry.
Re: (Score:2)
Re: (Score:2)
The serial console is dead! (Score:2)
Reading the comments so far let me think... (Score:2)
Finally something I can comment on... (Score:5, Informative)
I work for a company that sells, installs and maintains a ATG's by the top two manufacturers, Veeder-Root & Incon. We also offer a web service that polls and aggregates the data from our customer's ATG's. 98% of the >500 ATG's we have on our service are polled via TCP/IP and the remaining few are still modem connections. Of the TCP/IP polled ATG's the majority are through a secure VPN. Typically the only ones that are not are the smaller customers with only 1 - 3 gas stations. Depending on the model of the ATG, there are two access levels both of which have the ability to have a password. The first is read only and is limited to data retrieval such as inventory levels, alarm status, etc... this level is typically not password protected. The second level is for the programming interface, which is what the article is talking about. There is some fear mongering in the article, my guess is because they either want to cause fear or did not do enough research. The only way a station could be shut down through the ATG is if the ATG was installed in a fashion that allowed for it. This type of installation is known as positive shut-down; and basically means the pump wiring is feed through relays in the ATG and in the event a leak was detected, the ATG would kill power to the pumps. Most stations built after 2006 - 2009 (depends on when that particular state adopted Federal storage tanks regulations) are installed with positive shut-down through the ATG. Pre-2006 were not so much installed in this fashion. The article also states no special interface is needed to access the ATG's. That is only true for the current models being sold, which come with a built in web server for programming. The older models, of which is the majority installed do need special software to access the programming interface. The method that the security firm used: polled the internet for open port 10001 would not be able to determine if it was a direct connection to the ATG (newer models) or a serial to IP convertor (older models).
I personally am the system admin for the the system we have in place for the polling and monitoring as well as the front end web service and have been so for 10+ years and I did chuckle a little at the article. There is very, very little to worry about in this regard. Other than shutting down a handful of stations, no real harm can be done such as creating a leak or causing some type of catastrophic failure.
Re: (Score:2)
So, if some really, really bored bad guy who was aiming to create mayhem and havoc (but not make any money) got all arsed, he or she could shut down a couple of mom and pop gas stations in the hinterlands for a couple of hours until mom and pop sobered up.
Truly scary. I'm gonna go unplug everyth*(*RKfkffghdf
Re: (Score:2)
Re: (Score:2)
The thing is, unless the control system is set up to shut down the site (that "positive shut-down" thing is new to me), gas pumps (just like honey badger) don't care what the tank level is and will continue to dispense fuel until it goes dry.
I wrote code for automated gas station stuff back in the late '90s (6809 assembly code to talk to the pump and terminal; Gilbarco, Wayne, Tokheim and Schlumberger were the brands back in the day), and late one afternoon when I was on-site at a unattended station (we we
Put in a @#%$$ Firewall (Score:1)
I would not be surprised if this is all one single vendor who supplied and installed these setups to different gas station suppliers.
Please someone name the company involved with this nonsense so we can ridicule them for this stupidity.
This is no worse than people who have
It is something to deal with... (Score:1)
If you can gain access to the private/vpn network the store is running, you can wreak alot of havoc.
Could send a "no fuel" alarm to the equipment... which can prevent fuel from flowing.
Could throw a vapor lock alarm (or a myriad of other commands) which will prevent fuel to flow until reset...
You can reach this via physical access to a fuel pump/dispenser... use the swrial interface to inside the store.
Long and short... this is something that has been known for over 10 years. Companies, such as mine have
Wait, what? (Score:2)
over the internet ... access to the serial port ...
Those two snippets sound contradictory, but only because the summary has not included the most pertinent fact:
many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port.
Real vulnerability (Score:2)
I'm sick of all these "Oh, our infrastructure is vulnerable to attacks!" Yeah, they are...
My power sub station is vulnerable to anyone with $5 of copper wire. It's not like they're gaurded... Fling! Zap! Pow!
Gas stations are vulnerable to anyone with a $0.50 lighter and no sense. It's not like they're guarded! flick flick flick Woosh!
Nothing is guarded, and yet the world keeps on rolling just fine. I hate these stupid scare tactic BS articles.
how to connect serial to internet? (Score:2)
this is a non issue, as long as we keep the serial port away from the internet. wouldn't the guy at the gas station ask you why you're plugging stuff together?
What is more concerning is physical tank-access (Score:2)
I'm more concerned that all it takes to access thousands of gallons of gas stored in the underground tanks of virtually every gas station in the US, is a crowbar. Most gas stations do not 'lock' those tanks.