U.S. Gas Stations Vulnerable To Internet Attacks
itwbennett writes: Automated tank gauges (ATGs), which are used by gas stations in the U.S. to monitor their fuel tank levels, can be manipulated over the Internet by malicious attackers, according to security firm Rapid7. "An attacker with access to the serial port interface of an ATG may be able to shut down the station by spoofing the reported fuel level, generating false alarms, and locking the monitoring service out of the system," said HD Moore, the chief research officer at Rapid7.
We have to ask why everything NEEDS to be internet connected. A local connection to the sensors will allow the station to determine when they need to refill said tanks. Not much point in putting it out there on the big scary internet. :D
Internet of Tanks
Could they change the gas prices so it would be like .01 per gallon?
Those fucking Jimmy Kimmel video clips suck.
Same old story. Get physical access and you own it.
Is this port accessible by anyone, or is it under a locked access panel? And with the surveillance cameras at the gas stations, I'm pretty sure you won't be able to connect anything without being seen.
Just turn the pumps back on.
You could do interesting things to my car via the OBD-2 port, but I don't lose any sleep over that either. Rapid7 is a security products vendor. EVERYTHING they do is to further their interest in SELLING PRODUCTS. (Nothing wrong with that.) But I am damn tired of security product vendors telling me the sky is falling.
Wouldn't they just go back to old fashioned methods like dipping the tanks by hand with a stick if they had to? Any dumbass could do it.
Breaking:
An admin with serial port access may be able to obtain what amounts to admin privileges. More at 11.
We must intercept all internet traffic in all the world to be sure that no hacker, surely from Eastasia or Eurasia, would try to hack them. Meanwhile we will keep those vulnerabilities up because we don't know if we will have to exploit them; of all flags, the false ones are the most profitable.
It was discovered that plugging a NEMA-1 or NEMA-15 into a common household or commercial electrical outlet where the neutral and hot terminals are cross connected can result in circuit breakers being switched to open... think about this! This is a huge threat to our nation's security - this vulnerability must be plugged immediately! This too can be accomplished via the internet where the NEMA-1/15 connector is controlled using a common off-the-shelf SPST relay that is tied to an IoT platform. Scary stuff. If engineers don't wake up to this we could all be in serious trouble. Also: did you hear about the reports that deadbolt locks can be circumvented without the use of the rightful owner's key? Unbelievable!!
In fine tradition the title is overly sensational. The better title is "Some US Gas Stations have morons installing network-connected gear and not bothering to set a decent password". Or ACLs, or anything else even vaguely resembling security.
headline says internet, summary says serial port.
This may be a shock to some folks: the serial console is alive and well!
Nobody reads the summary, nor the article, anymore on /. Perhaps it is time to introduce some pictograms to describe the content of the article or summary to those who are too lazy to read it.
Achille Talon
Hop!
I work for a company that sells, installs and maintains ATGs by the top two manufacturers, Veeder-Root & Incon. We also offer a web service that polls and aggregates the data from our customers' ATGs. 98% of the >500 ATGs we have on our service are polled via TCP/IP and the remaining few are still modem connections. Of the TCP/IP polled ATGs, the majority are through a secure VPN. Typically the only ones that are not are the smaller customers with only 1 - 3 gas stations. Depending on the model of the ATG, there are two access levels, both of which have the ability to have a password. The first is read only and is limited to data retrieval such as inventory levels, alarm status, etc. This level is typically not password protected. The second level is for the programming interface, which is what the article is talking about. There is some fear mongering in the article; my guess is because they either want to cause fear or did not do enough research. The only way a station could be shut down through the ATG is if the ATG was installed in a fashion that allowed for it. This type of installation is known as positive shut-down, and basically means the pump wiring is fed through relays in the ATG and, in the event a leak was detected, the ATG would kill power to the pumps. Most stations built after 2006 - 2009 (depends on when that particular state adopted Federal storage tank regulations) are installed with positive shut-down through the ATG. Pre-2006 stations were not so much installed in this fashion. The article also states no special interface is needed to access the ATGs. That is only true for the current models being sold, which come with a built-in web server for programming. The older models, which are the majority installed, do need special software to access the programming interface.
The method that the security firm used, polling the internet for open port 10001, would not be able to determine if it was a direct connection to the ATG (newer models) or a serial to IP converter (older models).
I personally am the system admin for the system we have in place for the polling and monitoring as well as the front end web service and have been so for 10+ years and I did chuckle a little at the article. There is very, very little to worry about in this regard. Other than shutting down a handful of stations, no real harm can be done such as creating a leak or causing some type of catastrophic failure.
Not through the ATG interface, it has nothing to do with pricing. They could through the register, but only if it is also connected to the internet and unsecured.
For the love of {Deity} put in a damn firewall and NAT that shit. What kind of half-assed implementation is being sold out there for these people? Is this the lowest installation price around or is there a common link to all 5800 gas stations?
I would not be surprised if this is all one single vendor who supplied and installed these setups to different gas station suppliers.
Please someone name the company involved with this nonsense so we can ridicule them for this stupidity.
This is no worse than people who have no passwords on their NVRs.
Wheel of Time: Book by Book and Sumview (summary review) Bigdady92 style: http://bigdady92.blogspot.com/
What the fuck... how are these "experts" getting so stupid?
Running over the pumps with your pickup would probably shut down the store better.
Apparently some people have read this article, and some have not however both camps feel strongly both ways.
and start manually sticking the tank to figure out manually how much gas is in there. station managers used to have to do that twice a day. the drivers stick the tanks to see whether they can take the amount of gas that was ordered, always.
if this is supposed to be a new economy, how come they still want my old fashioned money?
If you can gain access to the private/VPN network the store is running, you can wreak a lot of havoc.
Could send a "no fuel" alarm to the equipment... which can prevent fuel from flowing.
Could throw a vapor lock alarm (or a myriad of other commands) which will prevent fuel from flowing until reset...
You can reach this via physical access to a fuel pump/dispenser... use the serial interface to inside the store.
Long and short... this is something that has been known for over 10 years. Companies such as mine have taken precautions to lock down pumps as well as the other equip to preclude this.
-Darkelf
NAT that shit
Please do not do network security. After that statement you are probably mad. But let me put it to you this way. Stop. Read up on what is really going on and how this stuff works.
I made a gay joke on slashdot. I'm the coolest!
over the internet ... access to the serial port ...
Those two snippets sound contradictory, but only because the summary has not included the most pertinent fact:
many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port.
systemd is Roko's Basilisk.
The parent is correct that only ~20% of the ATGs in the US have an electronic link to shut off the pump directly. However, all of the affected ATGs could be shut down through the generation of false alarms and other error conditions (manual intervention). The parent is also correct in that there is little risk to the public.
The parent is absolutely wrong in a few other areas:
- No special access is needed to manipulate the device through TCP port 10001 (control-A + command, text-based protocol). The article links to the PDF manual. There are a lot of ways to screw with an ATG based on the available commands.
- The article discusses the serial interface used for monitoring via TCP port 10001. This is through a vendor-supplied XPort card on newer models and through separate serial port servers on older models. Either way, the serial is exposed to the internet and this allows the system to be manipulated.
- Systems with TCP port 9999 exposed (the XPort web interface) are far between, but these can be used to permanently brick the device. No more monitoring until the card is replaced.
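One defensive check for the exposure described in the comment above, as an added example that is not part of the original thread: audit firewall logs for connections to TCP 10001 and 9999 that do not originate from the polling service's VPN range. The log format, address ranges and function names are assumptions constructed for illustration.

```python
import ipaddress

# Ports named in the thread: 10001 (ATG serial interface mapped to TCP)
# and 9999 (XPort interface).
ATG_PORTS = {10001: "ATG serial-over-TCP", 9999: "XPort interface"}

# Assumption: the polling/monitoring service connects only from these ranges.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.8.0.0/16", "192.0.2.16/28")]

# Constructed sample firewall log: "timestamp src_ip dst_ip dst_port action"
SAMPLE_LOG = """\
2024-01-01T02:11:07Z 10.8.4.20 172.16.5.10 10001 ACCEPT
2024-01-01T02:14:55Z 198.51.100.77 172.16.5.10 10001 ACCEPT
2024-01-01T02:15:02Z 198.51.100.77 172.16.5.10 9999 DROP
2024-01-01T02:20:31Z 203.0.113.9 172.16.5.10 443 ACCEPT
garbage line
2024-01-01T03:00:00Z 192.0.2.18 172.16.7.10 10001 ACCEPT
"""

def is_allowed(src):
    """True if src falls inside one of the allowlisted polling ranges."""
    addr = ipaddress.ip_address(src)  # raises ValueError on malformed input
    return any(addr in net for net in ALLOWED_SOURCES)

def audit(log_text):
    """Return one finding per ATG-port connection from a non-allowlisted source."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed format
        ts, src, dst, port, action = parts
        try:
            port = int(port)
            allowed = is_allowed(src)
        except ValueError:
            continue  # malformed port or address
        if port not in ATG_PORTS or allowed:
            continue
        # ACCEPT means the port is reachable; DROP means the firewall held.
        severity = "exposed" if action == "ACCEPT" else "probe-blocked"
        findings.append({"line": lineno, "time": ts, "src": src, "dst": dst,
                         "port": port, "service": ATG_PORTS[port],
                         "severity": severity})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['severity']:>13}  {f['time']}  {f['src']} -> "
              f"{f['dst']}:{f['port']} ({f['service']})")
```

An "exposed" finding means the serial interface accepted a connection from outside the VPN, which is the condition the thread's firewall and VPN advice is meant to eliminate.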
I'm sick of all these "Oh, our infrastructure is vulnerable to attacks!" Yeah, they are...
My power sub station is vulnerable to anyone with $5 of copper wire. It's not like they're guarded... Fling! Zap! Pow!
Gas stations are vulnerable to anyone with a $0.50 lighter and no sense. It's not like they're guarded! flick flick flick Woosh!
Nothing is guarded, and yet the world keeps on rolling just fine. I hate these stupid scare tactic BS articles.
this is a non issue, as long as we keep the serial port away from the internet. wouldn't the guy at the gas station ask you why you're plugging stuff together?
Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
I'm more concerned that all it takes to access thousands of gallons of gas stored in the underground tanks of virtually every gas station in the US, is a crowbar. Most gas stations do not 'lock' those tanks.
the only permanence in existence, is the impermanence of existence.
Back in the day, we would dip the tanks with a stick at the end of each shift, which would allow us to see how much water was in them too. Of course that was also back when gas stations were loss leaders for repair work rather than lotto tickets and snack food. Regardless, seems pretty sad we have to put something so basic on the internet.
You have to secure the end equipment that is connected to the network. They make equipment especially for this, and the company manages the security and maintenance. I called Echosat and got their security appliances to secure all my gas stations.....works very nicely, no hassle.