Slashdot Mirror


U.S. Gas Stations Vulnerable To Internet Attacks

itwbennett writes: Automated tank gauges (ATGs), which are used by gas stations in the U.S. to monitor their fuel tank levels, can be manipulated over the Internet by malicious attackers, according to security firm Rapid7. "An attacker with access to the serial port interface of an ATG may be able to shut down the station by spoofing the reported fuel level, generating false alarms, and locking the monitoring service out of the system," said HD Moore, the chief research officer at Rapid7.

2 of 100 comments

  1. Thanks Guys. by bigfinger76 · Score: 4, Insightful

    Breaking:
    An admin with serial port access may be able to obtain what amounts to admin privileges. More at 11.

  2. Re:Once more by Shoten · Score: 3, Insightful

    We have to ask why everything NEEDS to be internet connected. A local connection to the sensors will allow the station to determine when they need to refill said tanks. Not much point in putting it out there on the big scary internet. :D

    Reason for these to be Internet-connected? Simple...supply chain. Next time you go get a fill-up, go interact with the guy inside the gas station and then ask yourself, "Do I think this guy could operate a control system and get a reading from a serial interface in a timely fashion so that the regional product distribution centers know when they need to schedule a fuel delivery?" At most gas stations I've been to, they can't even keep those little paper towels filled in the dispensers outside. (You know, the ones you need to wipe the oil off your dipstick? Okay, that looks dirty when I type it out...but I digress.)

    On the other hand, if you connect these to the Internet, then an automated system can poll them periodically, automatically, and a lot of the workflow around keeping gas stations provisioned with fuel gets simplified and automated. You also get better metrics about consumption, which in turn allows for better forecasting so the local depots can, themselves, make sure they don't run dry. (There's a much, much longer lead time for getting a product tanker to drop off fuel than there is for a gas truck to bring fuel to a gas station.)

    That said, these should be configured NOT to listen to requests from outside a certain subset of network ranges. Having them listen to the open Internet is, frankly, fucking stupid.

    --

    For your security, this post has been encrypted with ROT-13, twice.