Slashdot Mirror
U.S. Gas Stations Vulnerable To Internet Attacks
itwbennett writes: Automated tank gauges (ATGs), which are used by gas stations in the U.S. to monitor their fuel tank levels can be manipulated over the Internet by malicious attackers, according to security firm Rapid7. "An attacker with access to the serial port interface of an ATG may be able to shut down the station by spoofing the reported fuel level, generating false alarms, and locking the monitoring service out of the system," said HD Moore, the chief research officer at Rapid7.
RTFA, they are not internet connected. They can be access over the internet if someone takes a device to the pump, connects to the serial interface, and connected to a gateway device to the internet.
We have to ask why everything NEEDS to be internet connected. A local connection to the sensors will allow the station to determine when they need to refill said tanks. Not much point in putting it out there on the big scary internet. :D
Because they want to get the need to have anyone working at the gas station - kind of like how truckers can fuel up using their cardpass at fuel depots where nobody works. It's all about getting rid of people. And on-site cash, since everyone will have to pay by credit or debit card.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Could they change the gas prices so it would be like .01 per gallon?
In order to monitor these systems remotely, many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port. The most common configuration is to map these to TCP port 10001. Although some systems have the capability to password protect the serial interfaces, this is not commonly implemented.
Approximately 5,800 ATGs were found to be exposed to the internet without a password. Over 5,300 of these ATGs are located in the United States, which works out to about 3 percent of the approximately 150,000 [1] fueling stations in the country.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Is this port accessible by anyone, or is it under a locked access panel? And with the surveillance cameras at the gas stations, I'm pretty sure you won't be able to connect anything without being seen.
Get free satoshi (Bitcoin) and Dogecoins
Internet of Thingies.
Get free satoshi (Bitcoin) and Dogecoins
RTFA. It's about stations that have connected devices to expose the serial port to the internet.
Wouldn't they just go back to old fashioned methods like dipping the tanks by hand with a stick if they had to? Any dumbass could do it.
RTFA yourself: The 5800 cited already are connected to the Internet.
In order to monitor these systems remotely, many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port. The most common configuration is to map these to TCP port 10001. Although some systems have the capability to password protect the serial interfaces, this is not commonly implemented.
Approximately 5,800 ATGs were found to be exposed to the internet without a password. Over 5,300 of these ATGs are located in the United States, which works out to about 3 percent of the approximately 150,000 [1] fueling stations in the country.
I'm just irritated that someone somewhere thought it was necessary to say TCP/IP card as opposed to network card.
Breaking:
An admin with serial port access may be able to obtain what amounts to admin priveleges. More at 11.
This is why I tell my daughters to keep their ports locked.
In fine tradition the title is overly sensational. The better title is "Some US Gas Stations have morons installing network-connected gear and not bothering to set a decent password". Or ACLs, or anything else even vaguely resembling security.
I don't think it's to get rid of people, but taking away a responsibility from unreliable people. There will always be need for someone on site, but can they be trusted to catch a problem (like a low fuel tank) and notify the right people in time to actually do something about it?
The station can't sell gas they don't have, so it's in their best interest to never run out. By connecting them to the internet, an automated system can be used to monitor level and usage to make predictions about when the tank will need to be refilled. A properly configured system would place an order for more fuel with enough lead time that when the fuel truck arrives the station has both not run out, and is in need of refill.
People are unreliable, especially when it comes to repetitive and mundane processes. Machines don't care how often they have to perform an action, neither do they get bored doing them.
"Lame" - Galaxar
Serial Over IP Connector
Try reading the article, it says internet via serial port.
Achille Talon
Hop!
This may be a shock to some folks: the serial console is alive and well!
They usually have a computer that runs all of the reporting for registers and from the ATG into a system like ruby or topaz and are either connected directly to the serial port or are assigned a private ip.
3% setup their ATG insecurely and not in the manufacture recommended configuration I'm not surprised.
nobody reads the summary, neither the article anymore on /. Perhaps it is time to introduce some pictograms to describe the content of the article or summary to those who are too lazy to read it.
Achille Talon
Hop!
I work for a company that sells, installs and maintains a ATG's by the top two manufacturers, Veeder-Root & Incon. We also offer a web service that polls and aggregates the data from our customer's ATG's. 98% of the >500 ATG's we have on our service are polled via TCP/IP and the remaining few are still modem connections. Of the TCP/IP polled ATG's the majority are through a secure VPN. Typically the only ones that are not are the smaller customers with only 1 - 3 gas stations. Depending on the model of the ATG, there are two access levels both of which have the ability to have a password. The first is read only and is limited to data retrieval such as inventory levels, alarm status, etc... this level is typically not password protected. The second level is for the programming interface, which is what the article is talking about. There is some fear mongering in the article, my guess is because they either want to cause fear or did not do enough research. The only way a station could be shut down through the ATG is if the ATG was installed in a fashion that allowed for it. This type of installation is known as positive shut-down; and basically means the pump wiring is feed through relays in the ATG and in the event a leak was detected, the ATG would kill power to the pumps. Most stations built after 2006 - 2009 (depends on when that particular state adopted Federal storage tanks regulations) are installed with positive shut-down through the ATG. Pre-2006 were not so much installed in this fashion. The article also states no special interface is needed to access the ATG's. That is only true for the current models being sold, which come with a built in web server for programming. The older models, of which is the majority installed do need special software to access the programming interface. The method that the security firm used: polled the internet for open port 10001 would not be able to determine if it was a direct connection to the ATG (newer models) or a serial to IP convertor (older models).
I personally am the system admin for the the system we have in place for the polling and monitoring as well as the front end web service and have been so for 10+ years and I did chuckle a little at the article. There is very, very little to worry about in this regard. Other than shutting down a handful of stations, no real harm can be done such as creating a leak or causing some type of catastrophic failure.
While your fear of being replaced by a robot may be real in most situations, this is not one of them. At no time in the past did people ever perform the functions of an ATG.
The ATG's are hooked up to the internet for two primary reasons and usually for entities that own multiple gas stations for the purpose of central, multi-department monitoring.
1 - Inventory monitoring & management, ie... you would give your hauler access so your tanks don't go dry.
2 - Regulatory compliance monitoring, ie.. data aggregation to meet fed/state requirements to maintain the last 12 months of passing tank/line release detection records.
For the love of {Diety} put in a damn firewall and NAT that shit. What kind of half ass implementation is being sold out there for these people? Is this lowest installation price around or is there a common link to all 5800 gas stations?
I would not be surprised if this is all one single vendor who supplied and installed these setups to different gas station suppliers.
Please someone name the company involved with this nonsense so we can ridicule them for this stupidity.
This is no worse than people who have no passwords on their NVR's.
Wheel of Time: Book by Book and Sumview (summary review) Bigdady92 style: http://bigdady92.blogspot.com/
We have to ask why everything NEEDS to be internet connected. A local connection to the sensors will allow the station to determine when they need to refill said tanks. Not much point in putting it out there on the big scary internet. :D
Reason for these to be Internet-connected? Simple...supply chain. Next time you go get a fill-up, go interact with the guy inside the gas station and then ask yourself, "Do I think this guy could operate a control system and get a reading from a serial interface on a timely fashion so that the regional product distribution centers know when they need to schedule a fuel delivery?" At most gas stations I've been to, they can't even keep those little paper towels filled in the dispensers outside. (You know, the ones you need to wipe the oil off your dipstick? Okay, that looks dirty when I type it out...but I digress.)
On the other hand, if you connect these to the Internet, then an automated system can poll them periodically, automatically, and a lot of the workflow around keeping gas stations provisioned with fuel gets simplified and automated. You also get better metrics about consumption, which in turn allows for better forecasting so the local depots can, themselves, make sure they don't run dry. (There's a much, much longer lead time for getting a product tanker to drop off fuel than there is for a gas truck to bring fuel to a gas station.)
That said, these should be configured NOT to listen to requests from outside a certain subset of network ranges. Having them listen to the open Internet is, frankly, fucking stupid.
For your security, this post has been encrypted with ROT-13, twice.
and start manually sticking the tank to figure out manually how much gas is in there. station managers used to have to do that twice a day. the drivers stick the tanks to see whether they can take the amount of gas that was ordered, always.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Read The Fine Article. Serial ports on storage systems aren't connected to the Internet either. (sigh)
Agreed. I can't even get the new gas station attendant, a block away from my house that I've been going to for 10 years to get gas, to print out my lottery ticket appropriately.
"I want 2 lottery plays, same ticket."
Hands me 2 tickets with one play each.
"Uh... same ticket?"
"Oh sorry, I don't know how to work the machine that way, I'm new here and I'll figure it out eventually... Is this OK?"
-- Next week - same attendant
"2 lottery plays, same ticket please."
Hands me one ticket (yay!) with 3 plays.
-- Next week - same attendant again
"2 lottery plays, same ticket please"
Hands me 2 tickets with one play each. "Oh sorry, I didn't hear you right."
Yeah, I trust this person to be able to handle maintenance checking of a flammable liquid.
If you can gain access to the private/vpn network the store is running, you can wreak alot of havoc.
Could send a "no fuel" alarm to the equipment... which can prevent fuel from flowing.
Could throw a vapor lock alarm (or a myriad of other commands) which will prevent fuel to flow until reset...
You can reach this via physical access to a fuel pump/dispenser... use the swrial interface to inside the store.
Long and short... this is something that has been known for over 10 years. Companies, such as mine have taken precautions to lock down pumps as well as the other equip to preclude this.
-Darkelf
I don't think it's to get rid of people, but taking away a responsibility from unreliable people.
You're startin' to scare me. Have you been hanging around Nomad again?
over the internet ... access to the serial port ...
Those two snippets sound contradictory, but only because the summary has not included the most pertinent fact:
many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port.
systemd is Roko's Basilisk.
To what, play warcraft 2?
Because it's easier.
Or even why the sensors are needed. I worked at a gas station in the late 80s and we "sticked" the tanks each night. Looong stick (about 30 feet) w/ an inch scale on it, a little dusting of baby powder and stick it in the tank until it hits bottom. Pull up immediately, see what number is visible closest to wet line on baby powder. Write in log for manager to see in hte morning.
Don't blame me, I voted for Kodos
>We have to ask why everything NEEDS to be internet connected. A local connection to the sensors will allow the station to determine when they need to refill said tanks. Not much point in putting it out there on the big scary internet. :D
It isn't a "need", it is only a "want"
Just imagine the cost difference between a fleet of IT people posistioned in every city the gas station chain does business in, paying their US pay rates - compared to a poor lone indian guy on the other side of the planet being paid a tiny fraction of US pay rates, not multiplied by the number of employees (or multiplied by one technically) able to manage all 100000 pumps owned by the chain.
The psychopaths at the top of the gas station chain companies get to keep that unspent money for themselves, so the less they pay out the better it is in their mind.
Of course you both get what you pay for, and must suffer the consequences of your own choices and actions once made, but it's pretty rare either of those factors even pops into their minds - and when it does the only reaction is to beef up the golden parachute package for when the inevitable happens.
The point is the whole intention here is not to do things right but to save money and raise profits without concern for the future or security of the company as a whole.
Going by those terms, not only do the pumps need to be on the Internet, but does make them more short term profits, so clearly is the correct solution to their incorrect and needless problem.
There will always be need for someone on site
Why? As I pointed out, there are 24x7 diesel refueling sites for truckers that don't have anyone working there. They don't run out of fuel because nobody's there.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
If you're going to be on site anyway, and want to disrupt the damn gas station, just drop something that goes boom ( with a delay ) down into the tanks from one of the unprotected fill holes the tanker trucks use to refill them.
Why give two shits about using a computer ?
3% setup their ATG insecurely and not in the manufacture recommended configuration I'm not surprised.
You're assuming that the other 97% are connected to the internet - an assumption not supported by any evidence.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Pay a decent wage and you'll get better candidates. Gas station attendants are generally part-time, no benefits, minimum wage, not paid nearly enough to give a shit in a dead-end job. You get what you pay for.
I can't completely disagree with that, but there will always be someone to maintain the equipment at regular intervals. They're not unmanned 24/7, someone is there occasionally to maintain and service the equipment. These sites would definitely need fuel level monitoring automation. I was thinking more of gas stations and truck stops where the high volume of fuel sold would require constant monitoring of the fuel levels, a mundane task better left to automation.
"Lame" - Galaxar
At no time in the past did people ever perform the functions of an ATG.
That is a total lie. I put myself through college by working at a gas station. Every night I had to read the small counter on each pump that shows total gallons pumped since installation, and manually take a really long dipstick with some special paste on the end that would change color in the presence of water (to indicate that water had gotten into the tanks) and manually take a dip to get the current level in three different tanks.
This would also help to detect tanks leaking gas into the ground.
Today's tanks aren't metal, so the risk of a tank corroding is obviously just not there, and We now have other ways to directly get the level of fuel in the tanks.
So, no need for someone on site for regulatory compliance or inventory control any more :-)
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
I would be a lot more concerned about some vulnerability in the cash registers or credit/debit card readers which would effect a far more significant percentage of stations.
There is no way that banks (or store owners, or consumers) would tolerate a 3.5% error rate.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
I'm sick of all these "Oh, our infrastructure is vulnerable to attacks!" Yeah, they are...
My power sub station is vulnerable to anyone with $5 of copper wire. It's not like they're gaurded... Fling! Zap! Pow!
Gas stations are vulnerable to anyone with a $0.50 lighter and no sense. It's not like they're guarded! flick flick flick Woosh!
Nothing is guarded, and yet the world keeps on rolling just fine. I hate these stupid scare tactic BS articles.
this is a non issue, as long as we keep the serial port away from the internet. wouldn't the guy at the gas station ask you why you're plugging stuff together?
Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
I'm more concerned that all it takes to access thousands of gallons of gas stored in the underground tanks of virtually every gas station in the US, is a crowbar. Most gas stations do not 'lock' those tanks.
the only permanence in existence, is the impermanence of existence.
I would assume that mom and pop places probably aren't and that those single proprietors that have multiple locations, not major corporations are the ones that just slap it on the internet. I've managed a few convenience stores while I was in college and my wife has and still does.
I'm just irritated that someone somewhere thought it was necessary to say TCP/IP card as opposed to network card.
You don't need to be irritated. There are plenty of embedded network serial interfaces which have actually TCP/IP protocol hardwired in hardware, such as Wiznet W5100 or newer. You can find some on Arduino shields. These are not generic network adapters, as you know them. Fine tools for hacking, though.
I would assume that mom and pop places probably aren't and that those single proprietors that have multiple locations, not major corporations are the ones that just slap it on the internet. I've managed a few convenience stores while I was in college and my wife has and still does.
I guess you're behind the times. Up here even the smallest restaurant is connected - they have to be because the government is the one that issues the bill at the end of your meal, as a way of assuring they get their taxes.
Also, the major corps will definitely be in on this because they, not the gas station owner, own the gas in the tanks in the ground. Why do you think the prices can follow each other so quickly between competitors in the same neighborhood? So they're going to want to know exactly how many gallons were sold at each price so the owner can't play with the figures and claim most of it was sold at the lowest and pocket the diff.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.