Gas Station Nightmare: Are Exposed ATGs Our Next Security Crisis?
In a world where technology seamlessly integrates into our daily existence, it’s easy to miss the threats that quietly coexist with our everyday conveniences.
Among these overlooked dangers, one lies dormant within the unassuming Automated Tank Gauges (ATGs) installed at Buc-ee’s, Kwik Trip, Speedway, and many other popular chains. These unsung heroes of the fuel industry play a critical role in monitoring and managing fuel levels at gas stations worldwide, thereby making them a perfect target for terrorists, anarchists, and the chaos-inclined. ATGs are frequently connected to the internet without proper security, and many times they don’t even have basic password protection.
Yeah, you read that right, the things that keep your local BP from blowing up usually aren’t password-protected.
And if you don’t think it can happen, look no further than Puerto Rico.
Back in 2009, a gas tank monitoring system at a Caribbean Petroleum depot went down and sparked a 3-day-long fire that razed homes and businesses nearly a mile away from the ignition point, necessitating a large-scale evacuation. While the Puerto Rico incident was accidental, it serves as a stark reminder of what could happen if ATGs were deliberately tampered with. This article takes a closer look at ATGs and the potential risks they pose via a proof-of-concept (PoC) demonstration that will send shivers down your spine.
Brace yourself for a journey that exposes the explosive potential lurking right under our noses.
Legal Disclaimer: Before going any further, it is essential to stress that the following content is intended solely for educational purposes and as a means to demonstrate well-documented, existing vulnerabilities in the wild. The information presented here should never be used in any real-world context to cause harm. The objective of this article is to raise awareness about a potential threat, not to encourage any criminal behavior at the pump. It’s your ass if you ignore this warning.
GasPot Proof-of-Concept (PoC)
To illustrate the potential risks associated with exposed Automated Tank Gauges, I’ve spun up a specialized honeypot named GasPot, as experimented with by Trend Micro.
This honeypot has been meticulously designed to mimic a Veeder Root Guardian Aboveground Storage Tank (AST) — a commonly used ATG system in the fuel industry. For those who don’t know, Veeder Root is one of the biggest manufacturers of ATGs on the market. If you’re like me and now suddenly want to invest in Veeder Root, you can do so by buying stock in Fortive Corp (FTV).
GasPot acts as a decoy, attracting potential attackers and allowing us to study their behavior without endangering any real-world systems.
Getting GasPot Ready
With GasPot in place, we can demonstrate how attackers can tamper with these ATGs, exposing vulnerabilities that could have disastrous consequences if left unchecked.
Those interested in setting up a similar simulation at home can do so by following the steps laid out here. Python 3 is a prerequisite for GasPot to work. I have decided to run GasPot in a lightweight VM of Ubuntu Server, but you may choose to run it wherever you like.
To get started, we need to edit the config.ini file using a Linux-based text editor like Nano or Vim.
Once inside a text editor, change the tcp_ip value to the IPv4 address of the device GasPot is running on.
In my case, that is a private IP address (not accessible from the internet). The default port the honeypot will run on is TCP/10001. To keep things simple, I will not touch any other settings.
I am not configuring a public-facing honeypot, so these other settings are not relevant to this demonstration.
Vulnerable Serial Servers
The Guardian ASTs have an RS-232 serial interface and do not use TCP/IP.
To enable remote management, gas station owners and suppliers will often add a TCP/IP card. Alternatively, they will use a third-party serial-to-network adapter known as a serial server to make the system available over the internet. The most common TCP port mapped to is TCP/10001.
If you couldn’t tell already, this is where problems begin to arise.
Originally, a PC or modem had to be connected directly to this serial interface to pull system reports, status, and diagnostic information.
Now all of that information can be accessed by unauthenticated strangers from anywhere in the world if remote management is misconfigured. There is an option to configure a security code for the RS-232 interface but it isn’t used as much as it should be. According to the Veeder Root manual:
The RS-232 security code is an optional six-digit code used to limit external serial access to the system for security purposes. It can be set to any unique set of characters using either the front panel switches or the external communication interface setup commands. The system will not respond to a command without the proper security code if the DIP switch is set to enable RS-232 security.
Security codes are written before function codes, which we will discuss in more detail later on in this article.
Potential Attack Vectors
Bad actors can remotely access unprotected ATGs and grab important info like the types of gas tanks being monitored, how much fuel is in them, reports of leaks, and the status of the tanks, including upcoming deliveries.
Attackers can change system passwords, mess with fuel type labels, and manipulate tank details like overflow limits and temperature settings. They might demand a ransom payment after changing an ATG’s password, pretend to be delivery people, or create dangerous situations like exceeding tank limits or suppressing alarms. The consequences could range from system disruptions to hazardous spills and explosions.
Trend Micro has reported instances of the hacktivist group Anonymous tampering with these exposed systems in the past, highlighting a real and immediate threat to our critical infrastructure.
Checking GasPot’s Status
To test that GasPot is running on the Ubuntu VM, we will attempt to connect to the honeypot from our attacking machine using telnet.
Troubleshooting Note: When you press the Enter key after typing in “python3 GasPot.py” and a blank line with a blinking cursor appears, don’t freak out. GasPot is working and we can check that by typing “telnet [IP] [PORT]”.
As you can see, we were able to connect successfully via telnet.
Information Gathering Methods
There are several ways we can pull more information from the Guardian AST.
The first and simplest is by using telnet. After telnetting into TCP/10001, type Ctrl + A followed by the TLS-350 function code I20100. The function code I20100 will output a basic report of what’s contained in the monitored gas tanks.
Bear in mind, when over telnet, Ctrl + A must precede every function code you input.
We can enter other function codes using the same process.
For example, if you wanted to see the In-Tank Status Report, you could type Ctrl + A then I20500. Ctrl + A shows in the terminal as ^A and there is no space between ^A and the function code. Just one of those formatting things you have to get used to.
Not all function codes work and you will find out why in the coming sections.
Using the Nmap Scripting Engine (NSE)
An easier way to retrieve the same information is by running the NSE script atg-info.nse.
The script can be downloaded from GitHub here. To use it, move the script to the path /usr/local/nmap/scripts/. By default, atg-info.nse will use the function code I20100.
Remember to include “sudo” before the Nmap command or the script will not work right.
sudo nmap [IP ADDRESS] -p [TARGET PORT] --script /usr/share/nmap/scripts/atg-info.nseWhen a remote user pulls info from the honeypot, it is logged in my Ubuntu Server VM:
To extend the functionality of atg-info.nse, arguments can be tacked on. Arguments are written as follows:
--script-args command=[FUNCTION CODE]For example, if I wanted to see the Shift Inventory, I would type:
nmap –script /usr/share/nmap/scripts/atg-info.nse -p 10001 --script-args command=I20400 <HOST>The command is whatever function code you want to try.
Using Metasploit’s atg_client
We can also use Metasploit’s Veeder-Root Automatic Tank Gauge (ATG) Administrative Client auxiliary module to accomplish the same task.
We can take things further in Metasploit by using other TLS-350 codes against the target system by bringing up all the auxiliary actions available:
If we wanted to see the In-Tank Leak Detect Report, we would first set the RHOST and RPORT to the appropriate values. Then, we would type “set ACTION LEAK” and run. Since this is not a real monitoring system for real fuel tanks, there won’t be any data shown.
Function Codes Demystified
So where do all these function codes come from and why are they formatted the way they are?
The Guardian AST speaks using the TLS-350 protocol, therefore we have to use TLS-350 function codes to retrieve information from the monitoring system. This is why I referred to them as TLS-350 codes in previous sections. The official manual for the Guardian AST lists some TLS-350 codes that can be used to gather info:
A full (and albeit very lengthy) list of function codes can be found in the Veeder Root Serial Interface Manual.
Only a select few codes listed will work with GasPot due to it being a pretend version of a real system.
The codes that do work include:
- I20100: In-Tank Inventory Report — Contains product name, tank volume, tank ullage, tank height, water content, and temperature.
- I20200: In-Tank Delivery Report — Shows the most recent delivery date and time.
- I20300: In-Tank Leak Detect Report — Indicates detected tank leaks.
- I20400: In-Tank Shift Inventory Report — Gas station attendant tracks fuel usage during a shift.
- I20500: In-Tank Status Report — Displays the current tank status.
- S60200: Set Tank Product Label — Changes tank labels.
If you enter codes that are unsupported by GasPot, you are going to be thrown a 9999FF1B error:
Function Code Formatting
If you decided to open the Veeder Root Serial Interface Manual yourself, you may have noticed the codes in there look a bit different than the ones I’ve listed out.
Let’s take a look at one now to alleviate any confusion. What you want to pay attention to is what’s under Command Format. <SOH> I205TT shows the In-Tank Status Report.
TLS-300/350/350R Monitoring Systems
There’s a reason we write it as I20500 instead:
Most response messages can be requested for either a single device (tank, sensor, line, etc.) or all devices. A “TT” in the function code signifies single device number 01 through 16. When “TT” is 00, it signifies all devices.
For example, S60200 is used for setting tank product labels.
If we want to change all the tank's product labels, we can use S60200. If we want to change the label only on Tank 1, we use S60201. Similarly, if we want to change the label on Tank 2, we use S60202. If you’re wondering what the <SOH> before the function code represents, it’s Ctrl + A (the escape character).
If a 6-digit RS-232 security PIN is set, we write that before the function code like so: <SOH> + PIN + CODE.
Real-World Relevance
To make a point, I want you to hop over to Shodan and make a free account.
Once you have an account, go up to the search bar. Search “port:10001” followed by I20100 (the TLS-350 Get In-Tank Inventory Report request we covered). Shodan uses I2100 for banner grabbing.
You must include I20100 next to the port because some devices have other services running on TCP/10001 like scp-config.
Out of the 10,178 results, a staggering 5,219 were within the United States, surpassing any other country.
Remarkably, 1,425 of these were flagged by Shodan as GasPot instances, but that still leaves 3,794 potentially susceptible systems. The vast majority of these vulnerable ATGs are affiliated with retail gas stations, truck stops, and convenience stores, totaling 3,794 potential hazards. Thanks to accidental information disclosure, all of these locations are discoverable on Google Maps.
What’s alarming is that many of the actions I’ve demonstrated can be executed on these devices without the need for authentication.
In fact, with a mere 10 seconds spent on an IoT search engine, anyone can uncover these vulnerabilities.
It’s worth noting that there are nearly 600 function codes an attacker could experiment with, while GasPot can only recognize 6. The attack surface is much wider than this article’s PoC lets on. Consider the possibilities for a determined attacker with the luxury of time and resources on their side.
The unsettling truth is that as long as these systems remain unsecured, bad actors could disable a significant portion of the country’s refueling infrastructure or trigger uncontrollable gas fires just by typing a few things on a computer.
Suggested Remediation
- Airgap the ATG if possible. Industrial control systems (ICS) shouldn’t be internet-available.
- If remote management is required, establish a secure VPN tunnel for access and set up an RS-232 security code on the serial interface.
- Configure stringent VPN and firewall ACLs to permit communication only from trusted IP addresses/ranges when accessing the gas station controller remotely. Block all other incoming connections.
- Implement network segmentation using VLANs to isolate the ATG and other critical systems from the broader network infrastructure of the gas station.
- Keep the ATG’s firmware and operating system updated to enhance security.
- Enable logging on the serial interface/mapped interface to capture evidence of unauthorized tampering, which can be crucial for audits, incident response procedures, and law enforcement efforts.
Conclusion
In conclusion, the vulnerabilities found in Automated Tank Gauges serve as a sobering reminder of our interconnected world’s fragility and the importance of fortifying our critical infrastructure in today’s digital age.
Safeguarding these systems is not just a duty but an absolute imperative to shield against potential disasters that could bring society to a standstill. We must support and invest in the cybersecurity of these systems so our communities can reliably access essential services without interruption. The urgency of this matter has only been amplified by recent events.
Just a day after proofreading this article, on December 11, 2023, the Washington Post disclosed that China’s cyber army had made moves to infiltrate US civilian infrastructure over the past year.
According to U.S. officials cited in the report, China appears to be strategically planning disruptive actions on US soil.
Brandon Wales, CISA’s executive director, observed a shift in Chinese spy tactics, veering away from traditional espionage. China’s new focus is on becoming a ghost in the wires rather than the halls of Congress. This evolution poses a challenge for defenders who must track down a cunning Chinese tiger lurking in the digital shadows before it pounces and wreaks havoc.
“You’re trying to build tunnels into your enemies’ infrastructure that you can later use to attack. Until then you lie in wait, carry out reconnaissance, figure out if you can move into industrial control systems or more critical companies or targets upstream. And one day, if you get the order from on high, you switch from reconnaissance to attack.” — Joe McReynolds, a China security studies fellow at the Jamestown Foundation
“It is very clear that Chinese attempts to compromise critical infrastructure are in part to pre-position themselves to be able to disrupt or destroy that critical infrastructure in the event of a conflict, to either prevent the United States from being able to project power into Asia or to cause societal chaos inside the United States — to affect our decision-making around a crisis” — Brandon Wales, executive director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA)
Hardening our critical infrastructure against attack transcends theoretical concerns; it is an immediate necessity demanding our attention and action.
Will you ever look at your gas station the same way after reading this? Do you think the responsibility for securing systems like ATGs lies more with the manufacturers, gas station owners, or government regulatory bodies? Share your thoughts in the comments!
