Around 5,300 gas stations in the United States could be vulnerable to a remote cyberattack on the automated tank gauges, causing the pumps to flag alerts or even shut down, reports Ars Technica.
The issue, explains SC Magazine, is that the serial port interfaces in the automated tank gauges (ATG) are not password protected. The research explains that the majority of the vulnerable automated tank gauges can be found in New York, Texas, Virginia, Florida, Illinois, Maryland, California, Pennsylvania, Connecticut and Tennessee.
Although this is a small fraction of the gas stations throughout the United States (of which there are around 115,000), the exploit at the 5,300 stations affected by the vulnerability could be used to change the settings reporting fuel quantity – or even flag up a false leak, shutting the pumps down. They could possibly be tampered with more deviously to force the station to run out of gas by faking a full inventory, as Jack Chadowitz, the man who found the weakness, told Ars Technica: “One could change the calibration and make the tank report full or empty. If you report the tank is full, no one is going to order fuel.”
The manufacturer of the vulnerable ATGs, Veeder-Root responded to the disclosure in a statement from the company’s president, Andrew Hider:”We have taken immediate and decisive steps to inform each of our customers about activating the security features already available in their tank gauges. It is important to note that no unauthorized access of any kind have been reported by any of our customers in regard to our gauges, but we feel that any question regarding security is met with the appropriate resources to safeguard Veeder-Root customers.”
To date, there are no reported cases of automated tank gauges being hacked in this way, but the researchers recommend taking precautions against such attacks anyway, such as using a VPN gateway to connect the ATGs to their monitoring service.