Fuel tank gauges vulnerable to attackers

The serial port interfaces of nearly 6,000 automated tank gauges (ATGs) — 5,300 of them in the U.S. — aren't password protected, leaving them vulnerable to attackers who, with access to the interfaces, could shut down filling stations across the country.

Hackers could spoof the fuel tank levels, generate false alarms or prevent operators from monitoring the ATGs, according to a Security Street blog by Rapid7, which has conducted considerable research on exposed serial ports. 

The ATG issue was reported to the security firm by Kachoolie founder Jack Chadowitz, who did work in the fueling industry and has created a way to test ATGs for exposure.

While there are no reported cases of ATGs being exploited in the wild, Rapid7 recommended taking precautionary measures, perhaps “using a VPN gateway or other dedicated hardware interface to connect their ATGs with their monitoring service.”
