
Thousands of internet-exposed fuel gauges could be hacked and dangerously exploited

Thousands of automatic tank gauge (ATG) systems used in gas stations, power plants, airports, military bases, and other critical infrastructure facilities are exposed to the internet and using insecure legacy protocols and vulnerable management interfaces, according to researchers from security firm BitSight Technologies.

ATG systems are used to monitor the fuel level, pressure, and temperature inside fuel tanks and are also designed to detect potential leaks and trigger countermeasures. Attackers could exploit such weaknesses to change tank configurations and disable alarms which could result in overfills and dangerous fuel leaks.

The vulnerability of ATG systems has been known since at least 2015, when a Trend Micro investigation set up the GasPots Experiment, deploying honeypot systems to lure attackers, investigate their methods, and assess weaknesses.

In its recent study, the BitSight researchers found 11 critical and high-severity vulnerabilities in six ATG models from five different manufacturers, focusing their analysis on the models most commonly found exposed to the internet.

The flaws included OS command injection, hardcoded credentials, authentication bypasses, cross-site scripting, SQL injection, arbitrary file reads, and privilege escalation. The US Cybersecurity and Infrastructure Security Agency (CISA) issued advisories for these vulnerabilities on Tuesday.

Most of the flaws could allow attackers to obtain administrator privileges on either the management interface or the underlying operating system, enabling them to temporarily disable or cause physical damage to systems and their peripheral devices such as valves, pumps, ventilation systems, and sirens.

Fundamental security flaws should have long been addressed

Moreover, the researchers noted the lack of standard security coding practices and by-design mitigations that could have avoided entire classes of vulnerabilities in these systems.

“It is not the number of new vulnerabilities that is most concerning, and probably not even their criticality, but that they reflect fundamental security flaws that should have been addressed long ago,” the researchers said in their report.

“We found vanilla reflected XSS. The authentication bypasses were direct path access. The command injections lacked filtering. There were hardcoded administrator credentials. The arbitrary file read was a direct path traversal access, yielding admin credentials. The SQL injection could be exploited aided by full SQL error logs.”

ATGs have a long track record of security issues

Multiple teams of researchers have warned over the past decade that internet-connected ATG systems are insecure, primarily because of their use of a legacy protocol, the Veeder-Root TLS-450 protocol, which was originally designed to work over a serial interface and lacks modern security protections.

ATG systems can also be connected to TCP/IP networks, in which case they listen for commands on TCP port 10001 and forward them to the serial interface.

By exposing their ATG systems to the internet for remote management and monitoring purposes, asset owners inadvertently expose this insecure protocol to attacks. While the protocol supports a “security code” option, the code is optional and weak: it is only six digits long.

“By default, it is not used, perhaps because some models require manual dip-switch configuration to enable the feature to begin with,” the BitSight researchers said. “The security code is described as a six-digit code. It makes sense if you consider that the older models had a numeric keypad. This yields about 1,000,000 combinations, a code that can nowadays be trivially guessed. An attacker able to try a modest amount of 100 combinations per second would need less than three hours to iterate over the entire code space.”

The protocol can be used to change network configuration and alarm destinations; alter tank, pump and relay parameters that can have a physical impact; and can be used to start and stop leak detection tests, both for tanks and pressure lines.

Vulnerabilities can result in physical damage

“In a nutshell, those actions can lead to the disastrous consequences to which the vendors warned about,” the researchers said. “This is why it is paramount to disconnect any ATG from the Internet. Still, looking at the last month alone we can find 6,542 devices (excluding GasPots) directly connected to the Internet without any security code at all.”

In early September, a team of Ukrainian hackers who target Russian infrastructure reported hacking into multiple routers and industrial control systems. One of the screenshots posted on X by the team was from an ATG system.

Aside from the insecure command protocol itself, the 11 vulnerabilities found by BitSight could be used to trigger permanent faults in the ATG systems and their peripherals. For example, the devices control ventilation systems, emergency shutoff valves, sirens, and pumps through relays that can be turned on or off and have different voltages running through them.

Like most electrical devices, relays have an electrical service life. By looking at the datasheet for certain investigated models, the researchers saw that the relays are guaranteed to work for 1,000,000 operations at the lowest operating current. This means that after this limit is hit, there’s a high chance the relay will break down.

The researchers set out to test this and ran commands using the on-device command line tools to turn a relay ON and OFF at around 50 times per second with a 2A, 30V DC load. The relay started having problems after the first four hours and failed by burning out after 6.2 hours or 1,123,520 operations.

On top of using the local command line interface, such an attack can also be performed over the internet through the ATG protocol by using function code 809, which sets the relay orientation and has the side effect of switching the relay on and off.

Peripheral devices could burn out before the systems themselves

The researchers also warned that the peripheral devices connected to those relays might malfunction much earlier than the relays themselves since they were not designed to sustain many on/off cycles as part of normal operation. Even if they don’t manage to kill the relay, attackers could very well disable an emergency shutoff valve, for example.

“Experts that we have spoken with expressed specific concern about the ability for an attacker to change tank settings remotely,” the researchers said. “Alarms are very important for refilling operators to understand when the tank is about to be full and to have enough time to stop the refilling. Without alarms, the probability for a spill will increase significantly, which, depending on the type of fuel, could create a dangerous situation.”

Other attacks could involve reconfiguring the system, deleting values, or reflashing the device with faulty firmware which would result in the ATG system suffering downtime. Attackers could also obtain information about fuel consumption patterns which could help them prepare for other destructive attacks or allow them to make a tank disappear from monitoring entirely and then physically steal fuel from it.

“Among the organizations affected by these new vulnerabilities, we were surprised to find airports, government systems, manufacturing and utilities companies, to give some examples,” the researchers said. “One thing is clear, regarding ATG systems in general and these new vulnerabilities in particular: the US is the most affected country by far.”

Organizations should immediately identify their deployed ATG systems, including those operated by third-party business partners, and perform a security assessment of them. The systems should not be connected directly to the internet, and firewalls should be placed in front of them to prevent unauthorized access.
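The port 10001 exposure and the six-digit security-code math described earlier, together with the firewall advice in this paragraph, as an added detection example that is not part of the article or of BitSight's research: it parses constructed firewall log lines (the line format, the 10.20.1.0/24 management subnet and all IP addresses are assumptions) and flags ATG-port connections from outside the allowed networks as well as per-second connection bursts consistent with someone guessing the security code.

```python
import ipaddress
import re
from collections import Counter

ATG_PORT = 10001  # TCP port the article says exposed ATGs accept protocol commands on

# Constructed firewall log lines for illustration (not from any real device).
# Assumed format: "<epoch> <action> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = [
    "1700000000 ACCEPT 10.20.1.15:51000 -> 10.20.1.2:10001",   # on-site management host
    "1700000001 ACCEPT 10.20.1.15:51001 -> 10.20.1.2:443",     # unrelated port, ignored
    "1700000002 ACCEPT 203.0.113.7:40000 -> 10.20.1.2:10001",  # internet source reached the ATG
] + [
    # one internet source opening 120 sessions within a single second, the trace a
    # six-digit security-code guessing run would leave behind
    f"1700000005 ACCEPT 198.51.100.9:{40000 + i} -> 10.20.1.2:10001" for i in range(120)
]

LINE_RE = re.compile(r"^(\d+) (\w+) ([\d.]+):\d+ -> [\d.]+:(\d+)$")


def parse(lines):
    """Yield (epoch, action, src_ip, dst_port) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m[1]), m[2], m[3], int(m[4])


def analyze(lines, allowed_nets, burst_threshold=50):
    """exposed: sources outside allowed_nets that reached the ATG port at all.
    bursts: (src, epoch, count) where one source opened >= burst_threshold sessions
    to the ATG port within one second, the rate a code-guessing tool would show."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    exposed, per_second = set(), Counter()
    for epoch, action, src, dport in parse(lines):
        if dport != ATG_PORT or action != "ACCEPT":
            continue
        if not any(ipaddress.ip_address(src) in n for n in nets):
            exposed.add(src)
        per_second[(src, epoch)] += 1
    bursts = sorted((s, t, c) for (s, t), c in per_second.items() if c >= burst_threshold)
    return {"exposed": sorted(exposed), "bursts": bursts}


def brute_force_seconds(code_space=10**6, guesses_per_second=100):
    """Worst-case seconds to exhaust a numeric code space at a given guess rate
    (the article's figures: 1,000,000 codes at 100/s is under three hours)."""
    return code_space / guesses_per_second
```

Any entry in `exposed` means the device is reachable from a network it should not be, which is exactly the condition the firewall placement above is meant to remove.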

The ATG models impacted by the new flaws found by BitSight include the Maglink LX, Maglink LX4, OPW SiteSentinel, Proteus OEL8000, Alisonic Sibylla and Franklin TS-550. However, other models have had their ATG protocol exposed and could be connected to the internet.
