LAS VEGAS — Fuel-level monitors of the sort used by many U.S. gas stations may be under attack by hackers in Iran and Syria, two researchers told attendees of the Black Hat security conference here yesterday (Aug. 5).
Kyle Wilhoit and Stephen Hilt, researchers for antivirus maker Trend Micro, set up 10 "honeypots," fake machines placed on the Internet to lure malicious hackers. Normal honeypots mimic computers, but these pretended to be Guardian AST automated tank gauges made by Veeder-Root of Simsbury, Conn.
The researchers were surprised by the number of politically motivated attacks they observed from volatile Middle Eastern countries. They weren't worried about terrorists using the Internet to blow up gas-station fuel tanks, but said that the attackers might be performing reconnaissance for future projects.
Automated tank gauges (ATGs) monitor fuel levels in gas-station tanks, sending messages to gas-station owners and fuel distributors when levels get low. Many of these systems are connected to the Internet, and a January 2015 paper by researchers at Boston security firm Rapid7 showed that about 5,800 ATGs worldwide — most in the United States — were connected to the Internet without a password.
Most of the vulnerable systems found by Rapid7 were made by Veeder-Root, and operating manuals for its ATG systems — some of which date to the 1990s — can easily be found online.
Anyone can use the Shodan search engine to find Internet-connected ATGs, then refer to the manuals to send valid commands that could change tank names, alter fuel types, order or cancel deliveries or change the designated volume of a tank. Such changes could result in mixed fuel that could damage vehicle engines, tank overflows, or tanks running dry.
Hilt and Wilhoit set up 10 honeypots, or "GasPots" as the researchers dubbed them, in seven different countries around the world and ran them for the first six months of 2015. The GasPots mostly attracted low-level queries, but in 23 instances, attackers sent valid Guardian AST commands that changed pump names or performed other modifications.
Two of the most serious incidents were against a GasPot installed on a server in Jordan. There, two separate attacks resulted in pump names being defaced to read "H4CK3D by IDC-TEAM" and "AHAAD WAS HERE."
Both messages are "tags" used in attacks attributed to Iranian Dark Coders (IDC), a crew of pro-Tehran hackers who mainly deface websites thought to be anti-Iranian. The attacks also came from Internet Protocol (IP) addresses previously linked to IDC attacks.
Meanwhile, a GasPot set up in Washington, D.C. suffered a substantial distributed denial-of-service (DDoS) attack, which flooded its Internet connection with bogus data, cutting it off from the world for two days.
An associated message declared affiliation with the Syrian Electronic Army (SEA), a group supporting Syrian President Bashar al-Assad, an ally of Iran. The SEA has become famous for defacing websites belonging to Western and Arab news organizations.
Wilhoit and Hilt made clear that the attacks were not truly destructive — there were no attempts to change tank volume, for instance, which might have resulted in gasoline spillage during tank refills. But the surprising number of attacks reinforces the dangers that result when unprotected devices are connected to the Internet.
The researchers invited members of the audience to set up more honeypots, using software that they posted online at github.com/sjhilt/GasPot. They also posted a research paper, which can be read on the Trend Micro website.