More than 5,000 devices in petrol stations in the US can be manipulated from the internet, causing false alarms, closure of the petrol station and locking the monitoring services out of the system.
The issue with the devices – known as automated tank gauges (ATGs) – appears to affect about 35 stations in the entire US, after security researchers performed a scan for unprotected devices.
“An attacker with access to the serial port interface of an ATG may be able to shut down the station by spoofing the reported fuel level, generating false alarms, and locking the monitoring service out of the system”, said HD Moore, the chief research officer at security firm Rapid7, in a blog post.
“Tank gauge malfunctions are considered a serious issue due to the regulatory and safety issues that may apply.”
The security researcher ran a scan to detect ATGs that are connected to the internet through serial port servers that map ATG serial interfaces to the Internet-accessible TCP port 10001, reports CSO Online.
The results were that 5,800 ATGs were found to be exposed to the internet without a password, and more than 5,300 of these are in the US.
"Operators should consider using a VPN [virtual private network] gateway or other dedicated hardware interface to connect their ATGs with their monitoring service," the researcher said. "Less-secure alternatives include applying source IP address filters or setting a password on each serial port," recommended Moore.
Meanwhile, the number of devices, gadgets and vehicles that could be vulnerable to cyberattack is ever-growing. Earlier this year We Live Security reported how garage doors with electronic locks could be forced open with nothing more than a children's toy.