Skip to the content.

DIVD-2025-00005 - Exposed Automated Tank Gauge Systems

Our reference DIVD-2025-00005
Case lead Joris Cras
Researcher(s)
Products
  • Automated Tank Gauge Systems (ATG)
  • Veeder-Root TLS-250
  • Veeder-Root TLS-350
Versions
  • Various
Recommendation Operators should implement VPN gateways or dedicated hardware interfaces to connect ATGs with monitoring services. Alternative mitigations include applying source IP address filters or setting passwords on serial ports.
Patch status N/A, this is a configuration problem.
Workaround Restrict access using firewalls, implement source IP filtering, or set up a VPN for secure remote access.
Status Open
Last modified 06 May 2025 09:39 CEST

Summary

Automated Tank Gauge (ATG) systems are widely used in gas stations and other critical facilities to monitor fuel levels, detect leaks, and manage inventory. These industrial control systems have been found exposed directly to the internet without proper authentication mechanisms, creating significant security and potential safety risks.

The vulnerability affects ATG systems from various manufacturers, most notably Veeder-Root models including TLS-250 and TLS-350. These devices, when connected directly to the internet, can be accessed by sending specific commands through their serial interfaces (typically on port 10001), potentially allowing attackers to view fuel levels, change tank labels and alarm thresholds, or even modify critical monitoring parameters.

We’ve observed real-world incidents of attackers changing tank information, performing reconnaissance, and even launching DoS attacks against these systems. Previous security research has shown that manipulation of these systems could potentially lead to serious safety incidents, as demonstrated by a 2009 explosion in Puerto Rico that was linked to a malfunctioning computerized monitoring system.

Beyond typical gas stations, such systems are also deployed in military bases, hospitals, airports, emergency services, and power plants, making this exposure a concern for critical infrastructure security.

What you can do

If you operate an ATG system, we recommend the following security measures:

  1. Implement a VPN gateway or dedicated hardware interface to securely connect ATGs with monitoring services
  2. Apply source IP address filtering to restrict access to trusted networks
  3. Set passwords on serial ports where supported
  4. Place ATG systems behind properly configured firewalls
  5. Regularly audit network configurations for exposed systems
  6. Consider using a cellular gateway with private APN for remote monitoring needs

What we are doing

DIVD is conducting internet-wide scans to identify exposed ATG systems. Our scanning methodology uses carefully crafted commands (such as I90200, 980, and A81) that can identify the make and model of ATG systems without disrupting their operation. These commands allow us to verify device types, firmware versions, and configuration details while ensuring we don’t interfere with normal operations.

When scanning, we’re careful to identify specific model information and send a notification message informing operators that their systems were discovered as part of DIVD research (DIVD Case DIVD-2025-00005).

Our research has identified approximately 5,000-8,000 ATG systems directly exposed to the internet globally. We are working to contact the operators of these systems to advise on proper security controls and explain potential risk scenarios that could result from unauthorized access.

Timeline

Date Description
28 Nov 2024 Ad Buckens brings the ATG systems case to DIVD’s attention
15 Dec 2024 DIVD case created
10 Jan 2025-
01 Apr 2025
Research into vulnerabilities of ATG systems
01 Mar 2025-
15 Apr 2025
Creation of target list and fingerprinting methodology
29 Apr 2025 Start scanning
gantt title DIVD-2025-00005 - Exposed Automated Tank Gauge Systems dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2025-00005 - Exposed Automated Tank Gauge Systems (still open) :2024-12-15, 2025-05-13 section Events Ad Buckens brings the ATG systems case to DIVD’s attention : milestone, 2024-11-28, 0d DIVD case created : milestone, 2024-12-15, 0d Research into vulnerabilities of ATG systems (81 days) : 2025-01-10, 2025-04-01 Creation of target list and fingerprinting methodology (45 days) : 2025-03-01, 2025-04-15 Start scanning : milestone, 2025-04-29, 0d

More information