DIVD-2025-00005 - Exposed Automated Tank Gauge Systems

Summary

Automated Tank Gauge (ATG) systems are widely used in gas stations and other critical facilities to monitor fuel levels, detect leaks, and manage inventory. These industrial control systems have been found exposed directly to the internet without proper authentication mechanisms, creating significant security and potential safety risks.

The vulnerability affects ATG systems from various manufacturers, most notably Veeder-Root models including TLS-250 and TLS-350. These devices, when connected directly to the internet, can be accessed by sending specific commands through their serial interfaces (typically on port 10001), potentially allowing attackers to view fuel levels, change tank labels and alarm thresholds, or even modify critical monitoring parameters.

We’ve observed real-world incidents of attackers changing tank information, performing reconnaissance, and even launching DoS attacks against these systems. Previous security research has shown that manipulation of these systems could potentially lead to serious safety incidents, as demonstrated by a 2009 explosion in Puerto Rico that was linked to a malfunctioning computerized monitoring system.

Beyond typical gas stations, such systems are also deployed in military bases, hospitals, airports, emergency services, and power plants, making this exposure a concern for critical infrastructure security.

What you can do

If you operate an ATG system, we recommend the following security measures:

1. Implement a VPN gateway or dedicated hardware interface to securely connect ATGs with monitoring services
2. Apply source IP address filtering to restrict access to trusted networks
3. Set passwords on serial ports where supported
4. Place ATG systems behind properly configured firewalls
5. Regularly audit network configurations for exposed systems
6. Consider using a cellular gateway with private APN for remote monitoring needs

What we are doing

DIVD is conducting internet-wide scans to identify exposed ATG systems. Our scanning methodology uses carefully crafted commands (such as I90200, 980, and A81) that can identify the make and model of ATG systems without disrupting their operation. These commands allow us to verify device types, firmware versions, and configuration details while ensuring we don’t interfere with normal operations.

When scanning, we’re careful to identify specific model information and send a notification message informing operators that their systems were discovered as part of DIVD research (DIVD Case DIVD-2025-00005).

Our research has identified approximately 5,000-8,000 ATG systems directly exposed to the internet globally. We are working to contact the operators of these systems to advise on proper security controls and explain potential risk scenarios that could result from unauthorized access.

Timeline

More information

• Critical Vulnerabilities Discovered in Automated Tank Gauge Systems - BitSight
• The GasPot Experiment - Trend Micro
• The Internet of Gas Station Tank Gauges - Rapid7
• Explosion in 2009 in Puerto Rico, related to a malfunctioning Tank Guage