DIVD-2025-00005 - Exposed Automated Tank Gauge Systems
Our reference | DIVD-2025-00005 |
Case lead | Joris Cras |
Researcher(s) |
|
Products |
|
Versions |
|
Recommendation | Operators should implement VPN gateways or dedicated hardware interfaces to connect ATGs with monitoring services. Alternative mitigations include applying source IP address filters or setting passwords on serial ports. |
Patch status | N/A, this is a configuration problem. |
Workaround | Restrict access using firewalls, implement source IP filtering, or set up a VPN for secure remote access. |
Status | Open |
Last modified | 06 May 2025 09:39 CEST |
Summary
Automated Tank Gauge (ATG) systems are widely used in gas stations and other critical facilities to monitor fuel levels, detect leaks, and manage inventory. These industrial control systems have been found exposed directly to the internet without proper authentication mechanisms, creating significant security and potential safety risks.
The vulnerability affects ATG systems from various manufacturers, most notably Veeder-Root models including TLS-250 and TLS-350. These devices, when connected directly to the internet, can be accessed by sending specific commands through their serial interfaces (typically on port 10001), potentially allowing attackers to view fuel levels, change tank labels and alarm thresholds, or even modify critical monitoring parameters.
We’ve observed real-world incidents of attackers changing tank information, performing reconnaissance, and even launching DoS attacks against these systems. Previous security research has shown that manipulation of these systems could potentially lead to serious safety incidents, as demonstrated by a 2009 explosion in Puerto Rico that was linked to a malfunctioning computerized monitoring system.
Beyond typical gas stations, such systems are also deployed in military bases, hospitals, airports, emergency services, and power plants, making this exposure a concern for critical infrastructure security.
What you can do
If you operate an ATG system, we recommend the following security measures:
- Implement a VPN gateway or dedicated hardware interface to securely connect ATGs with monitoring services
- Apply source IP address filtering to restrict access to trusted networks
- Set passwords on serial ports where supported
- Place ATG systems behind properly configured firewalls
- Regularly audit network configurations for exposed systems
- Consider using a cellular gateway with private APN for remote monitoring needs
What we are doing
DIVD is conducting internet-wide scans to identify exposed ATG systems. Our scanning methodology uses carefully crafted commands (such as I90200, 980, and A81) that can identify the make and model of ATG systems without disrupting their operation. These commands allow us to verify device types, firmware versions, and configuration details while ensuring we don’t interfere with normal operations.
When scanning, we’re careful to identify specific model information and send a notification message informing operators that their systems were discovered as part of DIVD research (DIVD Case DIVD-2025-00005).
Our research has identified approximately 5,000-8,000 ATG systems directly exposed to the internet globally. We are working to contact the operators of these systems to advise on proper security controls and explain potential risk scenarios that could result from unauthorized access.
Timeline
Date | Description |
---|---|
28 Nov 2024 | Ad Buckens brings the ATG systems case to DIVD’s attention |
15 Dec 2024 | DIVD case created |
10 Jan 2025- 01 Apr 2025 |
Research into vulnerabilities of ATG systems |
01 Mar 2025- 15 Apr 2025 |
Creation of target list and fingerprinting methodology |
29 Apr 2025 | Start scanning |
More information
- Critical Vulnerabilities Discovered in Automated Tank Gauge Systems - BitSight
- The GasPot Experiment - Trend Micro
- The Internet of Gas Station Tank Gauges - Rapid7
- Explosion in 2009 in Puerto Rico, related to a malfunctioning Tank Guage