Cyber-Attackers Targeting Web-Connected Fuel Tanks, Experiment Finds

A handful of attackers targeted fake fuel-tank monitors during a six-month experiment, showing that real Internet-connected monitors are at risk, according to Trend Micro researchers.

Attackers have begun targeting fuel-tank monitoring systems, which are known to be vulnerable to manipulation, researchers at security firm Trend Micro stated in a report released on Aug. 5.

The researchers used custom-created honeypot programs to emulate a common fuel-tank monitoring device used to track gasoline levels at gas stations. They found dozens of attempts to access the six systems, which were deployed in different locations across the globe, including the United States, Germany, Jordan and the United Arab Emirates.

The experiment, dubbed GasPot, aimed to explore attackers' interest in noncritical industrial control systems (ICS), Kyle Wilhoit, senior threat researcher at Trend Micro, told eWEEK.

"This research is not about showing that these pumps are going to blow up, but that there are vulnerabilities in the ICS world," he said. "These devices should never be [connected to] the Internet."

Like many other devices linked to the Internet of things, automated gas-pump monitoring systems pose a risk because many do not have security built into their design or have been improperly configured. In January, an oil-and-gas technology consultant and researchers from security firm Rapid7 found that more than 5,300 monitoring devices were directly connected to the Internet and could be accessed by attackers. An attack on the devices could be used to report false fuel readings or fake a leak in a gas tank.

In Trend Micro's honeypot experiment, researchers created six virtual tank-monitoring systems, modeled after Guardian AST devices. The GasPot systems recorded more than 200 automated scanning and basic connection attempts over a six-month period, according to the researchers. In addition, the honeypots detected more than four dozen attempts to use various commands to make changes to the systems.

In the end, however, only four modifications were made to the systems. In one case, attackers attempted to change the name of one tank to "H4CK3D by IDC-TEAM" and another tank name to "AHAAD WAS HERE." On its face, the modifications appear to implicate hackers from the Iranian Dark Coders (IDC) Team, a group that supports the Iranian government, in hacking into the systems.

In another case, attackers targeted a system in the Washington, D.C., area with a flood of data, peaking at 2 Gbps and lasting two days. Such a distributed denial-of-service (DDoS) attack would prevent the legitimate owner of the device from monitoring its status, but would likely have little other effect, Wilhoit said.

"The types of attacks depend entirely on the sophistication of the tank monitoring systems installed," Trend Micro said in an online statement. "Simple ones can only enable attackers to monitor the status of the system, while more sophisticated systems allow attackers to take control of and manipulate their targets' tanks."

Most of the attacks encountered by the researchers, about 44 percent, focused on the system in the United States, Trend Micro's report stated. Jordan, at 17 percent, was the next most popular target. A honeypot in Germany encountered no attacks during the six-month experiment.

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...