Trend Micro researchers Kyle Wilhoit and Stephen Hilt decided to take a closer look at gas station monitoring systems after one was hacked earlier this year. They set up fake internet-connected systems called “GasPots” — honeypots that mimic the real ones — in several countries to track hackers’ movements.
As it turns out, gas monitors are never safe: the researchers observed a number of attacks on their GasPots within a period of six months, with US-based ones being the most targeted. Some instances were clearly for reconnaissance purposes, as they were merely automated scanners pinging the monitors. Others were more intrusive, with the hackers changing GasPot names to something else. Once, they changed a name to “SEAcannngo,” presumably to represent the Syrian Electronic Army, which denied any involvement to Motherboard.
In another instance, hackers named a GasPot “H4CK3D by IDC-TEAM,” the same message Iranian Dark Coders Team members use when they crack websites. Notably, when the real gas station was hacked in February, its name was also switched from “DIESEL” to “WE_ARE_LEGION,” which is commonly associated with hacker collective Anonymous. One GasPot in DC also suffered a DDoS attack for two days.
Gas monitoring systems or automated tank gauges (ATG) keep an eye on fuel levels, volume and temperature, among other stats. Many of them are easy to get into, because they’re not protected by passwords. Companies are likely not keeping them heavily protected, since they can’t really be manipulated to do something extremely destructive — like blow up a gas station.
However, the Trend Micro researchers warn that ATG cyberattacks could still cause serious issues. Hackers can monitor one to find out when a facility is expecting the next fuel delivery or hold it hostage and ask for ransom. They can also fake fuel levels to induce overflow and put the lives of people in the area in danger. By the end of their experiment, Wilhoit and Hilt concluded that supervisory systems shouldn’t be connected to the internet. “If they really need to be,” their white paper reads, “their security should be so strong that access to them is extremely limited and private.”