US gas stations may be ripe for hacking

In today's entry of "things you didn't know could be hacked," let's discuss gas stations. That roadside filling stations might have Internet connections is perhaps not so surprising, but that's where their technical sophistication often ends. The problem is that many fueling stations in the United States use Internet-connected industrial devices that aren't secured with so much as a password.

A posting Jan. 22 on SecurityStreet, Boston-based IT security company Rapid7's blog, states that the trouble lies in automated tank gauges (ATGs), which almost every gas station in the U.S. employs to monitor fuel levels and fuel-tank conditions.

Technicians can access ATGs through serial ports on gas pumps, but for the sake of convenience, many ATGs can be hooked up to a router, or directly to a modem, to transmit and receive remote data. Generally speaking, Rapid7's HD Moore wrote, technicians do not alter the ATGs' default configurations or protect them with passwords.

On Jan. 10, Rapid7 did an Internet-wide scan to determine how widespread ATG insecurity might be, and found that of an estimated 150,000 gas stations in the country, at least 5,300 of them had ATGs that were connected to the Internet without any sort of administrative password, making them ripe for a simple hack or two.

That amounts to approximately 3 percent of all gas stations: not huge, but not insignificant by any means. Rapid7 couldn't scan the presumably much larger number of gas-station ATGs that are connected directly to telephone land lines, skipping the Internet altogether. Many of those ATGs probably wouldn't have passwords, either, and could theoretically be attacked by someone who knew the telephone numbers and data protocols.

As for how disastrous ATG hacking could be, it depends mostly on how clever the attacker is. ATGs can't cause a gas hose to start spraying down customers or ignite of its own volition, but they do have the ability to alert technicians to dangerous conditions or shut down the pump entirely. A dedicated malefactor could inconvenience customers by shutting down a fuel tank, or hurt them by disabling an alarm -- basically, a denial-of-service attack on a service station.

The good news is that, so far as Rapid7 is aware, no one has taken advantage of this security SNAFU in the wild. It's also quite easy to remedy: Gas-station technicians can simply add a password to their systems and share that password with their fuel suppliers.

There's not much to be done from a consumer standpoint, save for buying an electric car.