This story is over 5 years old.

Hackers Are Targeting Internet-Connected Gas Stations

Someone claiming to represent Anonymous is targeting unsecured gas pump monitors, cybersecurity experts say.
February 11, 2015, 4:25pm
​Image: Flickr/​kayugee

​A hacker apparently associated with Anonymous, the nebulous hacktivist group that recently attempted to expose both celebrity sex tapes and pedophile rings at the highest levels of power, is attacking gas pump monitoring devices, according to cybersecurity firm Trend Micro.

The attacker targeted the internet-connected Automated Tank Gauges (ATGs) used by gas stations to monitor fuel levels and trigger alarms in the case of emergencies, according to a blog post written by Trend Micro researcher Kyle Wilhoit and researched by cybersecurity consultant Stephen Hilt. While scanning Internet of Things search engine Shodan, the pair found a pump monitoring station that had its name changed from "DIESEL" to "WE_ARE_LEGION," a common slogan for Anonymous.


"It became apparent that an attacker had modified one of these pump-monitoring systems in the US," wrote Wilhoit. "This pump system was found to be internet facing with no implemented security measures."

So, apparently it was really easy, and as with any hack, the name change doesn't directly implicate Anonymous. While the slogan may indicate Anonymous's involvement, it's in the nature of the collective that the attack could have been executed by anyone pretending to represent the group.

​Despite the fact that it really was nothing more than a name change, the ATG attack is still concerning, because it shows just how vulnerable these systems can be. Consider this: if you woke up one day and found that someone had changed your laptop's name, wouldn't you be worried about what else an attacker could do with access to your computer? The case is the same for ATGs, the Trend Micro researchers wrote.

"An outage of these pump monitoring systems, while not catastrophic, could cause serious data loss and supply chain problems," Wilhoit wrote. "For instance, should a volume value be misrepresented as low, a gasoline truck could be dispatched to investigate low tank values. Empty tank values could also be shown full, resulting in gas stations [that] have no fuel."

The security vulnerabilities of internet-connected ATGs have been well-documented. In January, HD Moore, chief research officer at security firm Rapid7, found that a large number of ATGs in America were essentially being left completely defenseless against any potential hackers.

"Approximately 5,800 ATGs were found to be exposed to the internet without a password," Moore wrote in a blog post. "Over 5,300 of these ATGs are located in the United States, which works out to about 3 percent of the approximately 150,000 fueling stations in the country."

While it's still not clear whether or not Anonymous is really to blame for changing the name of an internet-connected gas pump monitor, somebody did. It's yet another reminder that as the Internet of Things—the networked universe of internet-connected devices—grows, so does the challenge of securing it against malicious hackers.