Nearly a decade has passed since the cybersecurity community started warning about automatic tank gauge (ATG) systems being exposed to remote hacker attacks, and critical vulnerabilities continue to be found in these devices.

ATG systems are designed for monitoring the parameters in a storage tank, including volume, pressure, and temperature. They are widely deployed in gas stations, but are also present in critical infrastructure organizations, including military bases, airports, hospitals, and power plants. 

Several cybersecurity companies showed in 2015 that ATGs could be remotely hacked, and some even warned — based on honeypot data — that these devices have been targeted by hackers.  

Bitsight conducted an analysis earlier this year and found that the situation has not improved in terms of vulnerabilities and exposed devices. The company looked at six ATG systems from five different vendors and found a total of 10 security holes.

The impacted products are Maglink LX and LX4, OPW SiteSentinel, Proteus OEL8000, Alisonic Sibylla, and Franklin TS-550. 

Seven of the flaws have been assigned ‘critical’ severity ratings. They have been described as authentication bypass, hardcoded credentials, OS command execution, and SQL injection issues. The remaining vulnerabilities are high-severity XSS, privilege escalation, and arbitrary file read issues. 

“All these vulnerabilities allow for full administrator privileges of the device application and, some of them, full operating system access,” Bitsight warned.

In a real-world scenario, a hacker could exploit the vulnerabilities to cause a DoS condition and disable devices. A pro-Ukraine hacktivist group actually claims to have disrupted a tank gauge recently. 

Bitsight warned that threat actors could also cause physical damage. 

“Our research shows that attackers can easily change critical parameters that may result in fuel leaks, such as tank geometry and capacity. It is also possible to disable alarms and the respective actions that are triggered by them, both manual and automatic ones (such as ones activated by relays),” the company said. 

It added, “But perhaps the most damaging attack is making the devices run in a way that might cause physical damage to their components or components connected to it. In our research, we’ve shown that an attacker can gain access to a device and drive the relays at very fast speeds, causing permanent damage to them.”

The cybersecurity firm also warned about the possibility of attackers causing indirect damage.

“For example, it is possible to monitor sales and get financial insights about sales in gas stations. It is also possible to simply delete an entire tank before proceeding to silently steal the fuel, an increasing trend. Or monitor fuel levels in critical infrastructures to decide the best time to conduct a kinetic attack. Or even plainly use the device as a means to pivot into internal networks,” it explained. 

Bitsight has scanned the web for exposed and vulnerable ATG devices and found thousands, particularly in the United States and Europe, including ones used by airports, government organizations, manufacturing facilities, and utilities. 

The company then monitored exposure between June and September, but did not see any improvement in the number of exposed systems. 

Impacted vendors have been notified through the US cybersecurity agency CISA, but it’s unclear which vendors have taken action and which vulnerabilities have been patched.

UPDATE: CISA has released advisories for these vulnerabilities. The agency’s advisories reveal that while some vendors have released patches and/or mitigations, others have not responded to responsible disclosure attempts.

Related: Number of Internet-Exposed ICS Drops Below 100,000: Report

Related: Study Finds Excessive Use of Remote Access Tools in OT Environments

Related: CERT/CC Warns of Unpatched Critical Vulnerability in Microchip ASF