• Automated Tank Gauge (ATG) Remote Configuration Disclosure

    From Security Bot@2:250/1 to All on Mon Dec 5 08:22:00 2022


    In 2015, HD Moore, the creator of Metasploit, published an article
    disclosing over 5,800 gas station Automated Tank Gauges (ATGs) which were
    publicly accessible. Besides monitoring for leakage, these systems are
    also instrumental in gauging fluid levels and tank temperature, and can
    alert operators when tank volumes are too high or have reached a critical
    low. ATGs are utilized by nearly every fueling station in the United
    States and by tens of thousands of systems internationally. They are most
    commonly manufactured by Veeder-Root, a supplier of fuel dispensers,
    payment systems, and forecourt merchandising. For remote monitoring of
    these fuel systems, operators will commonly map the ATG serial interface
    to an internet-facing TCP port (generally set to TCP 10001). This script
    reads the Get In-Tank Inventory Report from TCP/10001 as a proof of
    concept to demonstrate the arbitrary access.

    https://packetstormsecurity.com/files/169703/atg_client.py.txt

    Thu, 03 Nov 2022 12:29:09 GMT
    ________________________________
    --- The information is for informational purposes only.
    * Origin: Read us with http://winpoint.org JID: rs@captflint.com
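
Added example, not part of the original post or of the linked script: a defender-side check that reads firewall logs and reports which ATG hosts had TCP/10001 reached by sources outside the monitoring allowlist. The log format, the addresses and the allowlist are constructed assumptions for illustration.

```python
"""Added example: flag non-allowlisted sources reaching ATG hosts on TCP/10001."""
import ipaddress
from collections import defaultdict

ATG_PORT = 10001  # port the post says the ATG serial interface is generally mapped to

# Assumption: networks permitted to poll the gauges (constructed values).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.16/28")]

# Constructed firewall log lines: "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2022-11-03T12:01:10Z ALLOW tcp 10.20.4.7:51022 -> 10.50.1.10:10001
2022-11-03T12:03:44Z ALLOW tcp 198.51.100.23:40112 -> 10.50.1.10:10001
2022-11-03T12:03:59Z ALLOW tcp 198.51.100.23:40130 -> 10.50.1.11:10001
2022-11-03T12:05:02Z DENY tcp 203.0.113.9:33001 -> 10.50.1.10:10001
2022-11-03T12:06:30Z ALLOW tcp 203.0.113.9:33950 -> 10.50.1.10:443
2022-11-03T12:07:00Z ALLOW udp 198.51.100.23:5353 -> 10.50.1.10:10001
malformed line without the expected fields
"""

def parse_line(line):
    """Return (action, proto, src_ip, dst_ip, dst_port), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    try:
        src_ip, _sport = parts[3].rsplit(":", 1)
        dst_ip, dport = parts[5].rsplit(":", 1)
        return (parts[1], parts[2].lower(), ipaddress.ip_address(src_ip),
                ipaddress.ip_address(dst_ip), int(dport))
    except ValueError:
        return None

def is_allowed(src):
    """True when the source address falls inside one of the allowlisted networks."""
    return any(src in net for net in ALLOWED_SOURCES)

def find_atg_exposure(log_text):
    """Map each ATG host to the non-allowlisted sources that were allowed through to TCP/10001."""
    exposed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        action, proto, src, dst, dport = rec
        if action == "ALLOW" and proto == "tcp" and dport == ATG_PORT and not is_allowed(src):
            exposed[str(dst)].add(str(src))
    return {host: sorted(srcs) for host, srcs in exposed.items()}

if __name__ == "__main__":
    for host, sources in find_atg_exposure(SAMPLE_LOG).items():
        print(f"{host}: TCP/{ATG_PORT} reached by non-allowlisted sources {sources}")
```

Any host this reports is a gauge whose serial interface is reachable beyond the intended monitoring networks and is a candidate for a firewall rule or a VPN in front of the port.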