Tech Hidden In Plain Sight: Gas Pumps

Ask someone who isn’t technically inclined how a TV signal works or how a cell phone works, or even how a two-way switch in a hall light works and you are likely to get either a blank stare or a wildly improbable explanation. But there are some things so commonplace that even the most tech-savvy of us don’t bother thinking about. One of these things is the lowly gas pump.

Gas pumps are everywhere, and it’s a safe bet that everyone reading this has used one at some point, most of us on a regular basis. But what’s really going on there?

Most of it is pretty easy to figure out. As the name implies, there must be a pump. There’s some way to tell how much is pumping and how much it costs and, today, some way to take the payment. But what about the automatic shut off? It isn’t done with some fancy electronics; that mechanism dates back decades. Plus, we’re talking about highly combustible materials, so there has to be more to it than just a big tank of gas and a pump. Safety is paramount and, experientially, we don’t hear about gas stations blowing up two or three times a day, so there must be some pretty stout safety features. Let’s pay homage to those silent safety features and explore the tricks of the gasoline trade.


Road Pollution Doesn’t Just Come From Exhaust

Alumni from Innovation Design Engineering at Imperial College London and the Royal College of Art want to raise awareness of a road pollution source we rarely consider: tire wear. If you think about it, it is obvious. Our tires wear out, and that has to go somewhere, but what surprises us is how fast it happens. Single-use plastic is the most significant source of oceanic pollution, but tire microplastics are next on the naughty list. The team calls themselves The Tyre Collective, and they’re working on a device to collect tire particles at the source.


Security Problems With Gas Station Automated Tank Gauges

[HD Moore] recently posted an article on Rapid7’s blog about an interesting security problem. They’ve been doing some research into the security of automated tank gauges (ATGs). These devices are used at gas stations and perform various functions, including monitoring fuel levels, tracking deliveries, and raising alarms. [Moore] says that ATGs are used at nearly every fueling station in the United States, but they are also used internationally. It turns out these things are often not secured properly.

Many ATGs have a built-in serial port for programming and monitoring. Some systems also have a TCP/IP card, or even a serial-to-TCP/IP adapter. These cards allow technicians to monitor the system remotely. The most common TCP port used in these systems is port 10001. Some of these systems have the ability to be password protected, but Rapid7’s findings indicate that many of them are left wide open.

The vulnerability was initially reported to Rapid7 by [Jack Chadowitz]. He discovered the problem through his work within the industry and developed his own web portal to help people test their own systems. [Jack] approached Rapid7 for assistance in investigating the issue on a much larger scale.

Rapid7 then scanned every IPv4 address looking for systems with an open port 10001. Each live system discovered was then sent a “Get In-Tank Inventory Report” request. Any system vulnerable to attack would respond with the station name, address, number of tanks, and fuel types. The scan found approximately 5,800 systems online with no password set. Over 5,300 of these stations are in the United States.

Rapid7 believes that attackers may be able to reconfigure alarm thresholds, reset the system, or otherwise disrupt operation of the fuel tank. An attacker might be able to simulate false conditions that would shut down the fuel tank, making it unavailable for use. Rapid7 does not believe this vulnerability is actively being exploited in the wild, but they caution that it would be difficult to tell the difference between an attack and a system failure. They recommend companies hide their systems behind a VPN for an additional layer of security.

[Thanks Ellery]
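
The post's closing recommendation is to keep ATGs behind a VPN. As an added example (not from the original post or from Rapid7), this Python script audits firewall connection logs for traffic reaching TCP port 10001 from outside the VPN; the log format, VPN subnet, and all addresses are constructed assumptions.

```python
import ipaddress
from collections import Counter

ATG_PORT = 10001  # TCP port the post names as most common for ATG access
# Assumption: technicians reach the gauge only through this VPN subnet.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")

# Constructed sample log lines in a hypothetical format:
# time  src_ip:src_port  dst_ip:dst_port  proto  action
SAMPLE_LOG = """\
2024-01-01T02:14:07Z 10.8.0.12:51544 192.168.50.20:10001 tcp ACCEPT
2024-01-01T02:15:31Z 198.51.100.7:40112 192.168.50.20:10001 tcp ACCEPT
2024-01-01T02:15:33Z 198.51.100.7:40113 192.168.50.20:10001 tcp ACCEPT
2024-01-01T03:02:10Z 203.0.113.9:33810 192.168.50.20:10001 tcp DROP
2024-01-01T03:40:55Z 203.0.113.44:52001 192.168.50.20:443 tcp ACCEPT
this line is malformed and must be skipped
"""

def parse(line):
    """Return (src_ip, dst_port, proto, action) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        src = ipaddress.ip_address(parts[1].rsplit(":", 1)[0])
        dport = int(parts[2].rsplit(":", 1)[1])
    except (ValueError, IndexError):
        return None
    return src, dport, parts[3].lower(), parts[4].upper()

def audit(log_text, vpn_net=VPN_NET, port=ATG_PORT):
    """Count ATG-port connections from outside the VPN, split by firewall action."""
    exposed, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dport, proto, action = rec
        if proto != "tcp" or dport != port or src in vpn_net:
            continue
        (exposed if action == "ACCEPT" else blocked)[str(src)] += 1
    return dict(exposed), dict(blocked)

if __name__ == "__main__":
    exposed, blocked = audit(SAMPLE_LOG)
    for ip, n in exposed.items():
        print(f"EXPOSED: {n} accepted connection(s) to port {ATG_PORT} from {ip}")
    for ip, n in blocked.items():
        print(f"blocked: {n} dropped attempt(s) from {ip}")
```

Any source listed as exposed means the gauge's port is reachable without the VPN, which is the condition the scan described above was counting.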