At this year’s RSA Conference, security researcher Pedro Umbelino of Bitsight revealed a critical threat to U.S. infrastructure. Thousands of internet-connected automatic tank gauges (ATGs) at gas stations are highly vulnerable to cyberattacks. These devices, which manage fuel levels and safety systems, often lack basic security, creating a risk of widespread disruption that could be triggered by hackers from anywhere in the world.
The Hidden Weakness in Your Local Gas Station
Automatic tank gauges were not designed with modern internet security in mind. Many of these essential devices are connected directly to the internet for remote monitoring, but without proper safeguards. This leaves them wide open to anyone who knows how to find them.
Some of these systems are protected by nothing more than a default password like “123456,” while others have no password at all. According to Umbelino, this makes it dangerously easy for an attacker to take control.
A few simple commands could shut off pumps, fake tank readings, or disable critical safety alarms. Hackers can even cause physical damage by forcing the system’s internal relays to switch on and off rapidly, burning them out. A remote attacker could cause serious problems, including:
- Spoofing fuel levels to make tanks appear full or empty.
- Swapping fuel labels, leading to dangerous mix-ups.
- Disabling emergency shutoff systems entirely.
This isn’t just a theoretical problem. The tools to find and access these systems are publicly available, making it a matter of when, not if, they will be targeted on a larger scale.
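A defender-side illustration of the relay burn-out scenario described above, as an added example that is not from Bitsight's research or any vendor: it flags relays whose state changes faster than normal operation would explain. The log format, the site and relay names, and the window and threshold values are all assumptions, and the events are expected in chronological order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from a real device): ISO time, site, relay, new state.
SAMPLE_LOG = """\
2024-05-01T10:00:00 site-a relay1 ON
2024-05-01T10:05:00 site-a relay1 OFF
2024-05-01T10:05:30 site-a relay1 OFF
2024-05-01T10:30:00 site-a relay1 ON
2024-05-01T11:00:00 site-b relay2 OFF
2024-05-01T11:00:01 site-b relay2 ON
2024-05-01T11:00:02 site-b relay2 OFF
garbled line that should be ignored
2024-05-01T11:00:03 site-b relay2 ON
2024-05-01T11:00:04 site-b relay2 OFF
2024-05-01T11:00:05 site-b relay2 ON
2024-05-01T11:00:06 site-b relay2 OFF
"""

WINDOW = timedelta(seconds=10)  # assumed look-back window
MAX_TOGGLES = 4                 # assumed ceiling for state changes per window


def find_relay_chatter(log_text, window=WINDOW, max_toggles=MAX_TOGGLES):
    """Return sorted (site, relay, first_alert_time) for relays toggling too fast."""
    last_state = {}               # (site, relay) -> last reported state
    recent = defaultdict(deque)   # (site, relay) -> times of recent state changes
    alerts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("ON", "OFF"):
            continue              # skip malformed lines
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue              # skip lines with an unparseable timestamp
        key = (parts[1], parts[2])
        previous = last_state.get(key)
        last_state[key] = parts[3]
        if previous is None or previous == parts[3]:
            continue              # baseline reading or repeated state, not a toggle
        changes = recent[key]
        changes.append(ts)
        while ts - changes[0] > window:
            changes.popleft()     # drop state changes older than the window
        if len(changes) > max_toggles and key not in alerts:
            alerts[key] = ts      # record only the first time the limit is crossed
    return sorted((s, r, t.isoformat()) for (s, r), t in alerts.items())


if __name__ == "__main__":
    for site, relay, when in find_relay_chatter(SAMPLE_LOG):
        print(f"ALERT {site} {relay}: rapid relay switching at {when}")
```

An alert like this is a reason to cut the gauge's remote access and inspect it on site, since the relay may already be damaged by the time the pattern shows up.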
A Problem Ignored for Nearly a Decade
This isn’t the first time an alarm has been sounded. Back in 2015, HD Moore, the creator of the popular security tool Metasploit, discovered over 5,800 of these tank gauges exposed online. He warned that the lack of authentication allowed anyone to access and manipulate them.
Years later, the problem has not been fixed. In fact, it has grown significantly worse.
A 2022 study by the security firm Cyborg found that the number of exposed ATGs had skyrocketed to over 11,000, a 120% increase in just seven years. Many of these vulnerable systems are still in use at stations supplied by major vendors like Gilbarco Veeder-Root and Franklin Fueling Systems. The warnings have been there, but the action has not followed.
Fresh Research Shows the Threat is Worse Than Ever
Recent work by Pedro Umbelino’s team at Bitsight has uncovered just how deep the vulnerabilities run. They examined six popular ATG models and discovered 11 new security flaws. These weren’t minor bugs; they were serious issues like command injection and authentication bypass.
Two of the vulnerabilities were so critical that they earned a perfect 10.0 severity score on the Common Vulnerability Scoring System (CVSS).
These flaws give attackers complete control over the device, allowing them to do whatever they want. The research highlights specific, exploitable weaknesses that are currently active in the field.
| Vulnerability ID | Vendor | CVSS Score | Risk Type |
|---|---|---|---|
| CVE-2024-45066 | MagLink LX | 10.0 | Command Injection |
| CVE-2024-43693 | MagLink LX | 10.0 | Authentication Bypass |
| Others (x9) | Various | 9.0–9.9 | SQL injection, privilege escalation, more |
The Panic Button is Just a Click Away
The true danger isn’t necessarily a massive explosion, but the chaos caused by disruption. Umbelino referenced the 2021 Colonial Pipeline incident, where a ransomware attack on billing systems caused panic buying and fuel shortages across the U.S. East Coast, even though the fuel delivery systems themselves were never touched.
Imagine hundreds of gas stations suddenly going offline. The resulting panic could trigger a supply chain crisis. The impact would spread beyond everyday drivers, affecting backup generators for hospitals, data centers, and emergency services that rely on the same fuel infrastructure.
Many of these ATGs cannot be easily fixed. They run on old software that is no longer supported, meaning they can’t be patched. Technicians would need to physically visit each site to perform an upgrade, which is a slow and expensive process.
“All you need to cause chaos is to make people believe something bad is happening,” Umbelino concluded. “It’s the panic that does the damage.” Right now, that panic button is dangerously exposed and just a few clicks away for a determined attacker.