Pedro Umbelino of Bitsight warns that thousands of fuel stations across the U.S. are quietly sitting on a time bomb — one that hackers could set off without ever setting foot near a pump.
Speaking at this year’s RSA Conference in San Francisco, Umbelino shed light on a threat that’s remained under the radar for far too long: automatic tank gauges (ATGs) — the devices that keep gas stations running smoothly — are shockingly vulnerable to cyberattacks.
Fuel Pumps, ATGs, and a Dangerous Game of Dominoes
The core issue? These devices weren’t built for security. Many of them are connected to the Internet, accessible to anyone who knows where to look — and some don’t even require a password.
That’s right. Some ATGs still use the default “123456” password. Others don’t use any at all.
“If someone really wanted to mess things up, they could,” Umbelino said, pointing out just how fragile the infrastructure is. “A few well-placed commands could shut off pumps, disable alarms, or fake tank readings.”
It’s not just a theoretical concern. The relays inside these systems — which control everything from fuel pumps to emergency shutoffs — can be physically damaged by remotely forcing them to switch on and off at high speeds.
And this is where it gets scary:
- Hackers can spoof fuel levels to trick operators into thinking tanks are full, or empty
- They can swap product labels, creating dangerous miscommunications
- They can make a tank look like it holds more fuel than it really does
- They can even disable safety systems entirely
All it takes is a simple scan and an Internet connection.
A Crisis That’s Closer Than You Think
Umbelino pointed to the Colonial Pipeline ransomware incident in 2021 as an example of how infrastructure panic spreads faster than the actual problem.
That attack didn’t touch the fuel pumps — it didn’t need to. Just the idea of disruption triggered mass panic and emptied gas stations along the U.S. East Coast.
Now imagine a few hundred gas stations going offline at once.
“That’s not just a nuisance,” Umbelino said. “That’s the kind of thing that kicks off a supply chain disaster.”
And it wouldn’t stop there. Backup generators at hospitals, data centers, and emergency services — many of which rely on similar systems — could go dark. This isn’t sci-fi. It’s fuel tech from the 2000s, still kicking, now dangerously exposed.
Old Warnings, Ignored
This isn’t the first time the alarm’s been raised.
Back in 2015, HD Moore, the creator of Metasploit, called out ATGs for exactly the same problems. He found over 5,800 of them sitting wide open on the Internet, most of them in the U.S. They were reachable over TCP port 10001, the port on which the consoles' serial monitoring protocol is typically bridged to the network for remote polling.
Moore warned that with no authentication, any attacker could snoop or meddle freely. But years later, not much has changed.
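To make that exposure concrete, here is an added example (mine, not code from the article, Bitsight, or Moore's research) of an offline checker for the Veeder-Root TLS-350-style protocol that these consoles expose on port 10001. The framing it assumes (SOH, an optional six-digit security code, then a function code such as `I20100` for in-tank inventory, with the report terminated by ETX) and the `9999FF1B` error reply for a rejected command are my understanding of the protocol, treated here as assumptions; every sample response is constructed.

```python
"""Added example (not code from the article or from Bitsight): an offline
checker for the Veeder-Root TLS-350-style serial protocol that ATGs expose
on TCP/10001. Framing assumed here: a command is SOH (0x01), optionally a
six-digit security code, then a function code such as I20100 (in-tank
inventory); the console echoes the function code and returns a text report
terminated by ETX (0x03). The "9999FF1B" error reply is my understanding of
how a rejected command is answered and is treated as an assumption. All
sample responses below are constructed."""
import re
import socket
from dataclasses import dataclass
from typing import List, Optional

SOH, ETX = b"\x01", b"\x03"
INVENTORY_CMD = b"I20100"  # in-tank inventory report, the read-only query Moore's 2015 scan used


def build_command(function_code: bytes, security_code: Optional[str] = None) -> bytes:
    """Frame a TLS-350 command; a configured security code (assumed six ASCII
    digits) goes right after SOH. Without one, the frame is just SOH + code."""
    if security_code is not None and not re.fullmatch(r"\d{6}", security_code):
        raise ValueError("security code must be exactly six digits")
    prefix = security_code.encode("ascii") if security_code else b""
    return SOH + prefix + function_code


def classify(response: bytes) -> str:
    """Sort a raw reply into: not an ATG at all, an ATG that refused the command
    (assumed: a security code is in force), or an ATG that handed over its inventory."""
    if not response.startswith(SOH):
        return "not-atg"
    body = response[1:]
    if body.startswith(b"9999"):
        return "atg-rejected"
    if body.startswith(INVENTORY_CMD):
        return "atg-open"
    return "atg-unknown"


@dataclass
class TankReading:
    tank: int
    product: str
    volume: float
    ullage: float
    height: float
    water: float
    temp: float


# One row of the inventory table: tank number, product name (may contain spaces),
# volume, TC volume, ullage, height, water, temperature.
TANK_LINE = re.compile(
    r"^\s*(\d+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s*$"
)


def parse_inventory(response: bytes) -> List[TankReading]:
    """Pull tank rows out of an I20100 report. Only rows after the TANK/PRODUCT
    header count, so the site name and address lines are never misread as tanks."""
    text = response.strip(SOH + ETX).decode("ascii", errors="replace")
    readings, in_table = [], False
    for line in text.splitlines():
        if line.lstrip().startswith("TANK") and "PRODUCT" in line:
            in_table = True
            continue
        m = TANK_LINE.match(line) if in_table else None
        if m:
            readings.append(TankReading(int(m[1]), m[2].strip(), float(m[3]),
                                        float(m[5]), float(m[6]), float(m[7]), float(m[8])))
    return readings


def probe(host: str, port: int = 10001, timeout: float = 5.0) -> bytes:
    """Live version of the check: send the inventory request and read until ETX.
    Use only against equipment you own or are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_command(INVENTORY_CMD))
        buf = b""
        while ETX not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf


# Constructed replies with made-up site data.
OPEN_RESPONSE = (
    SOH + b"I20100\r\n04/28/25 10:15\r\n\r\nEXAMPLE FUEL STOP\r\n123 MAIN ST\r\n\r\n"
    b"IN-TANK INVENTORY\r\n\r\n"
    b"TANK PRODUCT             VOLUME TC VOLUME   ULLAGE   HEIGHT    WATER     TEMP\r\n"
    b"  1  REGULAR               5622      5599     6378    35.21     0.00    62.32\r\n"
    b"  2  SUPER UNLEADED        3012      2998     8988    21.77     0.00    61.90\r\n"
    b"  3  DIESEL                7820      7790     4180    44.02     0.31    60.12\r\n"
    b"\r\n" + ETX
)
REJECTED_RESPONSE = SOH + b"9999FF1B" + ETX
NOT_ATG_RESPONSE = b"HTTP/1.1 400 Bad Request\r\n\r\n"
```

The point of the three-way `classify` result is the one the article makes: a console that answers `I20100` with a full inventory report has no security code set, and anyone who can reach port 10001 can read (and, with the write-side function codes, change) what the station sees. Running `probe` against a host you do not own is not a scan you are entitled to make.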
In fact, it’s gotten worse.
A 2022 study by Cyborg found that the number of exposed ATGs had jumped to more than 11,000 — a 120% increase in just seven years.
Many of these exposed devices come from big-name vendors such as Gilbarco Veeder-Root and Franklin Fueling Systems.
Bitsight Research Uncovers Alarming Flaws
Last year, Umbelino's team at Bitsight examined six popular ATG models and found 11 new vulnerabilities. Two of them were so serious they received the maximum score of 10.0 on the CVSS severity scale.
These flaws weren’t obscure, technical oddities either — they were straightforward holes like:
- OS command injection
- SQL injection
- Authentication bypass
- Privilege escalation
Here’s a quick look at the impact Bitsight found:
Vulnerability ID | Product | CVSS Score | Risk Type
---|---|---|---
CVE-2024-45066 | MagLink LX | 10.0 | OS Command Injection
CVE-2024-43693 | MagLink LX | 10.0 | Authentication Bypass
Others (9) | Various | 9.0–9.9 | SQLi, Privilege Escalation, More
These aren’t theoretical bugs. They’re real, tested, and exploitable — and in the wrong hands, they’re dangerous.
Why Are These Devices Still Online?
One of the main problems is maintenance. Some ATG systems run old, proprietary firmware or outdated versions of Linux or a real-time operating system (RTOS). Updating them isn't as simple as pushing a patch.
“In many cases,” Umbelino said, “you need a technician to physically go to the site and update the firmware with special tools. Some models don’t even support updates anymore. They’re end-of-life.”
That means they’re frozen in time — and wide open.
Even worse? Many operators don’t even realize they’re exposed. Shodan, a search engine for Internet-connected devices, can be used to find thousands of these systems with a few clicks.
It’s not hacking, it’s Googling.
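An operator who wants to know whether their own gauge has already been answering strangers does not need Shodan; the station's own network logs will say. Here is an added example (mine, not from the article or Bitsight) that walks Zeek-style `conn.log` records and reports every connection to port 10001 from outside the operator's management network, separating sessions the device actually answered from mere knocks. The record layout is a simplified, constructed subset of Zeek's conn.log columns, the sample lines are made up, and `10.20.0.0/24` as the trusted management range is an assumption.

```python
"""Added example (not from the article or Bitsight): find sessions to the ATG
port in Zeek-style conn.log records that came from outside the operator's own
management networks. The record layout is a constructed, simplified subset of
Zeek conn.log columns and the sample lines are made up; 10.20.0.0/24 as the
trusted management range is an assumption."""
import ipaddress
from typing import Dict, Iterable, List

ATG_PORT = 10001  # the TLS-350-over-TCP port the article cites
FIELDS = ["ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto",
          "duration", "orig_bytes", "resp_bytes", "conn_state"]

# Constructed sample: the site's ATG sits at 203.0.113.10; 10.20.0.5 is the
# operator's VPN host; the 192.0.2.x and 198.51.100.x sources are Internet scanners.
SAMPLE_CONN_LOG = """\
1714300000.1\t198.51.100.77\t51322\t203.0.113.10\t10001\ttcp\t1.2\t7\t812\tSF
1714300001.4\t10.20.0.5\t40122\t203.0.113.10\t10001\ttcp\t0.9\t7\t812\tSF
1714300002.0\t192.0.2.200\t33001\t203.0.113.10\t10001\ttcp\t0.0\t0\t0\tS0
1714300003.7\t198.51.100.77\t51330\t203.0.113.10\t443\ttcp\t0.3\t100\t400\tSF
1714300004.2\t192.0.2.201\t33002\t203.0.113.10\t10001\ttcp\t0.0\t0\t0\tREJ
"""
MGMT_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed trusted range


def parse_conn_line(line: str) -> Dict[str, str]:
    """Split one tab-separated record into named columns."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def is_trusted(addr: str, networks: Iterable[ipaddress.IPv4Network]) -> bool:
    """True only for sources inside an explicitly allowlisted network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def find_exposed_atg_sessions(log_text: str, trusted_networks) -> List[Dict[str, object]]:
    """One finding per TCP connection to the ATG port from an untrusted source.
    'answered' is True when the handshake completed and the device sent bytes
    back (Zeek state SF with resp_bytes > 0): the gauge actually served a
    stranger. S0/REJ entries are knocks that a firewall or the device refused."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        if rec["proto"] != "tcp" or int(rec["resp_p"]) != ATG_PORT:
            continue
        if is_trusted(rec["orig_h"], trusted_networks):
            continue
        answered = rec["conn_state"] == "SF" and int(rec["resp_bytes"]) > 0
        findings.append({"src": rec["orig_h"], "dst": rec["resp_h"],
                         "state": rec["conn_state"], "answered": answered})
    return findings


def summarize(findings) -> Dict[str, int]:
    """Count untrusted sources that got data back versus those that only knocked."""
    answered = sum(1 for f in findings if f["answered"])
    return {"answered": answered, "attempted_only": len(findings) - answered}
```

The `answered` flag is the one that matters. An `S0` or `REJ` entry means somebody looked; an `SF` session with response bytes on port 10001 means the console replied to an address it should never have heard from, which is exactly the condition Moore's 2015 scan and Bitsight's 2024 work were counting.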
The Ticking Time Bomb Few Are Watching
Gas stations aren’t glamorous targets. The gauges themselves hold no credit card numbers or customer data. But they’re vital.
That’s the paradox.
Hackers, researchers, and nation-state actors alike know that it’s often easier — and more disruptive — to mess with physical systems. ATGs aren’t just monitoring fuel; they’re controlling safety hardware like:
- Emergency valves
- Alarm sirens
- Ventilation systems
- Fuel dispensers
Burning out one ATG relay could knock a station offline. Hitting hundreds could leave an entire region in the lurch.
“People always think about explosions and big drama,” Umbelino said. “But all you need to cause chaos is to make people believe something bad is happening. It’s the panic that does the damage.”
And right now, the panic button is just a few clicks away.