Gas Station Hacking: Veeder Root

This vulnerability mainly relies on misconfigured access controls on the Veeder Root TLS-300/350 UST Monitoring Systems and the TLS-350R Environmental & Inventory Management System. [Serial Interface Manual PDF]

I first found it by searching for my hometown on Shodan, where I discovered a mysterious system that seemed to control a gas station that I visit often. It had the following server response on port 10001:

    I20100
    OCT 16, 2016  6:48 AM

    [REDACTED HEADER]
    [REDACTED HEADER]
    [REDACTED HEADER]
    [REDACTED HEADER]

    IN-TANK INVENTORY

    TANK PRODUCT             VOLUME TC VOLUME   ULLAGE   HEIGHT    WATER     TEMP
      1  NO LEAD WEST          3124      3110     2892    49.44     0.94    65.74
      2  NO LEAD EAST          3107      3097     2911    49.23     0.00    64.32
      3  SUPER                 1215      1214     4803    24.56     1.22    60.58
      4  DIESEL                2314      2310     1715    50.87     0.76    62.81

I looked up the string at the very top of the header, "I20100", and found that it is the command for giving an In-Tank Inventory Report on the Veeder Root system. I quickly found a manual and figured out what commands can be sent to the server. I noticed that to issue a command via telnet, you have to type ASCII 01, or "CTRL+A", before giving the command. This is the "Start of Heading" control character (similar to the tag in HTML). It can be configured to also require the ASCII 04, or "End of Transmission", control character as well, but just pressing enter has seemed to work for all the systems I've found. [Info on ASCII Control Characters]

--- Commands ---------------------------------------------------------------//--

There are over 600 commands that can be used on this system, including many types of reports, thresholds for various sensor triggers, the naming of specific aspects of the system, and general configuration settings.
Here are some of the basic commands to get info on the station:

    I10200            | System Config
    I20100            | Tank Status
    I11300            | Alarm Reports
    I11400            | Alarm History (Most Interesting IMO)
    I20200            | Delivery Report
    I20300            | Leak Detection
    I20600            | In Tank Alarm
    I21900            | Tank Chart Security Status
    I40200            | Input Alarm History
    I40600            | Relay Status Report
    I50100            | Get System Time
    S50100YYMMDDHHmm  | Set Time
    I50300            | Get Header
    S503LL + n*20     | Set Header (ASCII Characters) | LL = Header Lines 01 02 03 04
    I50400            | Get System Security Code
    S50400 + n*6      | Set Password (ASCII Characters)
    I523RR            | Get Receiver number

After playing around for a bit on this one, I searched again for the string I20100 on Shodan. The search yields over 4,000 results, although some are for different systems. Refining the search with various keywords like "Tank" brings the results down slightly, but it reveals all of the Veeder Root systems that have been scraped by Shodan.

A search for the server response code 9999FF1B has far fewer results, but this response is indicative of a properly configured system, which requires a 6-character passcode. 9999FF1B is Veeder Root's response code for when the system doesn't understand the last command given to it. It's also given when you first connect to port 10001 on a system, regardless of configuration.

--- The Problem ------------------------------------------------------------//--

The reason we can connect to these systems on port 10001 and have full root access is that there is either:

1. No password enabled on the entire system, including the RS-232 serial port connected to the internet, or
2. A password enabled, but not enabled on the RS-232 port.

Take a look at the system configuration on this station.

    I20100
    OCT 16, 2016  6:48 AM

    [REDACTED HEADER]
    [REDACTED HEADER]
    [REDACTED HEADER]
    [REDACTED HEADER]

    SYSTEM CONFIGURATION

    SLOT    BOARD TYPE        POWER ON RESET    CURRENT
      1     4 PROBE / G.T.          163722      163013
      2     INTERSTITIAL BD         200812      200429
      3     UNUSED                15000000    15000000
      4     UNUSED                15000000    15000000
      5     UNUSED                15000000    15000000
      6     UNUSED                15000000    15000000
      7     UNUSED                15000000    15000000
      8     UNUSED                15000000    15000000
      9     UNUSED                15000000    15000000
     10     UNUSED                15000000    15000000
     11     UNUSED                15000000    15000000
     12     UNUSED                15000000    15000000
     13     UNUSED                15000000    15000000
     14     UNUSED                15000000    15000000
     15     UNUSED                15000000    15000000
     16     UNUSED                15000000    15000000
    COMM 1  FAXMODEM BOARD           47252       47153
    COMM 2  SERIAL SAT BD         15000000      479367
    COMM 3  UNUSED                15000000    15000000
    COMM 4  UNUSED                15000000    15000000
    COMM 5  UNUSED                15000000    15000000
    COMM 6  UNUSED                15000000    15000000

Notice that there is the FAXMODEM BOARD on COMM 1 (which would be the main unit on-site), and the "SERIAL SAT BD" on COMM 2. Both of these boards are serial devices used to communicate with this system.

Now take a look at the security configuration using command "I50400":

    232 SECURITY CODE

    PORT  SECURITY CODE  STATUS
      1   901350         ENABLED
      2   000000         DISABLED
      3   000000         DISABLED
      4   000000         DISABLED
      5   000000         DISABLED
      6   000000         DISABLED

You can see that port 1 has a password enabled. This maps to the unit inside the station. Port 2 doesn't have any password, and it is ultimately what is connected to the internet.

--- The Fix ----------------------------------------------------------------//--

Patching this vulnerability is relatively easy. The station manager would have to set the position of the second switch on an internal DIP switch within the unit to enable security on the RS-232 port. The other switch on this DIP switch enables security on the front panel, preventing physical access. [More info on page 5 of the Manual]

[ Steps ]

1. Check the security code status – the system may have a code, but it hasn't been enabled. [Command: I50400]
2. Flip internal switch 2 in the Veeder Root unit.
3. Set a new code – the default is 000000. [Command: S50400abcdef] 6 ASCII characters (important that it's not just numbers!)
4. Write down the new security code.
5. Test it out!
6. ????
7. PROFIT

If you must have a direct connection with no auth, at the very least you can have a firewall or a VPN set up to make sure that whoever is connected is authorized to modify fuel distribution systems.

--- Disclosure -------------------------------------------------------------//--

I visited the local Exxon Mobil station to try and speak with a manager to explain the situation. I didn't know the chain of command, so I started there. The manager on duty said that he would forward my information to the management company that runs this station. I called and left a message the next day, and another one a couple of days later. I finally got in touch with the IT person there, who seemed to understand what I was saying somewhat, but said that the fuel distribution company was the one who had requested this remote telnet connection to the fuel system. The IT person said she would forward my information to the fuel distribution company, but I haven't received any response.

I was curious as to the number of systems they leave open like this with no password. There are quite a few open systems in my state; a lot are in seemingly concentrated areas. I suppose it really comes down to the fuel distribution companies to manage the security of their clients' stations. After the struggle I had to even talk to anyone who would understand the problem, I realized that it would be almost impossible to try and notify every single vulnerable station, figure out who their fuel distribution company is, then wait to see if they change their settings.

UPDATE: I contacted the State Division of Standards, and shared with them a list of nearly 2,000 vulnerable IP addresses related to this system. They told me that they would be forwarding this information and instructions for fixing it to the appropriate agencies.
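Step 1 and step 3 of the fix above amount to an audit check a station operator can run against their own unit's I50400 output: every serial port should show ENABLED, and no code should be the factory default or digits only. The following is an added example (not code from the original post or from Veeder-Root) that parses the "232 SECURITY CODE" report in the layout shown on this page and lists the findings. The column order and the ENABLED/DISABLED wording come from the page; the report text below, the codes in it, and the helper names are constructed for the example, and the code-quality rule applied is the page's own (exactly 6 ASCII characters, not just numbers).

```python
"""Audit the Veeder-Root TLS-350 '232 SECURITY CODE' report (I50400 output).

Added example, not code from the original post. Report layout follows the page;
the sample report and its codes are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout shown on the page (codes are made up).
SAMPLE_REPORT = """\
I50400
OCT 16, 2016  6:48 AM

[REDACTED HEADER]

232 SECURITY CODE

PORT  SECURITY CODE  STATUS
  1   Ab3x9Q         ENABLED
  2   000000         DISABLED
  3   000000         DISABLED
  4   123456         ENABLED
"""

# One data row: port number, 6-character code, ENABLED or DISABLED.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S{6})\s+(ENABLED|DISABLED)\s*$")
DEFAULT_CODE = "000000"  # factory default named on the page


@dataclass
class PortSecurity:
    port: int
    code: str
    enabled: bool


def parse_security_report(text: str) -> list[PortSecurity]:
    """Extract the per-port rows; header and date lines do not match ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(PortSecurity(int(m.group(1)), m.group(2), m.group(3) == "ENABLED"))
    return rows


def code_is_weak(code: str) -> bool:
    """Weak per the page's guidance: factory default, or nothing but digits."""
    return code == DEFAULT_CODE or code.isdigit()


def audit(text: str) -> list[str]:
    """Return human-readable findings; an empty list means every port passed."""
    rows = parse_security_report(text)
    if not rows:
        return ["no security-code rows found; unexpected report format"]
    findings = []
    for r in rows:
        if not r.enabled:
            findings.append(f"port {r.port}: security DISABLED")
        if code_is_weak(r.code):
            reason = "factory default" if r.code == DEFAULT_CODE else "digits only"
            findings.append(f"port {r.port}: weak code ({reason})")
    return findings


def new_code_acceptable(code: str) -> bool:
    """Check a proposed S50400 code against step 3: 6 ASCII characters, not just numbers.
    Restricting to printable characters is an assumption of this example."""
    return len(code) == 6 and code.isascii() and code.isprintable() and not code.isdigit()


if __name__ == "__main__":
    for finding in audit(SAMPLE_REPORT):
        print(finding)
```

Run it against a saved copy of your own unit's I50400 response; a clean run prints nothing. Note that a code can be set yet still show DISABLED, which is exactly the port-2 condition described in The Problem, so the enabled flag and the code quality are reported separately.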