Over 5,000 apparatus used by gas stations in the U.S. to track their fuel tank amounts can be manipulated from the Internet by malicious attackers.

These devices, known as automated tank gauges (ATGs), are also accustomed to activate alarms in the event of issues with the tanks, including fuel spills.

“Tank gauge malfunctions are considered a serious problem as a result of regulatory and security problems which could apply.”

Before this month, Moore ran a scan to find ATGs which are on the Net through serial port servers that map ATG serial interfaces to the Internet-reachable TCP port 10001. It is a standard setup used by ATG owners to track the devices remotely.

After being alerted of the issue by Jack Chadowitz, the creator of Kachoolie, a department of BostonBase that supplies risk-free tank gauge access services Rapid7 chose to run the scan.

This functionality isn’t normally empowered, according to Moore, although some systems supply the potential to guard serial interfaces using a password.

“Operators should think about using a VPN [virtual private network] gateway or other dedicated hardware interface to link their ATGs with their tracking service,” the researcher said. “Less-risk-free options comprise using source IP address filters or establishing a password on every serial port.”

The discovery comes at a time of increased examination of Internet-connected devices, particularly old ones and industrial facilities whose communicating protocols were designed with little concern for security.