If attackers could cause a gas station's tanks to overflow or prevent leak alarms from sounding, it could have devastating consequences—particularly if they struck multiple pumps in a region at once.

To see how real a threat that notion was, Kyle Wilhoit and Stephen Hilt from Trend Micro decided to set up a GasPot—a honeypot composed of virtual gas pump monitoring systems—to lure hackers and watch what they would do.

The work was inspired by Rapid7, which published a report earlier this year about finding 5,800 unsecured automated tank gauges accessible online. None of the systems—which belonged to gas stations, truck stops, and convenience stores primarily in the US—were password-protected.

Gas pump-monitoring systems vary in functionality, but they can include controls to set tank levels and overflow limits, monitor fuel levels for inventory purposes and gauge the temperature of tanks. Some also detect leaks.

Remote attackers could take advantage of those controls in a few different ways. First, they could shut stations down by falsifying fuel levels to make it appear that tanks are low when they're not, or they could change the "Unleaded" label on a tank to "Premium" or "Diesel," causing confusion about inventory. They could also conceivably modify tank levels and overflow limits, potentially leading to dangerous spills. In 2009 in Puerto Rico, for example, a fuel tank exploded into flames and burned for three days after a computerized monitoring system failed to sense when the tank reached capacity during an automated refill.

The GasPot systems the researchers set up were designed to resemble Guardian AST (above-ground storage tank) monitoring systems made by Veeder-Root. Guardian AST systems have been targeted in real-world attacks in the past by what appear to be hacktivists.

They hosted the fake gas pump systems on servers in the US, UK, Germany, Jordan, Brazil, Russia and the United Arab Emirates and watched them over a period of about five months, from February to June of this year. The US ones attracted the most attention. In most cases, the attackers simply used automated scanners to locate and probe the systems. But a few bold attackers went further, though never beyond the equivalent of digital graffiti. At least nine times, for example, the intruders changed the name of a GasPot tank to things like "H4CK3D by IDC-TEAM" and "AHAAD WAS HERE." IDC-TEAM may refer to the pro-Iran hacking group Iranian Dark Coders Team, known for defacing web sites and tagging them with "H4CK3D by IDC-TEAM."

One US system was hit with a DDoS attack over two days. Evidence, Trend Micro notes, suggests it may have been done by the Syrian Electronic Army, famous for hacking Twitter accounts and defacing web sites.

The GasPot research was presented at Defcon over the weekend.