Listen to this Post

Introduction
Automatic Tank Gauges (ATGs) are industrial control systems buried beneath every fuel station, silently monitoring fuel levels, leak detection, and tank status. Designed decades ago for reliability and speed—not security—many ATGs still communicate over unencrypted Telnet and are exposed on Shodan, making them a prime attack surface for critical infrastructure compromise.
Learning Objectives
- Identify how ATGs work and why their legacy communication protocols (Telnet, custom function codes) introduce severe OT security risks.
- Use OSINT and Shodan to discover internet‑exposed ATG systems and understand the attacker’s reconnaissance workflow.
- Apply network segmentation, firewall rules, and protocol filtering to harden ATG deployments against remote exploitation.
You Should Know
- ATG Communication Deep Dive: Function Codes and Telnet Nightmares
ATGs communicate using raw TCP/IP (often port 23/tcp for Telnet or proprietary ports like 10001). Operators send function codes—obscure strings like ^S60201haxx03<3fuel—to query tank levels, retrieve alarms, or change configurations. These codes are often documented in leaked manuals or discovered via simple fuzzing, giving attackers full control.
Step‑by‑step – Interacting with an ATG (authorised testing only):
- Discover open Telnet – Use Nmap to scan for port 23 on a target network range:
nmap -p 23 --open -sV 192.168.1.0/24
2. Connect via Telnet (Linux/macOS):
telnet 192.168.1.100
3. Send a common function code (example – request fuel level):
^S60201haxx03<3fuel
(Response might show tank levels in raw hexadecimal.)
4. Windows alternative – Enable Telnet client via:
dism /online /Enable-Feature /FeatureName:TelnetClient telnet 192.168.1.100 23
Because Telnet transmits everything in plain text, an attacker on the same network (or who has compromised a firewall) can capture credentials and replay commands.
- Hunting ATGs on Shodan: OSINT for Industrial Control Systems
Shodan indexes devices by banner and protocol. Many ATGs identify themselves with strings like “Tank Gauging System”, “Veeder‑Root”, “Gilbarco”, or “OPW”. Attackers use these fingerprints to find exposed units in minutes.
Step‑by‑step – Using Shodan for ATG discovery (ethical reconnaissance only):
1. Install Shodan CLI (Linux/macOS):
pip install shodan shodan init YOUR_API_KEY
2. Search for ATG‑related banners:
shodan search "Tank Gauge" --fields ip_str,port,org shodan search "port:23 fuel" --fields ip_str shodan search "Veeder-Root" --fields ip_str,location
3. Filter by country or city to find local gas stations:
shodan search "port:23 Veeder-Root country:US"
4. Cross‑reference with Google Maps or OpenStreetMap – exposed ATGs often sit at the same IP as the gas station’s public Wi‑Fi or payment gateway.
Windows equivalent – Use PowerShell with Shodan’s REST API:
$apiKey = "YOUR_KEY" $query = "Tank Gauge" $response = Invoke-RestMethod -Uri "https://api.shodan.io/shodan/host/search?key=$apiKey&query=$query" $response.matches | Select-Object ip_str, port
- Telnet in OT: Why “Legacy” Is No Excuse
As Ron van den Burg noted, OT systems used Telnet because it was fast and available decades ago. But today, leaving Telnet open is equivalent to handing out the keys to your underground fuel tanks. Attackers can:
– Read real‑time fuel inventory (knowing exactly when to steal).
– Disable leak detection (causing environmental disasters).
– Change alarm thresholds (masking overfills or theft).
Hands‑on – Capturing Telnet traffic with tcpdump:
sudo tcpdump -i eth0 port 23 -w atg_telnet.pcap
Then analyse with Wireshark – every command and password is visible in plaintext.
- Hardening ATG Deployments: Network Segmentation and Access Controls
Mitigation requires a defence‑in‑depth approach. Telnet cannot be “patched” on old controllers, so you must isolate it.
Step‑by‑step – Isolate ATG networks using Linux iptables (as a jump box):
- Create a dedicated VLAN for ATGs – no routing to corporate or guest networks.
- On the OT gateway, allow only specific management workstations:
sudo iptables -A INPUT -p tcp --dport 23 -s 192.168.100.50 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 23 -j DROP
- Force all remote access through a VPN with multi‑factor authentication.
- Use a Telnet‑to‑SSH proxy (e.g., `socat` or
telnet-proxy) so administrators never send credentials in the clear:socat TCP-LISTEN:2323,fork EXEC:'ssh user@jumphost "telnet 192.168.100.10 23"'
Windows (PowerShell) – Block inbound Telnet via Windows Firewall:
New-NetFirewallRule -DisplayName "Block Telnet" -Direction Inbound -LocalPort 23 -Protocol TCP -Action Block
- Real‑World Attack Simulation: Compromising a Leak Detection System
Assume an attacker finds an ATG on Shodan with open Telnet and default credentials (e.g., `admin:1234` or fuel:fuel). They connect and run:
^S60201leak_disable=1
This command disables all leak‑detection alarms. The gas station continues selling fuel while a slow leak goes unreported for hours or days.
Mitigation – Inventory reconciliation: Use a separate system (dip stick or automated reconciliation software) to cross‑check ATG readings. If the ATG says “no leak” but physical dip measurements drop unexpectedly, you have an incident.
6. OSINT for ATG Hunting Without Shodan
Some ATGs are not indexed by Shodan but can be found via Google dorks or by scanning common IP ranges of gas station chains.
Google dork examples:
– `intitle:”Tank Gauge” “Veeder-Root”`
– `inurl:atg “fuel level”`
Python script to check for Telnet on a list of IPs (educational):
import socket
ips = ["192.168.1.100","203.0.113.5"]
for ip in ips:
try:
s = socket.socket()
s.settimeout(2)
s.connect((ip,23))
banner = s.recv(1024)
print(f"{ip} - {banner}")
s.close()
except:
pass
7. Incident Response for a Compromised ATG
If you suspect an ATG is hacked:
- Immediately disconnect the Telnet port at the network level (ACL or unplug cable).
- Pull forensic data – Capture traffic logs, Telnet history, and last function codes received.
- Reset the controller to factory defaults and change all passwords.
- Manually verify tank levels using a dip stick (wooden graduated stick) and compare with ATG readings.
- Notify environmental regulators if leak detection was disabled—this may be a legal requirement.
What Undercode Say
- Key Takeaway 1: ATGs are critical OT assets hiding in plain sight, and legacy protocols like Telnet turn gas stations into soft targets for attackers, not just physical theft but environmental sabotage.
- Key Takeaway 2: Shodan + OSINT dramatically lowers the bar for finding vulnerable industrial systems—defenders must assume adversaries already have these maps and act accordingly with network segmentation and continuous monitoring.
Analysis: The conversation highlights a dangerous gap: IT professionals see Telnet as a non‑starter, while OT operators tolerate it because “that’s how it’s always been.” This cultural divide leads to exposed systems that are trivially discoverable. Moreover, as Marcel Rick‑Cen points out, focusing solely on the controller (not sensors) misses the bigger picture—attackers rarely need physical access when they can send `^S60201haxx03<3fuel` from anywhere. The inclusion of “function codes” in plain English suggests these systems are ripe for automated scanning and script‑based exploitation. Until gas station owners treat ATG networks like they treat their payment card networks (isolated, monitored, and patched), we will see more headlines about “hackers targeting fuel stations.”
Expected Output
Introduction: (Already provided above)
What Undercode Say: (Already provided above)
Prediction: Over the next 18 months, we will see the first confirmed ransomware attack that cripples fuel distribution by locking ATG controllers. Adversaries will pivot from simply stealing fuel to demanding ransoms in exchange for restoring tank monitoring and leak detection. This will force regulatory bodies (e.g., EPA in the US, EU’s NIS2) to mandate minimum security standards for ATGs, including the outright ban of Telnet and requirement for encrypted alternatives like Modbus over TLS or dedicated cellular gateways with mutual authentication. Startups offering “ATG firewall appliances” that deep‑inspect function codes will emerge as a new niche in OT security.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Marcelrickcen Are – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


