The Legalities of Scanning Vulnerable Tank Gauges

By ARUME

Let’s tackle the legalities surrounding the scanning and hacking of vulnerable Automatic Tank Gauges (ATGs) and the associated tools.

Cyberattacks on ATGs: A Clear Crime

It is no surprise that launching cyberattacks to steal information or disrupt operations of a tank gauge is illegal and carries consequences such as severe fines, civil lawsuits, damages and jail time.

Shodan: Unveiling the Internet of Things (IoT)

Similar to ARUME, Shodan.io is a search engine specifically designed to find vulnerable internet-connected devices, often referred to as the "IoT" (Internet of Things). It works by scanning the internet and identifying devices with open ports or weak security configurations. This information can be valuable for:

  • Security Researchers: Identifying potential vulnerabilities in IoT devices to help manufacturers improve security.
  • Network Administrators: Finding and securing vulnerable devices on their own networks.

However, there's a flip side. Hackers can use Shodan to find vulnerable devices like ATGs, potentially exploiting them for malicious purposes.

Scanning Vulnerable Devices: A Legal Debate

The legality of scanning for vulnerable devices like ATGs remains a gray area. Let’s consider it in the context of a general internet search:

Shodan vs Google Search:

Shodan scans the internet for vulnerable devices, providing information like their IP addresses and ports. This is often compared to how Google scans websites for content to index in its search results.

While there are similarities, there's a crucial difference:

Website Control vs Device Passivity:

Website owners can control what Google scans by adding specific instructions. Vulnerable devices such as ATGs lack such control and can't block unwanted scans.

The Legality of Accessing Information

In the case of ATGs, the legality of simply accessing a vulnerable device and viewing information (without modifying anything) is unclear. Some argue it's similar to Google's indexing, while others see it as unauthorized access.

Complications arise with:

  • No Logs: Unlike websites, ATGs often lack logs to track who accessed them, making it difficult to identify unauthorized access.
  • No "No Scan" Option: Vulnerable ATGs have no way to prevent scans or warn users about unauthorized access.

ARUME's Approach

At ARUME, our responsible security researchers do not disclose IP addresses and ports that could be exploited for malicious purposes. Instead, we focus on emphasizing responsible security practices and creating awareness. ARUME doesn't publish identifying information, but we do offer resources to help station owners identify and address vulnerabilities in their ATGs.

The Takeaway

The legality of scanning for vulnerable ATGs is a complex issue with no easy answers. However, ARUME prioritizes ethical practices and focuses on helping owners secure their systems.

Some additional considerations are:

  • National Security Concerns: Cyberattacks on critical infrastructure such as gas stations can have national security implications, which adds further legal considerations around both attacks and vulnerabilities.
  • Evolving Regulations: Regulations surrounding cybersecurity are constantly evolving. Staying informed about relevant laws is crucial for both gas station owners and security researchers.

By understanding the legal gray areas and ethical considerations, we can promote a safer and more secure environment for ATGs and the critical infrastructure they support.