RunOut™ - A New Vulnerability Threatens Tens of Thousands of Gas Stations

Why isn’t the threat of retaliation a deterrent against RunOut™ attacks?

There are two reasons why the threat of retaliation might not be effective:

RunOut™ disrupts by blocking access to tank gauges but doesn't directly damage the tank gauge or gas station. This type of attack doesn’t cross the implicit "red line" that would trigger retaliation.

Attributing a RunOut™ attack to a specific source can be extremely challenging. These attacks can be launched anonymously making it likely impossible to pinpoint the culprit. Without clear attribution, retaliation becomes nearly impossible.

Is there a solution to the RunOut™ vulnerability?

A RunOut™ attack would disrupt a significant portion of gas stations in the United States, of which 100,000 are remotely accessed, according to claims by the companies who rely on remote communication with these ATGs. Most of these companies utilize TCP/IP polling over the Internet making these locations susceptible to RunOut™ attacks.

How widespread could a RunOut™ attack be?

No, unlike vulnerabilities in software and hardware, the RunOut™ vulnerability cannot be mitigated by updates and patches. It is baked-in into the TCP/IP polling method of remote communication with ATGs.

The recommended way to avoid an attack that exploits RunOut™ and other ATG vulnerabilities is to avoid TCP/IP polling, especially over the Internet.

Who would the attack impact?

A RunOut™ attack would have a ripple effect impacting several groups:

Fuel Logistics and Environmental Services: Companies that rely on TCP/IP polling to monitor fuel levels and ensure environmental compliance would be directly affected.

Fuel Marketers and Suppliers: Fuel marketers and their suppliers depend on accurate fuel level information for efficient logistics and deliveries.

Gas Station Owners and Operators: Gas station owners rely on using fuel to attract customers that then buy high margin convenience store items.

Individual Consumers: Ultimately, everyone who relies on gas for transportation would be impacted. RunOut™ attacks could lead to gas shortages, disruptions to daily life and shut down the economy.

When would the impact of an attack be felt and how long
would it take to recover?

The current fuel supply chain operates on a "just-in-time" model, meaning deliveries are made based on real-time needs. A RunOut™ attack disrupts this delicate balance, leading to widespread shortages:

Immediate Impact: A RunOut™ attack could cause rapid gas shortages at stations relying on frequent deliveries (every 1-2 days). Disrupted access to tank gauge data would prevent fuel suppliers from knowing when to order fuel, leading to runouts.

Shortages and Panic Buying: Initial shortages could lead to panic buying, further exacerbating the situation and creating long lines at pumps and increased fuel prices.

Manual Logistics: In the event of a sustained attack, fuel dispatchers would need to resort to manual methods for scheduling fuel deliveries. As logistics systems that schedule deliveries are now highly automated, it will take time and a massive effort to schedule manually.

Recovery Time: The time to fully recover depends on the duration of the attack. The fuel supply chain is fragile and short while recovery would be long and painful. Even after the attack stops, it would take time to re-establish automated logistics and normalize fuel delivery schedules.

What are the solutions to mitigate RunOut™ Attacks?

Avoid TCP/IP Polling over the Internet: This eliminates the vulnerability exploited by RunOut™.

Use Secure Remote Access Solutions: Consider using remote access solutions that are unaffected like Kachoolie, that provide built-in proprietary protection making external protection such as a firewall or a VPN unnecessary.

Are services that poll using TCP/IP and use firewalls or VPNs
vulnerable to RunOut™?

firewalls or VPNs do protect against RunOut™, compromised systems can be exploited. According to a warning by FBI Director Christopher Wray, the systems that control the Critical Infrastructure, which include TCP/IP polling servers, have already been compromised by Volt Typhoon and other hacking groups.

Compromised servers employing TCP/IP polling could be leveraged by attackers to bypass all ATG protection measures and launch widespread attacks on a large scale, such as targeting tens of thousands of gas stations. RunOut™ now allows attackers to use these compromised servers for attacks without fear of retaliation.

Why hasn't ARUME publicly disclosed technical details on RunOut™?

The RunOut™ vulnerability is baked-in to the TCP/IP polling design. Sharing technical details wouldn't lead to viable solutions from vendors.

Public disclosure could mirror the situation after January 2015, when exposed ATG vulnerabilities were exploited. ARUME fears similar misuse of RunOut™.

Instead ARUME has developed free, safe, non-intrusive tools to check sites for ATG vulnerabilities including RunOut™.

Similar to CISA's malware analysis tool for malware analysis, ARUME takes a proactive approach that helps organizations assess their risk without publicly exposing the vulnerability details.

Two videos which provide proof of concept for RunOut™ are:
Blocking a site and Detecting password protection.

ARUME understands the importance of security research. Bona fide researchers can contact ARUME for information on how to investigate ATG vulnerabilities responsibly.