Full Report
A few months ago, while undertaking unrelated research into online connected devices, we uncovered something surprising and realized almost immediately that we could be looking at a critical security threat.
Analysis Summary
# Vulnerability: Vulnerabilities in Gas Station Controller (SiteSentinel)
## CVE Details
- **CVE ID:** CVE-2015-0985
- **CVSS Score:** 10.0 (Critical) - CVSS v2
- **CWE:** CWE-219 (Information Exposure Through Storage of Data in a Web-exposed Directory), CWE-284 (Improper Access Control)
## Affected Systems
- **Products:** OPW Fuel Management Systems SiteSentinel Tank Gauge
- **Versions:** All versions prior to 1.0.0.63
- **Configurations:** Systems connected directly to the internet without firewall protection or VPN tunnels.
## Vulnerability Description
The vulnerability involves improper access control and unauthenticated access to the web interface of the SiteSentinel fuel monitoring system. The controller provides a web-based dashboard for monitoring tank levels, leak detection, and system configuration. Because the system lacks sufficient authentication mechanisms for certain administrative functions and data directories, remote attackers can gain full control over the controller’s settings and monitoring data.
## Exploitation
- **Status:** PoC available; exposed instances are widely scanned for and are discoverable through device search engines such as Shodan and Censys.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Total (Exposure of fuel levels, delivery schedules, and system configurations)
- **Integrity:** Total (Potential to modify tank thresholds, disable alarms, or spoof tank levels)
- **Availability:** Total (Ability to shut down or disrupt the controller operations)
## Remediation
### Patches
- Update SiteSentinel firmware to version **1.0.0.63** or higher, which introduces improved security controls.
### Workarounds
- **Network Isolation:** Do not expose the device directly to the public internet. Use a VPN for remote access.
- **Firewall Restrictions:** Implement Access Control Lists (ACLs) to restrict access to the device's IP address to authorized corporate networks only.
## Detection
- **Indicators of Compromise:** Unexpected changes in tank level reporting, unauthorized configuration modifications, or logs showing unfamiliar IP addresses accessing the web interface.
- **Detection Methods:** Monitor for HTTP/HTTPS traffic to the SiteSentinel web console, on ports 80/443 or on any non-standard port, that originates from external (non-corporate) sources.
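As an added example (not part of the advisory or the vendor's software), the script below applies the ACL idea from the Workarounds section to a web server access log: every request to the controller's web console from an address outside the authorized corporate networks is flagged, and successful state-changing requests among them are singled out. The network ranges, URL paths and log lines are constructed placeholders.

```python
import ipaddress
import re

# Authorized corporate ranges (constructed placeholders, not values from the advisory).
AUTHORIZED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                       ipaddress.ip_network("192.168.50.0/24")]

# Common log format: client IP, identd, user, [timestamp], "METHOD PATH PROTO", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_authorized(ip: str) -> bool:
    """True if the client address lies inside an allow-listed corporate network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: never treat as trusted
    return any(addr in net for net in AUTHORIZED_NETWORKS)

def find_external_access(log_lines):
    """Return (ip, timestamp, method, path, status) for each console request
    that did not come from an authorized network. Non-CLF lines are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if not is_authorized(ip):
            hits.append((ip, ts, method, path, int(status)))
    return hits

def successful_external_changes(hits):
    """Subset of hits that are state-changing requests accepted with a 2xx status:
    the strongest signal for the 'unauthorized configuration modification' indicator."""
    return [h for h in hits if h[2] in ("POST", "PUT", "DELETE") and 200 <= h[4] < 300]

# Constructed sample log; the paths are hypothetical, not the product's real endpoints.
SAMPLE_LOG = [
    '10.20.3.7 - - [12/Mar/2015:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.45 - - [12/Mar/2015:09:15:10 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Mar/2015:09:16:33 +0000] "POST /config HTTP/1.1" 200 77',
    'garbage line that should be ignored',
    '192.168.50.12 - - [12/Mar/2015:09:17:01 +0000] "GET /tanks HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    hits = find_external_access(SAMPLE_LOG)
    for hit in hits:
        print("external access:", hit)
    for hit in successful_external_changes(hits):
        print("ALERT - accepted change from outside the ACL:", hit)
```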
## References
- **ICS-CERT Advisory:** hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/icsa-15-020-01
- **Vendor Site:** hxxps[://]www[.]opwglobal[.]com/fms
- **Analysis:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2018/02/07/gas-is-too-expensive-lets-make-it-cheap/