Six thousand fuel gauges answer every stranger
Six thousand exposed fuel gauges are not a vulnerability. They are a trust model that outlived the wire it was built on.
Six thousand Automatic Tank Gauges sit on the public internet without authentication. They report fuel levels, temperatures, water intrusion readings, and tank configurations to anyone who queries them on TCP port 10001. They accept commands. They respond to console functions. They do this because that is what they were built to do, and nothing in their operating environment has told them to do otherwise. The devices are not malfunctioning. They are answering, in the protocol they were designed to speak, to every party that asks.
These are not obscure systems. They sit beneath service stations, fuel depots, hospital generator yards, military installations, and municipal fleet operations. They govern the physical inventory of a substance that is flammable, regulated, and economically tracked down to the gallon. The exposed surface includes alarm thresholds, leak detection states, and the ability to alter tank parameters. The systems are reachable. The systems are responsive. The systems are doing what their firmware expects them to do.
The public reporting frames this as a vulnerability. It is more accurate to describe it as a behavior. There is no exploit chain. There is no memory corruption. There is no privilege escalation. There is a device, a protocol, and a network path. The device speaks when spoken to. The protocol does not ask who is speaking. The network path was opened, at some point, by someone who needed it to be open. From that moment forward, the device behaved exactly as specified.
The Original Assumption.
The Veeder-Root TLS protocol and its peers in the tank gauging market were designed in an era when the physical and logical boundaries of a fuel site were treated as equivalent. The gauge sat in a back office. A serial cable ran from the gauge to a console. The console was operated by a technician with a clipboard. The trust model was implicit and complete: if you could reach the wire, you were already inside the building, and if you were inside the building, you were authorized. Authentication was not absent through oversight. It was absent because the medium itself performed authentication.
The assumption was that proximity equals permission. The serial loop was the perimeter. The protocol carried no notion of identity because identity was established by the act of plugging in. There was no concept of a remote operator because there was no remote. The system was designed for a closed loop, and within that closed loop, every actor was, by definition, legitimate. The firmware does not contain a flaw in this regard. It contains a faithful implementation of the trust model that existed when it was written.
This assumption was not unique to fuel gauges. It is the same assumption that produced unauthenticated Modbus, plaintext DNP3, open SNMP communities, and the entire first generation of industrial protocols. The design did not omit authentication. The design assumed authentication had already happened, elsewhere, by means of cable, building, and badge. Trust was inherited from the physical layer. The protocol was a courier, not a gatekeeper. That courier role was the entire specification.
What Changed.
The wire moved. A serial-to-Ethernet adapter was installed so a regional manager could check inventory from headquarters. A cellular modem was added so the fuel distributor could schedule deliveries based on real-time levels. A site VPN was provisioned, then replaced by a flat internet connection during a contractor migration, then forgotten. Each step was rational within its own frame. None of them re-examined the trust model the gauge was built on. The protocol was carried, unchanged, across a medium it was never designed to traverse. The assumption of physical containment was transferred to a network that contains nothing.
What changed was not the device. The device is the same device it was in 1998. What changed was the meaning of reachability. In the original design, reaching the gauge required physical presence, and physical presence was the credential. In the current state, reaching the gauge requires a port scan, and the port scan is performed by anyone, from anywhere, continuously. The credential that the protocol silently relied on, the wire, no longer exists. The protocol still relies on it. The protocol cannot tell that it is gone.
The operational context shifted in layers, each one invisible to the device beneath it. Remote monitoring contracts expected connectivity. Insurance carriers expected leak data. Environmental regulators expected alarm logs. Fleet operators expected dispatch integration. Each expectation produced another adapter, another tunnel, another exposed interface. The gauge was never told its boundary had moved, because no part of the system tracks where its boundary is. The boundary was a property of the building, not the firmware, and buildings do not generate change events. The assumption that proximity equals permission was not revoked. It was simply rendered false, quietly, over two decades, while the system continued to operate on it.
Mechanism of Failure.
The gauge does not authenticate because the protocol does not carry a field for authentication. When a TCP connection arrives on port 10001, the device treats the connection itself as the credential. It reads a function code. It returns the requested data. It accepts a configuration command if the command is well-formed. The validation that the protocol performs is structural, not relational. It confirms that the request conforms to the specification. It does not confirm that the requester has any standing to make the request. The reference is the syntax. The verification is absent.
This is not a bypass. A bypass implies a control that was circumvented. There is no control here to circumvent. The system is executing its expected behavior with full fidelity. The Ethernet adapter delivers a stream of bytes to the serial interface. The serial interface presents those bytes to the firmware. The firmware parses them according to the Veeder-Root TLS specification and produces the documented response. Every layer in the chain is operating within its design envelope. The failure is not in any layer. The failure is that the chain assumes a property, physical containment, that no layer in the chain is responsible for enforcing.
Identity of source has been replaced by integrity of format. The gauge does not ask who sent the I20100 command. It asks whether the command is syntactically valid. If the bytes parse, the bytes execute. This substitution, format for identity, is the operative drift. It was tolerable when the wire performed the identity check by physical means. It is no longer tolerable, but the substitution is now load-bearing in production environments that depend on the data flowing through it. Remote monitoring platforms parse the same responses. Distributor dashboards ingest the same telemetry. The unauthenticated response is not an anomaly in the data flow. It is the data flow. Removing it would break the monitoring contracts that were the reason connectivity was introduced in the first place.
The system has reached a state where the original assumption is structurally false and operationally required. The trust that the wire used to provide has not been replaced. It has been forgotten as a category. Downstream consumers treat the gauge response as authoritative because the gauge is the gauge. The source is the credential. The content is not verified because there is no second source against which to verify it. The architecture resolves identity by address, and address has become the only remaining proxy for trust.
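The substitution of format for identity described above, shown as an added example that is not code from the original post or from any gauge vendor. It models the legacy path, where a well-formed function code from any source is executed, beside a hypothetical authenticating front end that restores the check the serial cable used to perform (a source allowlist plus an HMAC over a counter and the request) without touching the gauge itself. The six-character framing, the I20100 read, the S-prefixed writes, the status strings and the tank values are all constructed for illustration and are not the real wire format.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed model of the request path the text describes. Framing is an
# assumption made for illustration: a request is a six-character function code
# such as I20100 (the inventory read named in the text); codes beginning with
# S are treated as configuration writes. This is not the real wire format.
FUNCTION_CODE = re.compile(r"^[IS]\d{5}$")

# Constructed tank state that a read returns.
TANK_STATE = {"tank": 1, "product": "UNLEADED", "volume_gal": 4820, "water_in": 0.0}


def structural_check(payload: str) -> bool:
    """The only validation the legacy path performs: does the request parse?"""
    return FUNCTION_CODE.match(payload) is not None


def legacy_handle(source_ip: str, payload: str) -> dict:
    """Legacy gauge behaviour: the TCP connection is the credential.
    source_ip is received but never consulted; a well-formed request from
    anywhere, including a configuration write, is executed."""
    if not structural_check(payload):
        return {"status": "format_error"}
    if payload.startswith("S"):
        return {"status": "ok", "wrote": payload}
    return {"status": "ok", "data": dict(TANK_STATE)}


@dataclass
class AuthenticatingGateway:
    """Hypothetical front end that restores the identity check the serial
    cable used to provide: a source allowlist, plus an HMAC over a monotonic
    counter and the request under a key shared with each authorized client.
    The gauge behind it is left unchanged."""

    client_keys: dict                       # source_ip -> shared key (bytes)
    last_counter: dict = field(default_factory=dict)

    def tag(self, source_ip: str, counter: int, payload: str) -> str:
        """Authenticator an authorized client attaches to its request."""
        msg = f"{counter}:{payload}".encode()
        return hmac.new(self.client_keys[source_ip], msg, hashlib.sha256).hexdigest()

    def handle(self, source_ip: str, counter: int, payload: str, mac: str) -> dict:
        key = self.client_keys.get(source_ip)
        if key is None:
            return {"status": "refused", "reason": "source not allowlisted"}
        if counter <= self.last_counter.get(source_ip, 0):
            return {"status": "refused", "reason": "replayed or stale counter"}
        if not hmac.compare_digest(self.tag(source_ip, counter, payload), mac):
            return {"status": "refused", "reason": "bad authenticator"}
        self.last_counter[source_ip] = counter
        # Identity is established; only now is the request handed to the
        # gauge's original format-only handler.
        return legacy_handle(source_ip, payload)


if __name__ == "__main__":
    # Same well-formed read, two trust models (addresses are documentation ranges).
    print("legacy :", legacy_handle("203.0.113.7", "I20100"))
    gw = AuthenticatingGateway(client_keys={"192.0.2.10": b"\x00" * 32})
    print("gateway:", gw.handle("203.0.113.7", 1, "I20100", ""))
    print("gateway:", gw.handle("192.0.2.10", 1, "I20100", gw.tag("192.0.2.10", 1, "I20100")))
```

The point of the gateway is that it checks identity before format: an unknown source is refused before its bytes are ever parsed, a replayed request is refused even from a known source, and the gauge's own handler is only ever reached by a request that has already been tied to a specific authorized client. The monitoring contracts the text mentions keep working because the authorized clients are exactly the ones given keys.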
Pattern.
The pattern is execution based on reference rather than verification. A system receives a request, locates the resource the request names, and acts on it. The locating is treated as the validating. Where the request came from, what produced it, whether the conditions that originally justified the trust still hold, none of these are inspected. The system resolves the reference. The reference is sufficient. This pattern is not a property of industrial protocols. It is a property of how distributed systems decompose responsibility when no single component owns the trust boundary.
The same mechanism operates in cloud metadata services. An instance metadata endpoint at a link-local address returns credentials to any process on the host that asks for them. The endpoint does not validate the requester. It validates the network position. The assumption was that only authorized workloads run on the host, and only authorized processes on the host could reach the link-local address. When a server-side request forgery vulnerability appears in a web application running on that host, the application becomes a proxy for the request. The metadata service receives a well-formed query from the expected network position and returns credentials. It is not deceived. It is operating correctly. The reference, network position, is treated as the verification, workload identity. The substitution was acceptable in the original design because the two were equivalent. They are no longer equivalent. The service has not been told.
The fuel gauge and the metadata service share no code, no vendor, no industry, and no era. They share a structure. Both were designed at a moment when a physical or topological fact made identity self-evident. Both encoded that fact as an implicit assumption rather than an enforced control. Both continue to operate on the assumption after the fact has ceased to be true. The pattern does not require a flaw to produce a failure. It requires only that the environment outlive the assumption, which environments always do.
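The metadata-service instance of the same pattern, as an added example that is not code from the original post or from any cloud provider. It contrasts an endpoint that answers any well-formed GET arriving at the link-local address with a session-oriented endpoint modeled on the session-token design cloud providers later adopted: a caller must first obtain a token with an explicit TTL header, the token is only issued to a caller within a hop limit, and every read must carry it. The header names, paths, hop accounting and credential values are constructed for illustration; the application-as-proxy case from the text is modeled as a plain GET whose path, and nothing else, comes from outside.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed placeholders, not real credentials.
CREDENTIALS = {"AccessKeyId": "PLACEHOLDER-KEY-ID", "SecretAccessKey": "PLACEHOLDER-SECRET"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    hops: int = 1   # network hops crossed to reach the link-local endpoint; 1 = same host


class LegacyMetadata:
    """Reference as verification: arriving at the link-local address is the
    only thing checked, so any process on the host that can make the request
    is indistinguishable from the workload the endpoint was meant to serve."""

    def handle(self, req: Request):
        if req.method == "GET" and req.path == "/credentials":
            return 200, dict(CREDENTIALS)
        return 404, None


class SessionTokenMetadata:
    """Session-oriented variant (header names and paths are constructed).
    A caller must PUT for a token with an explicit TTL header; the token is
    only issued within hop_limit hops; every later read must carry it."""

    def __init__(self, hop_limit: int = 1):
        self.hop_limit = hop_limit
        self.tokens: dict = {}          # token -> expiry (epoch seconds)

    def handle(self, req: Request):
        if req.method == "PUT" and req.path == "/api/token":
            ttl = req.headers.get("X-Metadata-Token-TTL")
            if ttl is None:
                return 400, None        # TTL header is mandatory
            if req.hops > self.hop_limit:
                return 403, None        # token request crossed a network boundary
            token = secrets.token_urlsafe(32)
            self.tokens[token] = time.time() + int(ttl)
            return 200, token
        if req.method == "GET":
            token = req.headers.get("X-Metadata-Token")
            if token is None or self.tokens.get(token, 0) < time.time():
                return 401, None        # no valid session: identity not established
            if req.path == "/credentials":
                return 200, dict(CREDENTIALS)
            return 404, None
        return 405, None


def relayed_get(service, path: str):
    """Models the application-as-proxy case from the text: the application
    fetches a path it was handed, issuing a plain GET from its own host with
    no caller-controlled method or headers."""
    return service.handle(Request("GET", path))


def authorized_client_read(service, path: str):
    """The workload the endpoint was meant to serve: obtains a session token
    on its own host, then reads with it."""
    status, token = service.handle(
        Request("PUT", "/api/token", {"X-Metadata-Token-TTL": "60"}))
    if status != 200:
        return status, None
    return service.handle(Request("GET", path, {"X-Metadata-Token": token}))


if __name__ == "__main__":
    print("legacy, relayed   :", relayed_get(LegacyMetadata(), "/credentials")[0])
    svc = SessionTokenMetadata()
    print("session, relayed  :", relayed_get(svc, "/credentials")[0])
    print("session, workload :", authorized_client_read(svc, "/credentials")[0])
```

The session-token endpoint is still not "deceived" or "undeceived": it simply no longer treats network position as the whole credential. The relayed GET arrives from the expected position and is refused anyway, because it cannot perform the PUT-with-header step that binds the session to a caller on the host, while the intended workload completes that step and reads as before.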
Hard Closing Truth.
The gauge resolves the request once. It does not revalidate. The wire that performed authentication was removed twenty years ago and the protocol was never told. The control existed in the building. The outcome lives on the internet.