In January 2015 Jack Chadowitz, creator of Kachoolie, discovered over 5,000 sites where the Tank Gauges could be easily accessed to read data AND make configuration changes. Anyone knowing the IP address can gain access. As of March 2018 there are 7,000+ such sites. Test your site. If you fail the test, look at our video to understand how to protect your Tank Gauge and here to understand the problems of an unprotected Tank Gauge. If you pass, you may want to look at this page to understand possible unintended consequences of the protection. To protect your gauge and get a free Web App for inventory, consider adding the Kachoolie Firewall.
Note: To prevent misuse of this tool, you MUST be at the site when you do the test. If you cannot test from the site, we can test for you. Contact us to provide the IP address or addresses you want tested.
We recently discovered that having a TLS450 connected to the store LAN (Local Area Network) can cause a PCI compliance test to fail. This is because the TLS450 uses OpenSSH on port 22 to provide remote access to the Linux processor that drives the TLS450. The OpenSSH version used is 7.0. A test by Trustwave, a leading PCI compliance testing company, and maybe others, will fail PCI compliance if the version is less than 7.3. You can easily test for this vulnerability by using a utility called telnet. Open a command window and type:
telnet [your site IP address] 22
If the site is unreachable, or you get something like
Connected to c-xxx.xxx.xxx.xxx.hsd1.nh.comcast.net.
Escape character is '^]'.
where xxx.xxx.xxx.xxx is the IP address. If the OpenSSH version is 7.3 or later then your PCI testing should be unaffected.
If your version is less than 7.3 you can easily disable the remote access by removing the port forwarding for port 22 in the site router. This will NOT affect your access via the Veeder Root App or via port 10001 but will avoid failing PCI compliance because of an old OpenSSH version.
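The port 22 check described above, as an added example that is not Kachoolie's or Veeder Root's code: it reads the SSH banner the way the telnet command does and compares the advertised OpenSSH version with the 7.3 threshold. The function names and verdict labels are assumptions made for illustration.

```python
# Added example; function names and verdict labels are illustrative assumptions.
import re
import socket
import sys

PCI_MIN = (7, 3)  # minimum OpenSSH version quoted on this page

def find_ident_line(data):
    """Return the SSH identification line found in raw bytes, or None.
    RFC 4253 allows a server to send other text lines before it."""
    for line in data.split(b"\n")[:-1]:          # complete lines only
        if line.startswith(b"SSH-"):
            return line.rstrip(b"\r").decode("ascii", "replace")
    return None

def read_ssh_banner(host, port=22, timeout=5.0):
    """Connect like `telnet host 22`; None if unreachable or no banner arrives."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            while len(data) < 4096 and find_ident_line(data) is None:
                chunk = sock.recv(256)
                if not chunk:
                    break
                data += chunk
    except OSError:                               # refused, timed out, no route
        pass
    return find_ident_line(data)

def openssh_version(banner):
    """'SSH-2.0-OpenSSH_7.0' -> (7, 0); None when the server is not OpenSSH."""
    m = re.match(r"SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def pci_verdict(banner):
    """Classify a banner against the 7.3 threshold."""
    if banner is None:
        return "unreachable"      # port 22 not forwarded: nothing to flag
    version = openssh_version(banner)
    if version is None:
        return "unknown"          # not OpenSSH, or version not advertised
    return "ok" if version >= PCI_MIN else "outdated"

if __name__ == "__main__":
    host = sys.argv[1]            # your own site's IP address
    banner = read_ssh_banner(host)
    print(banner, "->", pci_verdict(banner))
```

Versions are compared as number pairs, so a banner advertising 7.10 is correctly treated as newer than 7.3, which a plain text comparison would get wrong.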
You should also use the "Tank Gauge accessible to anyone" test, because even if you disable port 22 your Tank Gauge could still be vulnerable to attack.
Please note that this vulnerability DOES NOT affect Kachoolie!
Veeder Root, the leading Tank Gauge manufacturer, whose communications protocol is used in most Tank Gauges, suggests configuring password protection to secure Tank Gauges connected to the Internet.
VPNFilter Malware could read these passwords, making this protection ineffectual!
VPNFilter Malware, which has infected over 500,000 routers, supports plugins. These plugins, such as the one for Modbus and a packet sniffer, allow traffic to industrial devices to be monitored. Cisco, which discovered the Malware, is still analysing it for more plugins.
The packet sniffer plugin could be reading and gathering Tank Gauge passwords, making the password protection ineffectual. As Modbus and the Veeder Root protocol are the industry standards predating the Internet and are used by thousands of devices, a Veeder Root plugin may exist.
The FBI recommends rebooting routers immediately. This eliminates stage 2 and 3 of the malware but leaves stage 1 and the possibility of re-infection with stages 2 and 3.
FBI officials warned: “Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.”
The device in our context is the Tank Gauge, and remote access is enabling port forwarding on port 10001. Unfortunately, strong passwords and encryption are not possible with Veeder Root's password protection, and the latest available firmware does not improve the password protection.
So what's left?
Cisco recommends resetting the router to factory defaults to eliminate stage 1.
If you do follow Cisco's recommendation, we suggest that you save your router's settings, as you will need them to reconfigure the router, especially port forwarding on port 10001 so that the tank gauge can be polled.
Please note that this vulnerability DOES NOT affect Kachoolie.
For an understanding of VPNFilter Malware, see Kelly Jackson Higgins's Dark Reading article.