Researchers at Trend Micro have found evidence that at least one internet-facing gas pump in the United States has been hacked by an actor using the call-sign of the hacking group Anonymous. The report, by senior threat researcher Kyle Wilhoit and independent researcher Stephen Hilt, follows up on recent revelations of the vulnerability of North America’s gas pumps to cyber-attack, but its findings are more than theoretical:

“It became apparent that an attacker had modified one of these pump-monitoring systems in the U.S. This pump system was found to be Internet facing with no implemented security measures. The pump name was changed from “DIESEL” to “WE_ARE_LEGION.” The group Anonymous often uses the slogan “We Are Legion,” which might shed light on possible attributions of this attack. But given the nebulous nature of Anonymous, we can’t necessarily attribute this directly to the group.”

Wilhoit and Hilt found the device by using the search engine Shodan, aka ‘Google for devices’, which allows research access to internet-facing machines, including video cameras, infrastructure monitoring equipment and critical interfaces such as traffic light control systems.


Statistics provided by Trend Micro indicate that gas-pump vulnerabilities are currently a uniquely American attack vector, since the U.S. contains 98.350% of the world’s internet-facing gas pump control mechanisms, with Canada a distant second at 0.528% and the Cayman Islands, New Zealand and Jamaica barely on the scale behind North America.

The report notes that besides Shodan, attackers also use the port-scanning tool Nmap to identify vulnerable devices.

“Overall statistics derived from Shodan are concerning,” say the researchers. “At the time of writing, there were over 1,515 gas pump monitoring devices Internet exposed worldwide, all of them lacking security measures that prevent access by unauthorized entities.”

The Guardian AST monitoring system is the point of entry for potential hacks, and it exposes a number of data items for the gas pump which can be altered or reset on unprotected devices. Though the system allows for a six-digit PIN as a security barrier, the researchers found that many devices have no security measures implemented at all; it is enough for a hacker to identify a vulnerable device and begin to make changes to its settings.

Though the only change made to the hacked gas pump that Trend Micro found was the change of ID from ‘DIESEL’ to the Anonymous clarion call ‘WE_ARE_LEGION’, the report notes further potential to change readings and settings at the pump and cause disruption. It also recommends that vulnerable device ecosystems move over to the more secure and encrypted control available via SCADA (Supervisory Control and Data Acquisition), which would keep critical systems from being discovered through search and exposed via their IP addresses.

“Our investigation shows that the tampering of an Internet-facing device resulted in a name change. But sooner or later, real world implications will occur, causing possible outages or even worse.”