No zero-day exploit. No sophisticated supply chain attack. No nation-state budget required.
Suspected Iranian hackers breached fuel monitoring systems at gas stations across multiple US states by exploiting automatic tank gauges that were sitting on the internet without passwords, according to multiple sources briefed on the activity. CNN first reported the intrusions on Thursday. The systems — which measure fuel levels in storage tanks — were essentially left with the front door open.
The intrusions have not caused known physical damage. Hackers were able in some cases to alter display readings on the tanks, though not the actual fuel levels. But the breach has alarmed officials and private experts because, in theory, access to an automatic tank gauge could allow an attacker to mask a gas leak — turning a digital intrusion into a physical safety hazard.
A Decade of Warnings, Ignored
This was not an unpredictable event. Cybersecurity researchers have been sounding alarms about internet-facing automatic tank gauges for more than ten years. In 2015, security firm Trend Micro deployed mock ATG systems online to see who would target them. A pro-Iran hacking group surfaced quickly. In 2021, Sky News cited internal Islamic Revolutionary Guard Corps documents that explicitly identified ATGs as targets for disruptive cyberattacks on gas stations.
The warnings kept coming. Bitsight TRACE researchers and the Cybersecurity and Infrastructure Security Agency (CISA) disclosed 10 critical vulnerabilities across five ATG vendors in September 2024. One vulnerability — in the ProGauge MagLink tank console — carried the maximum severity rating of 10.0. Pedro Umbelino, the Bitsight security scientist who discovered the flaws, found hundreds of these systems exposed online using basic research methods. During a three-month disclosure window, only a handful were taken offline.
Of the five affected vendors — Omntec, Alisonic, OPW, ProGauge, and Franklin Fueling Systems — two did not respond to CISA’s outreach at all, according to CyberScoop. The US is, by Bitsight’s assessment, “the most affected country by far.”
The Broader Campaign
The gas station breaches are one thread in a wider Iranian cyber campaign that has accelerated since the US-Israeli war with Iran began in late February. Tehran-linked hackers have disrupted operations at US oil and gas facilities, water utilities, and medical device manufacturer Stryker, where manipulation of the company’s Microsoft Intune environment caused brief manufacturing and shipping delays in March, according to a joint advisory from the FBI and CISA.
Iranian actors are “under pressure and are trying to strike wherever they find an opening in cyberspace,” Yossi Karadi, head of Israel’s National Cyber Directorate, told CNN.
The FBI and CISA advisory, released Tuesday, warned that Iran-linked actors have exploited internet-facing programmable logic controllers made by Rockwell Automation and Allen-Bradley. More than 3,000 Rockwell devices remain visible on the public internet, according to Markus Mueller, field CISO at Nozomi Networks — either because organizations don’t know they’re exposed or because they underestimate the risk.
Iran’s cyber capabilities have long been considered inferior to those of China or Russia. But the wartime campaign suggests Tehran is more capable and opportunistic than its reputation allows. Allison Wikoff, a director on PwC’s threat intelligence team, described a shift toward “faster iteration, more layered hacktivist personas, and likely AI-driven scaling for reconnaissance and phishing.”
Soft Targets, Hard Questions
US officials suspect Iran’s involvement in the ATG breaches based on the country’s documented history of targeting those specific systems. But they caution that a lack of forensic evidence may prevent definitive attribution.
The systemic failure is not a mystery. Thousands of industrial control systems — fuel monitors, water pressure gauges, programmable controllers — sit connected to the internet with minimal protection. Patching them is difficult: the equipment runs continuously, often sits in remote locations, and was typically installed by operators with no cybersecurity expertise. Vendors have been slow to respond, and in some cases haven’t responded at all.
The EPA, Department of Energy, NSA, and US Cyber Command all participated in this week’s joint advisory, urging operators to enable multifactor authentication, remove devices from the public internet, and check logs for suspicious activity. That such basic hygiene instructions constitute urgent federal guidance in 2026 tells you everything about the state of US infrastructure security.
The gas station hacks didn’t require sophistication. That’s what makes them worrying.