• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
DefCon 2012 - Power Smart Meter Hacking
 

DefCon 2012 - Power Smart Meter Hacking

on

  • 6,517 views

"When you look at a Smart Meter, it practically winks at you. Their Optical Port calls to you. It calls to criminals as well. But how do criminals interact with it? We will show you how they look into ...

"When you look at a Smart Meter, it practically winks at you. Their Optical Port calls to you. It calls to criminals as well. But how do criminals interact with it? We will show you how they look into the eye of the meter. More specifically, this presentation will show how criminals gather information from meters to do their dirty work. From quick memory acquisition techniques to more complex hardware bus sniffing, the techniques outlined in this presentation will show how authentication credentials are acquired. Finally, a method for interacting with a meter's IR port will be introduced to show that vendor specific software is not necessary to poke a meter in the eye."

Statistics

Views

Total Views
6,517
Views on SlideShare
6,505
Embed Views
12

Actions

Likes
2
Downloads
67
Comments
0

3 Embeds 12

https://twitter.com 6
http://storify.com 3
http://www.slashdocs.com 3

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution-NonCommercial-ShareAlike LicenseCC Attribution-NonCommercial-ShareAlike LicenseCC Attribution-NonCommercial-ShareAlike License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    DefCon 2012 - Power Smart Meter Hacking DefCon 2012 - Power Smart Meter Hacking Presentation Transcript

    • Looking Into The Eye Of The Meter Don C. Weber InGuardians, Inc.Copyright 2012 InGuardians, Inc. 1
    • Cutaway and InGuardians http://www.linkedin.com/in/cutaway http://inguardians.com/infoCopyright 2012 InGuardians, Inc. 2
    • Smart Meter Research Findings REDACTEDCopyright 2012 InGuardians, Inc. 3
    • Research Disclaimer • Yes, I conduct assessments on AMI components • No, I will not tell you for which clients • No, I will not tell you which vendor products I have analyzed • Yes, many of these images are genericCopyright 2012 InGuardians, Inc. 4
    • Danger Electrocution I am not responsible for your actions. InGuardians, Inc. is not responsible for your actions. Random Image Taken From: http://www.flickr.com/photos/lwr/132854217/Copyright 2012 InGuardians, Inc. 5
    • Permission-based Research / Penetration Testing Unauthorized Testing Is Illegal EVEN IF THE METER IS ON YOUR HOUSE. Getting Permission For Research IS NOT IMPOSSIBLE. Contact Vendors. I am not responsible for your actions. InGuardians, Inc. is not responsible for your actions.Copyright 2012 InGuardians, Inc. 6
    • Agenda • Purpose • Smart Meters • Criminals and Smart Meters • Attack/Assessment • Optical Tool • Mitigations Not So Random Image Taken From: http://www.willhackforsushi.com/?p=349Copyright 2012 InGuardians, Inc. 7
    • Purpose: Presentation and Toolkit • Smart Meter data acquisition techniques have been known since January 5, 2009 – Advanced Metering Infrastructure Attack Methodology [1] – Some vendors/utilities/people/teams are still not aware • Tools to: – Test functionality – Validate configuration – Generate anomalous data [1] http://inguardians.com/pubs/AMI_Attack_Methodology.pdfCopyright 2012 InGuardians, Inc. 8
    • What Criminals Can Attack • Access and change data on meter • Gain access to wireless communications • Subvert field hardware to impact internal resourcesCopyright 2012 InGuardians, Inc. 9
    • Criminal Interest • Free or Reduced Energy HAS ALREADY • Corporate Espionage OCCURRED VIA OPTICAL PORT • Access To Back-End Resources • Non-Kinetic Attack • HacktivismCopyright 2012 InGuardians, Inc. 10
    • Aggregator On Poletop Random Image Taken From: http://www.blogcdn.com/www.engadget.com/ media/2009/12/091204-smartgrid-01.jpgCopyright 2012 InGuardians, Inc. 11
    • Only One Winks At YouCopyright 2012 InGuardians, Inc. 12
    • Where To Start? Steal This? State of Texas: Class B Misdemeanor Theft - $50 to $500 Jail <180 Days and/or Fine <$2000 Meter near my barber shop. The exposed contacts scared me.Copyright 2012 InGuardians, Inc. 13
    • Components and Interaction DANGER!!! • Data At Rest – Microcontrollers – Memory – Radios • Data In Motion – MCU to Radio – MCU to MCU – MCU to Memory – Board to Board – IR to MCU Image Take From: http://www.ifixit.com/Teardown/XXXXXXX-Smart-Meter-Teardown/5710/1Copyright 2012 InGuardians, Inc. 14
    • Data At Rest SPI/I2C Serial/ Parallel EEPROM – PDIP/SOIJ/SOIC NAND/NOR/NVRAM/SRAM/ CellularRAM/PSRAM/SuperFlash/ DataFlash – BGA/FBGA/VFBGACopyright 2012 InGuardians, Inc. 15
    • Dumping Memory Total Phase Aardvark Xeltek SuperPro 5000 Flash Utility plus Adapter Custom ExtractorsCopyright 2012 InGuardians, Inc. 16
    • Memory Layout Logic • Data Storage Standards – C12.19 Tables in Transit • Standard Tables – formatted and documented • Manufacturer Tables – formatted but not externally documented – Custom • Obfuscated Information and Tables • Extended memory for firmware • SWAP SpaceCopyright 2012 InGuardians, Inc. 17
    • Data In Motion Component To Component Board to Board Random image take from some random Internet siteCopyright 2012 InGuardians, Inc. 18
    • Data Eavesdropping – Step One Simple Tapping with Logic AnalyzerCopyright 2012 InGuardians, Inc. 19
    • Data Eavesdropping – Step Two Persistent tapping by soldering leads to components Provides consistent monitoring for research and developmentCopyright 2012 InGuardians, Inc. 20
    • ANSI C12 Communication Protocols C12.21: Is Worse – because people think it is “secure” C12.22: ANSI C12.18: Is Okay – committee has because you know stated vendors what you are should be getting. implementing thisCopyright 2012 InGuardians, Inc. 21
    • Logic Analyzer - Async Serial • Analyzers can decode digital signal • Export data to CSV formatted files C12.21 Identification OK End-of-list Service Standard Response 0x00 == C12.18 Version Packet 0x02 == C12.21 RevisionCopyright 2012 InGuardians, Inc. 22
    • C12.18 Packet Basics C12.21 Identification Service Request Packet • Start packet character • Identity • Control Field • Sequence Number • Length • Data – Identification Service • CCITT CRCCopyright 2012 InGuardians, Inc. 23
    • C12.18 Protocol Basics • C12.18 Request/Response Pattern – Identification – Negotiation – Logon – Security – Action (Read, Write, Procedure) – Logoff – TerminateCopyright 2012 InGuardians, Inc. 24
    • CSV Parser FunctionalityCopyright 2012 InGuardians, Inc. 25
    • Replay Tables To Talk To TablesCopyright 2012 InGuardians, Inc. 26
    • Advanced Persistent Tether • Serial Transmitter – Receive possible • Replay C12.18 Packets • C12.19 Table Interaction – Read Tables – Write Tables – Run Procedures • Receive Responses via Logical Analyzer • Parse Responses by HandCopyright 2012 InGuardians, Inc. 27
    • Hardware Client FunctionalityCopyright 2012 InGuardians, Inc. 28
    • Wink! Wink! Wink! Wink!Copyright 2012 InGuardians, Inc. 29
    • Lean In For A Closer LookCopyright 2012 InGuardians, Inc. 30
    • ANSI Type 2 Optical Port: Not Your Typical Infra-red Port Remote Control Devices Provides /dev/ttyUSB0 via FTDI chipCopyright 2012 InGuardians, Inc. 31
    • Open Source Optical Probe? http://iguanaworks.net/Copyright 2012 InGuardians, Inc. 32
    • What Do We Need To Do This? • Serial Transceiver Driver • C12.18 Packet Driver • C12.18 Client – Reads and parses C12.19 Tables – Writes to C12.19 Tables – Runs C12.19 Procedures – Easy Function Updates – Easy Access To All FunctionsCopyright 2012 InGuardians, Inc. 33
    • OptiGuard A Smart Meter Assessment Toolkit Image borrowed from: http://www.geekologie.com/2011/01/windows_to_the_soul_eyeball_cl.phpCopyright 2012 InGuardians, Inc. 34
    • Permission-based Research / Penetration Testing Unauthorized Testing Is Illegal EVEN IF THE METER IS ON YOUR HOUSE. Getting Permission For Research IS NOT IMPOSSIBLE. Contact Vendors. I am not responsible for your actions. InGuardians, Inc. is not responsible for your actions.Copyright 2012 InGuardians, Inc. 35
    • OptiGuard Menu • Notes – Requires a VALID C12.18 Security Code to modify tables or run procedures – Currently only works with some meters – Vendor specific functions may be required – C12.18 functions are coded for easy implementation and modification – Optical transfer is finicky and fuzzing / brute forcing is hit or miss and must be monitored – Brute force procedure runs have been known to disconnect/connect meters – Brute force procedure runs have been known to brick metersCopyright 2012 InGuardians, Inc. 36
    • Using The Eye Chart • Can check one code ~ every 2 seconds • 12277 x 2 seconds = 409 minutes = 6.8 hours • Hmmm, are failed logons logged? • Does the meter return an error after N attemptsCopyright 2012 InGuardians, Inc. 37
    • Open Wide for a Deep Look Inside Random Image Taken From: http://www.gonemovies.com/www/Hoofd/A/PhotoLarge.php?Keuze=KubrickClockworkCopyright 2012 InGuardians, Inc. 38
    • Mitigations - General • Residential meters on businesses – Evaluate for increased risk to client • Limit Shared Security Codes – Difficult to implement a single security per meter – Can vary in numerous ways: • Vendor • Commercial and Residential meter • Zip CodeCopyright 2012 InGuardians, Inc. 39
    • Mitigations – General (2) • Incident Response Planning – Prioritize Critical Field Assets – Incident Response Plan and Training • Employee Training – Identify – Report – RespondCopyright 2012 InGuardians, Inc. 40
    • Mitigations - Physical • Tamper Alerts – May seem overwhelming, initially – Experience will identify correlating data to escalate appropriately • Toggle Optical Port – Use a switch that activates optical interface – Should generate a tamper alertCopyright 2012 InGuardians, Inc. 41
    • Mitigations – Data At Rest • Secure Data Storage – Encryption <- must be implemented properly – Hashes <- must be implemented properly • Configuration Integrity Checks – Vendor Specific – Some solutions systems already do this – Meters should function with old configuration until approved / deniedCopyright 2012 InGuardians, Inc. 42
    • Mitigations – Data In Motion • IR Interaction Authorization Tokens – Breaking or Augmenting Standard? • Microcontroller to <INSERT HERE> – C12.22 – Obfuscated ProtocolsCopyright 2012 InGuardians, Inc. 43
    • OptiGuard Offspring? • Wireless Optical Port Readers – Small cheap magnetic devices activated wirelessly • Optical Port Spraying – IR interaction without touching meter • Wireless Hardware Sniffers/MITM – Detect updates and modify data in transit • Neighborhood Area Network FHSS Eavesdropping – Channels, Spacing, Modulation, Sync Bytes, EtcCopyright 2012 InGuardians, Inc. 44
    • Vendor Participation • The following people helped out in various important ways during this journey. – Ed Beroset, Elster – Robert Former, Itron – Others who have asked not to be namedCopyright 2012 InGuardians, Inc. 45
    • Those Who Must Be Thanked Gretchen, Garrison, Joshua Wright and Collier Weber Matt Carpenter Andrew Righter Tom Liston Atlas Travis Goodspeed Daniel Thanos InGuardians John SawyerCopyright 2012 InGuardians, Inc. 46
    • consulting@inguardians.com Tell Them Cutaway Sent You Don C. Weber / Cutaway: don@inguardians.comCopyright 2012 InGuardians, Inc. 47