How I learned to Stop Worrying and Start Loving the Smart Meter


Published on

Presented by: Spencer McIntyre, SecureState

Abstract: Smart Meter Security is a growing topic in the security industry that hasn’t been discussed to its full potential. This presentation will discuss the types of vulnerabilities that have been found in Smart Meters, and give examples from real world assessments we’ve conducted. Different methods of accessing the meter will be presented such as over the optical interface and the Zigbee wireless radio. In addition, we will discuss a testing methodology we’ve developed which covers Smart Meter testing with the open source Termineter framework developed by the presenter. Finally a live demonstration of the attacks that were discussed will be performed on a real Smart Meter during the presentation for the audience. Finally the newest features in the Termineter framework will be discussed including the support for connecting to Meters over TCP/IP networks using C12.22.

Audience members will leave the presentation with a detailed understanding of the types of vulnerabilities that affect smart meters and how they can be leveraged by an attacker.

Published in: Technology, Business
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

How I learned to Stop Worrying and Start Loving the Smart Meter

  1. 1. Spencer McIntyre, SecureState EnergySec Summit Presentation 9/19/2013 PRESENTATION
  2. 2. Data Classification: Public AGENDA  Smart Meters in the “Big Picture”  Role in AMI (Advanced Metering Infrastructure)  Why attack the Meter?  Information  Access  How do we attack the meter?  Access mechanisms  Termineter Framework (w/Demo!) 2
  3. 3. Data Classification: Public ABOUT YOUR PRESENTER  Spencer McIntyre (OSCP, OSEE) Open Source Contributor  Research lead on SecureState's Research and Innovation team  Background/Specialization  Vulnerability & Tool development  “Special Projects” 3
  4. 4. Data Classification: Public SECURESTATE OVERVIEW Management Consulting Firm: Specializing in Information Security Est. 2001 – more than 11 years in business We solve complex information security problems by using technical services to facilitate strategic decisions. By identifying the problem in a causal relationship we can provide tactical and strategic recommendations to position our clients in achieving their SecureState. 4
  5. 5. Background 5
  6. 6. What is AMI AMI (Advanced Metering Infrastructure) Allows two way communication with the meter ○Compared to AMR which only allows for one way communication Allows automatic, remote readings and configuration Today, we’re focusing on the meter component 6 BACKGROUND
  7. 7. The old days of stealing with magnets are ending USA Today estimate $6 billion in power stolen each year AMI is still being deployed in many locations 7 BACKGROUND
  8. 8. Why? Assessing the Situation 8
  9. 9. Same two reasons we typically attack anything Information ○Control of information Access Consumers have physical access Smart Meters deployments are increasing Physical access is a security worst-case scenario 9 WHY ATTACK METERS?
  10. 10. Meters store usage information Information can be modified to affect billing Modification results in fraud Usage can be profiled Electric meters would be best bet Peak usage can identify when occupants are home or building is in use 1 0 INFORMATION
  11. 11. Some meters can access the service provider’s internal network via Cellular connection Not the case when a central unit is used to collect data Meter has a SIM card Requires typical SIM card settings (APN, username, password, etc.) Either direct internet access or private network access 1 1 ACCESS
  12. 12. Attacker with physical access can open the meter and retrieve the SIM card Guess/Bruteforce Settings APN Username (if set) Password (if set) Internal network access 1 2 CASE STUDY
  13. 13. How? On the Offense 1 3
  14. 14. At a basic level, there are two mechanisms Wireless ○Zigbee ○Cellular Wired ○Optical Interface Data collectors often also have TCP/IP connection ○Network accessible 1 4 ACCESSING METERS
  15. 15. What is Zigbee? Low power/Low cost wireless mesh network Ideal for use with Smart Meters Low power and mesh- based architecture makes it ideal Pretty reliable 1 5 ZIGBEE
  16. 16. Central collector Allows for single cell connection Consumer grade devices Readers Thermostats Not typically used for inter- meter communications Mesh network does require meters to relay information 1 6 ZIGBEE
  17. 17. Association is dependent on a few things Pairing Window Encryption Key (sometimes) Pairing window is often configured/controlled by the service provider Not all service providers agree on acceptable length Ranges from 1 week to infinite 1 7 ZIGBEE ACCESS
  18. 18. Encryption is often available but must be enabled Based on AES Security types include: ○None ○Encrypted ○Encrypted with authentication check ○Unencrypted with authentication check Keys can be negotiated/distributed Uncommon with meters, they are often statically set by the provider 1 8 ZIGBEE ACCESS
  19. 19. Killerbee is invaluable for assessing the Zigbee portion zbstumbler Finding devices zbscapy Killerbee + Scapy Offers live capturing, injection and encryption options 1 9 WEAPON OF CHOICE: KILLERBEE
  20. 20. 2 0 ZBSCAPY
  21. 21. 21 DATA COLLECTORS Data collectors aggregate information Often use C12.22 and are network accessible C12.22 is still an unexplored attack surface A combination of authentication, encryption and device IDs make attacks difficult Attacks are still possible however
  22. 22. 22 DATA COLLECTOR SNIFFING Network enabled serial sniffing No authentication required Contacted the vendor
  23. 23. Meters can be accessed using a physical connection ANSI Type-2 Optical Probe (sounds dirty) Couple of standards in use here C12.18 ○Defines standards for accessing data (requests/responses) C12.19 ○Defines standards for data formats 2 3 WIRED ACCESS
  24. 24. Tables are broken up into “decades” based on IDs General Configuration 0-9 Security Tables 40-49 ○Defines access permissions History and Event Logs 70-79 Telephone/Modem Control 90-99 About 10 more defined by C12.19-2008 Standard 2 4 C12.19 BACKGROUND
  25. 25. Optical Probes are expensive (~$500) Can be created for cheaper? Use infrared transceivers 2 5 PHYSICAL EQUIPMENT
  26. 26. The “Termineter” Framework provides access to meters over C12.18 Modeled after the Metasploit Framework for ease of use Implemented in Python Includes full C12.18 stack and C12.19 library Released last week Open Source (GPLv3) 2 6 INTRODUCTION: TERMINETER
  27. 27. Currently interacts with meters via a serial connection Core features implemented as modules 14 modules in total Modules mostly focus on reading/writing to C12.19 tables Everything involves reading/writing to tables Even running “Procedures” 2 7 TERMINETER: FEATURES
  28. 28. Included Modules: Basic information retrieval Brute forcing authentication Reading/Writing to tables (low-level) Dump tables and perform a “diff” 2 8 TERMINETER: MODULES
  29. 29. Modules require some knowledge (not quite script-kiddie ready) Mostly of valid data to write to tables Procedures can be tricky, check the documentation Some modules can automate common tasks Changing the Meter’s ID Setting the Meter’s operating mode 2 9 TERMINETER: MODULES
  30. 30. Common security issues Some table values can be modified without proper authentication (via invalid password) Some meters ignore username and user ID field with authenticating users No lock out, just logging of failed attempts 3 0 TERMINATING WITH TERMINETER
  31. 31. Let the demos begin! 3 1 TERMINETER DEMO
  32. 32. Getting this far has been a fight Future plans include Zigbee integration Support for character sets beyond 7-bit Additional modules ○Easier access to procedures 3 2 TERMINETER FUTURE
  33. 33. 3 3
  34. 34. References Killerbee: ANSI C12.18 Standard ANSI C12.19 Standard 3 4
  35. 35. Thank you for your time! Spencer McIntyre Email: Twitter: @zeroSteiner Termineter Homepage: 3 5 Q U E S T I O N S A N S W E R S