How I Learned To Stop Worrying and Love the Smart Meter

September 30th, 2012, DerbyCon 2.0, Spencer McIntyre

Upload: zerosteiner

Post on 12-Aug-2015



About Your Presenter

Spencer McIntyre

Security Consultant on SecureState's Research and Innovation team

Background/Specialization
  Tool development
  “Special Projects”

Agenda:
  Meter Background
  Attacking Meters

Background: What is AMI

AMI (Advanced Metering Infrastructure)
  The infrastructure to communicate with gas, water and electric meters
  Allows two-way communication with the meter
    ○ Compared to AMR, which only allows for one-way communication
Component in a smart grid
Allows automatic, remote readings and configuration
Today, we’re focusing on the meter component

Background

The old days of stealing with magnets are ending

USA Today estimates $6 billion in power stolen each year

AMI is still being deployed in many locations

Why Attack Smart Meters?

Same two reasons we typically attack anything
  Information
    ○ Control of information
  Access
Consumers have physical access
Smart Meters are growing in popularity

Information

Meters store usage information
  Information can be modified to affect billing
  Modification results in fraud
Usage can be profiled
  Electric meters would be best bet
  Peak usage can identify when occupants are home or building is in use

Access

Some meters can access the service provider’s internal network via cellular connection
  Not the case when a central unit is used to collect data
Meter has a SIM card
  Requires typical SIM card settings (APN, username, password, etc.)
  Either direct internet access or private network access

Case Study

Attacker with physical access can open the meter and retrieve the SIM card
Guess/Bruteforce Settings
  APN
  Username (if set)
  Password (if set)
Internal network access

Accessing Meters

At a basic level, there are two mechanisms
  Wireless
    ○ Zigbee
    ○ Cellular
  Wired (We’re only covering this one)
    ○ Optical Interface

Wired Access

Meters can be accessed using a physical connection
  ANSI Type-2 Optical Probe (sounds dirty)
Couple of standards in use here
  C12.18
    ○ Defines standards for accessing data (requests/responses)
  C12.19
    ○ Defines standards for data formats

C12.19 Background

Tables are broken up into “decades” based on IDs
  General Configuration 0-9
  Security Tables 40-49
    ○ Defines access permissions
  History and Event Logs 70-79
  Telephone/Modem Control 90-99
  About 10 more defined by C12.19-2008 Standard

Physical Equipment

Optical Probes are expensive (~$500)
Can be created for cheaper?
  Use infrared transceivers

Introduction: Termineter

The “Termineter” Framework provides access to meters over C12.18
Modeled after the Metasploit Framework for ease of use
Implemented in Python
  Includes full C12.18 stack and C12.19 library
Released last week
Open Source
  http://code.google.com/p/termineter

Termineter: Features

Currently interacts with meters via a serial connection
Core features implemented as modules
  12 modules in total
Modules mostly focus on reading/writing to C12.19 tables
Everything involves reading/writing to tables
  Even running “Procedures”

Termineter: Modules

Included Modules:
  Basic information retrieval
  Brute forcing authentication
  Reading/Writing to tables (low-level)

Termineter: Modules

Modules require some knowledge (not quite script-kiddie ready)
  Mostly of valid data to write to tables
  Procedures can be tricky, check the documentation
Some modules can automate common tasks
  Changing the Meter’s ID
  Setting the Meter’s operating mode

Terminating with Termineter

Common security issues
  Some table values can be modified without proper authentication (via invalid password)
  Some meters ignore username and user ID field when authenticating users
  No lock out, just logging of failed attempts
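
Added example (not from the original slides or from Termineter): because the meters described above only log failed attempts and may ignore the user ID, detection has to happen on the utility side. This Python code flags repeated failed logons per meter and table writes with no preceding successful logon; the log format and event names (LOGON_FAIL, LOGON_OK, LOGOFF, TABLE_WRITE) are hypothetical and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample; the "timestamp key=value" format and event names are assumptions.
SAMPLE_LOG = """\
2012-09-30T10:00:00 meter=M-1001 event=LOGON_FAIL user_id=2
2012-09-30T10:00:05 meter=M-1001 event=LOGON_FAIL user_id=3
2012-09-30T10:00:09 meter=M-1001 event=LOGON_FAIL user_id=4
2012-09-30T10:05:00 meter=M-2002 event=LOGON_OK user_id=1
2012-09-30T10:05:10 meter=M-2002 event=TABLE_WRITE table=5
2012-09-30T10:06:00 meter=M-3003 event=LOGON_FAIL user_id=1
2012-09-30T10:06:02 meter=M-3003 event=TABLE_WRITE table=5
garbage line
"""

def parse_line(line):
    """Return (timestamp, fields) or None if the line is malformed."""
    parts = line.split()
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except (IndexError, ValueError):
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return (ts, fields) if fields.keys() >= {"meter", "event"} else None

def find_suspicious(lines, threshold=3, window=timedelta(minutes=10)):
    """Return (kind, meter, timestamp) findings; lines are assumed time-ordered."""
    failures = defaultdict(deque)   # meter -> timestamps of recent failed logons
    authed = defaultdict(bool)      # meter -> is the current session authenticated?
    flagged, findings = set(), []
    for ts, f in filter(None, map(parse_line, lines)):
        meter, event = f["meter"], f["event"]
        if event in ("LOGON_OK", "LOGON_FAIL", "LOGOFF"):
            authed[meter] = event == "LOGON_OK"
        if event == "LOGON_FAIL":
            # Count per meter, not per user: some meters ignore the user ID field.
            q = failures[meter]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and meter not in flagged:
                flagged.add(meter)
                findings.append(("bruteforce", meter, ts))
        elif event == "TABLE_WRITE" and not authed[meter]:
            # Write with no successful logon before it (the invalid-password case).
            findings.append(("unauth_write", meter, ts))
    return findings

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG.splitlines()))
```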


Termineter Demo

Let the demos begin!

Termineter Future

Getting this far has been a fight
Future plans include
  Zigbee integration
  Support for character sets beyond 7-bit
  Additional modules
    ○ Easier access to procedures


References

ANSI C12.18 Standard
ANSI C12.19 Standard

Thank you for your time!

Spencer McIntyre

Email: [email protected]

Twitter: @zeroSteiner

Termineter Homepage: http://code.google.com/p/termineter

Q&A: Questions & Answers