How I Learned To Stop Worrying and Love the Smart Meter
September 30th, 2012
DerbyCon 2.0
Spencer McIntyre
2
About Your Presenter
Spencer McIntyre
Security Consultant on SecureState's Research and Innovation team
Background/Specialization
Tool development
“Special Projects”
3
Agenda:
  Meter Background
  Attacking Meters
4
Background: What is AMI
AMI (Advanced Metering Infrastructure)
  The infrastructure to communicate with gas, water and electric meters
  Allows two-way communication with the meter
    ○ Compared to AMR, which only allows for one-way communication
Component in a smart grid
Allows automatic, remote readings and configuration
Today, we’re focusing on the meter component
5
Background
The old days of stealing with magnets are ending
USA Today estimates $6 billion in power stolen each year
AMI is still being deployed in many locations
6
Why Attack Smart Meters?
Same two reasons we typically attack anything
  Information
    ○ Control of information
  Access
Consumers have physical access
Smart Meters are growing in popularity
7
Information
Meters store usage information
  Information can be modified to affect billing
  Modification results in fraud
Usage can be profiled
  Electric meters would be best bet
  Peak usage can identify when occupants are home or building is in use
8
Access
Some meters can access the service provider’s internal network via cellular connection
  Not the case when a central unit is used to collect data
Meter has a SIM card
  Requires typical SIM card settings (APN, username, password, etc.)
  Either direct internet access or private network access
9
Case Study
Attacker with physical access can open the meter and retrieve the SIM card
Guess/Bruteforce Settings
  APN
  Username (if set)
  Password (if set)
Internal network access
10
Accessing Meters
At a basic level, there are two mechanisms
  Wireless
    ○ Zigbee
    ○ Cellular
  Wired (We’re only covering this one)
    ○ Optical Interface
11
Wired Access
Meters can be accessed using a physical connection
  ANSI Type-2 Optical Probe (sounds dirty)
Couple of standards in use here
  C12.18
    ○ Defines standards for accessing data (requests/responses)
  C12.19
    ○ Defines standards for data formats
12
C12.19 Background
Tables are broken up into “decades” based on IDs
  General Configuration 0-9
  Security Tables 40-49
    ○ Defines access permissions
  History and Event Logs 70-79
  Telephone/Modem Control 90-99
About 10 more defined by C12.19-2008 Standard
13
Physical Equipment
Optical Probes are expensive (~$500)
Can be created for cheaper?
  Use infrared transceivers
14
Introduction: Termineter
The “Termineter” Framework provides access to meters over C12.18
Modeled after the Metasploit Framework for ease of use
Implemented in Python
Includes full C12.18 stack and C12.19 library
Released last week
Open Source
http://code.google.com/p/termineter
15
Termineter: Features
Currently interacts with meters via a serial connection
Core features implemented as modules
  12 modules in total
Modules mostly focus on reading/writing to C12.19 tables
  Everything involves reading/writing to tables
  Even running “Procedures”
16
Termineter: Modules
Included Modules:
  Basic information retrieval
  Brute forcing authentication
  Reading/Writing to tables (low-level)
17
Termineter: Modules
Modules require some knowledge (not quite script-kiddie ready)
  Mostly of valid data to write to tables
  Procedures can be tricky, check the documentation
Some modules can automate common tasks
  Changing the Meter’s ID
  Setting the Meter’s operating mode
18
Terminating with Termineter
Common security issues
  Some table values can be modified without proper authentication (via invalid password)
  Some meters ignore username and user ID field when authenticating users
  No lock out, just logging of failed attempts
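The issues on this slide (writes accepted after a bad password, no lockout, failed attempts only logged) can be watched for on the utility side. The following is an added example, not part of the talk or of Termineter: a small reviewer over meter session records that uses the C12.19 decades from the earlier slide. The record layout, meter names and failure threshold are assumptions made for illustration.

```python
from collections import Counter

# C12.19 decades named on the slide; the standard defines more.
DECADES = {0: "General Configuration", 4: "Security Tables",
           7: "History and Event Logs", 9: "Telephone/Modem Control"}

# Constructed sample records (meter, action, table_id). This layout is an
# assumption for illustration, not a C12.19 or vendor log format.
SAMPLE_EVENTS = [
    ("meter-A", "logon_fail", None),
    ("meter-A", "logon_fail", None),
    ("meter-A", "logon_fail", None),
    ("meter-A", "write", 5),       # write accepted after only failed logons
    ("meter-B", "logon_ok", None),
    ("meter-B", "write", 42),      # authenticated, but touches a security table
    ("meter-B", "write", 72),
]

def decade_name(table_id):
    """Map a standard table ID to the decade it belongs to."""
    return DECADES.get(table_id // 10, "other decade")

def review(events, max_failures=3):
    """Return (meter, finding, table_id) alerts for one session log."""
    alerts, failures, logged_on = [], Counter(), set()
    for meter, action, table_id in events:
        if action == "logon_fail":
            failures[meter] += 1
            logged_on.discard(meter)
            # The meter does not lock out, so the threshold lives here.
            if failures[meter] == max_failures:
                alerts.append((meter, "failed-logon-threshold", None))
        elif action == "logon_ok":
            logged_on.add(meter)
        elif action == "write" and meter not in logged_on:
            alerts.append((meter, "write-without-logon", table_id))
        elif action == "write" and decade_name(table_id) == "Security Tables":
            alerts.append((meter, "security-table-write", table_id))
    return alerts

if __name__ == "__main__":
    for meter, finding, table_id in review(SAMPLE_EVENTS):
        where = "" if table_id is None else f" table {table_id} ({decade_name(table_id)})"
        print(f"{meter}: {finding}{where}")
```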
19
Termineter Demo
Let the demos begin!
20
Termineter Future
Getting this far has been a fight
Future plans include
  Zigbee integration
  Support for character sets beyond 7-bit
  Additional modules
    ○ Easier access to procedures
21
22
References
ANSI C12.18 Standard
ANSI C12.19 Standard
23
Thank you for your time!
Spencer McIntyre
Email: [email protected]
Twitter: @zeroSteiner
Termineter Homepage: http://code.google.com/p/termineter
Q&A: Questions and Answers