Neighborhood Watch: Security and Privacy Analysis of Automatic Meter Reading Systems
Presenter: Rob Miller
Ishtiaq Rouf, Hossen Mustafa, Miao Xu, Wenyuan Xu, Dept. of CSE, University of South Carolina
Rob Miller, Applied Communication Sciences
Marco Gruteser, WINLAB, Rutgers University
Electric Meters
• Smart meters
  – Demand-response
  – Time of day use
• Automatic meter reading (AMR)
  – Gas, water, electricity
  – 47 million installed (2010)
AMR — Overview
• Communication protocols
  – Telephone line
  – Power line
  – Wireless communication
• Our focus
  – Wireless communication with drive-by trucks
• Transmission methods
  – Electric meters: bubble-up once every 30s
• Meter IDs are linked with accounts
Figure: AMR data flow (Acquisition, Transmission, Processing, Billing)
Misuse 1: Privacy
Eavesdropper monitors consumption
Figure: eavesdropper watching a house ("Empty house? Time to visit.")
Misuse 2: Spoofing
Sending spoofed packets
Figure: two spoofers, a selfish customer ("I want to pay less…") and a bad neighbor ("I don't like my neighbor…")
AMR — To Be Discovered
• Reverse engineer the communication protocol?
  – Messages encrypted? Authenticated?
• How easy to spoof AMR communication?
  – Drive-by trucks reject suspicious packets?
• Privacy risks?
  – How much information can be inferred?
• How to protect AMR communication?
Q1: Reverse-Engineering Wireless Communication
• Proprietary protocols
  – Patent
  – Manchester encoding
  – Multiple channels
  – Message formats
• Equipment (pictured: a gas meter, an electric meter, Sentry 900, Universal Software Radio Peripheral (USRP))
• To be discovered
  – Modulation schemes?
  – Baud rate, channel information?
  – Message encrypted?
Q1: Reverse-Engineering Walk-Through
An AMR meter transmits at 902~928 MHz
Scan at 902~928 MHz for activity (figure: RSS vs. samples, 0 to 3.5 x 10^5)
Determine modulation: OOK
Encoding scheme: Manchester
Determine baud rate: 16 kBd
Verify message format
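The walk-through above recovers OOK modulation, Manchester encoding and a 16 kBd rate, which is what a decoder needs. As an added example that is not part of the talk, the following slices a constructed OOK envelope into Manchester chips and recovers the bits, flagging invalid chip pairs; the sample rate, slicing threshold and chip convention are assumptions.

```python
# Added example, not from the talk: decode a Manchester-encoded OOK burst
# from envelope samples using the parameters the walk-through recovers
# (OOK, Manchester, 16 kBd). Sample rate, slicing threshold and the chip
# convention (1 = high-then-low) are assumptions; the burst is constructed.
import random

BAUD = 16_000                                   # 16 kBd from the slide
FS = 256_000                                    # assumed sample rate
SAMPLES_PER_CHIP = FS // (BAUD * 2)             # Manchester: two chips per bit

def manchester_encode(bits):
    """1 -> chips (1, 0), 0 -> chips (0, 1): one transition per bit."""
    chips = []
    for b in bits:
        chips += [1, 0] if b else [0, 1]
    return chips

def ook_envelope(chips, noise=0.05, seed=0):
    """Constructed OOK envelope: carrier on for chip 1, off for chip 0, plus noise."""
    rng = random.Random(seed)
    env = []
    for c in chips:
        env += [c + rng.gauss(0, noise) for _ in range(SAMPLES_PER_CHIP)]
    return env

def manchester_decode(env, threshold=0.5):
    """Slice the envelope into chips by majority vote, then pair chips into bits.
    Returns (bits, bad_pairs). A 00 or 11 pair is not valid Manchester: it means
    the chip clock is misaligned or the burst ended, so a decoder must flag it
    rather than silently emit bits."""
    n_chips = len(env) // SAMPLES_PER_CHIP
    chips = []
    for i in range(n_chips):
        window = env[i * SAMPLES_PER_CHIP:(i + 1) * SAMPLES_PER_CHIP]
        high = sum(1 for s in window if s > threshold)
        chips.append(1 if 2 * high > len(window) else 0)
    bits, bad = [], 0
    for i in range(0, len(chips) - 1, 2):
        pair = (chips[i], chips[i + 1])
        if pair == (1, 0):
            bits.append(1)
        elif pair == (0, 1):
            bits.append(0)
        else:
            bad += 1
    return bits, bad

def roundtrip(bits):
    """Encode, 'transmit' as an OOK envelope, and decode again."""
    return manchester_decode(ook_envelope(manchester_encode(bits)))
```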
Q1: Reverse-Engineering Results
• Observations
  – Reverse engineering possible
  – No encryption
  – Meter ID transmitted in plaintext
  – Simple frequency hopping over pre-determined channels
Q2: Packet Spoofing
• How likely to spoof AMR communication?
  – Security mechanisms in receiver?
  – Override real meter transmission?
• Spoofing system
  – Developed a packet generator
    • Include a proper checksum
    • Contain arbitrary ID, usage data, etc.
• Tested on a few instruments:
  – Sentry 900 validates packet structure
  – Drive-by truck validates…
Figure: packet generator blocks: select meter ID, tamper field and reading; Modulate (ASK); Encode (Manchester); Transmit at 916 MHz
Q2: Spoofing Validation
Figure: Meter ID: 31415926, Reading: 1233
Q3: Privacy Risks via Eavesdropping
• Eavesdropping system
  – Gas meters and electric meters
  – Developed a live eavesdropper
• How likely to eavesdrop?
  – How far away?
  – How many observable meters?
  – How much information?
Figure: eavesdropping experiment setup (electric meters, antenna; RSS vs. samples plot)
Q2: How to link a meter ID with a house?
Q3: Privacy Risks – Neighborhood Watch
Eavesdropping range can be significantly boosted by a low-noise amplifier
Figure: eavesdropping ranges marked at 300m and 70m
Privacy Risks from Traditional Methods
Figure: meter front with labels: infrared LED (flashes once per watt-hour of usage), IR flash detection circuit, digitized display, dot on-off display, ERT (Encoder, Receiver, Transmitter) module
• Privacy risks from
  • IR flash
  • LCD display
• Which one is the worst?
Privacy Breach Comparison
Figure: power (kW) over one day (12pm, 3pm, 6pm, 9pm, 12am, 3am, 6am, 9am, 12pm) as captured by IR/Image, RF (120pph), RF (25pph) and RF (6pph); water heater and washing machine events are marked (pph = packets per hour)
# of step changes: IR/Image 50, RF (120pph) 17, RF (25pph) 15, RF (6pph) 11
Time of day use
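The comparison above turns on how often the meter reports. As an added example that is not from the talk or the paper, the following constructs a day of household load and counts the step changes an eavesdropper would see at 120, 25 and 6 packets per hour; the load profile and the 0.2 kW step threshold are assumptions.

```python
# Added example, not from the talk: how the reporting rate limits what an
# eavesdropper learns. A 24-hour load (baseline plus a water heater and a
# washing machine; all values constructed) is "read" at 120, 25 and 6
# packets per hour as on the slide, counting the step changes visible at
# each rate. The 0.2 kW step threshold is an assumption.
BASELINE_KW = 0.3
STEP_KW = 0.2                  # assumed: a jump above this counts as a step change
SECONDS_PER_DAY = 86_400

# Constructed appliance events: (start_s, duration_s, added_kW)
EVENTS = [
    (10_980, 120, 4.5),        # water heater, four short 2-minute cycles
    (32_700, 120, 4.5),
    (54_180, 120, 4.5),
    (75_900, 120, 4.5),
    (64_800, 1_200, 0.5),      # washing machine wash, 20 minutes from 6pm
    (66_000, 180, 2.0),        # washing machine spin, 3 minutes
]

def power_kw(t):
    """Instantaneous load at second t of the constructed day."""
    return BASELINE_KW + sum(kw for s, d, kw in EVENTS if s <= t < s + d)

def readings(pph):
    """Readings seen when the meter bubbles up pph packets per hour."""
    assert 3600 % pph == 0, "use a rate that divides an hour"
    interval = 3600 // pph
    return [power_kw(t) for t in range(0, SECONDS_PER_DAY, interval)]

def count_step_changes(values, threshold=STEP_KW):
    """Consecutive readings that differ by more than threshold."""
    return sum(1 for a, b in zip(values, values[1:]) if abs(b - a) > threshold)

def leakage_by_rate(rates=(120, 25, 6)):
    """Step changes visible at each packet rate: fewer packets, fewer events leaked."""
    return {pph: count_step_changes(readings(pph)) for pph in rates}

if __name__ == "__main__":
    for pph, n in leakage_by_rate().items():
        print(f"{pph:>4} pph: {n} step changes visible")
```

The short water-heater cycles fall between reports at 6 pph and two of them between reports at 25 pph, which is the effect the slide's falling step-change counts show.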
Neighborhood Watch Via Eavesdropping
Defense - Legacy meters
• Cryptographic mechanisms
  – Transmit on-demand
  – Reinstall new meter or upgrade firmware?
• Spoofing
  – Radio fingerprint
  – Anomaly detection at data center
  – In-person visual inspection
• Eavesdropping: jammer add-on
  • A jamming signal to mask data packets
  • Works with drive-by
  • Narrowband jammer: 1 AMR meter
  • Wideband jammer: multiple AMR meters
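One of the spoofing defenses above, anomaly detection at the data center, as an added example that is not from the talk: plausibility checks over received readings that flag a register running backwards, an impossible consumption rate, or two values for one meter ID in the same slot. The record fields, the 20 kW ceiling and the sample stream are assumptions.

```python
# Added example, not from the talk: the "anomaly detection at data center"
# defense as plausibility checks over collected AMR readings. Record fields,
# the demand ceiling and the stream are assumptions / constructed data.
from dataclasses import dataclass

MAX_KW = 20.0                  # assumed ceiling on sustained household demand
@dataclass
class Reading:
    ts: int                    # collection time, seconds (constructed)
    meter_id: int
    kwh: float                 # cumulative register value as received
    tamper: int                # tamper field as received

def check_stream(readings, max_kw=MAX_KW):
    """Return (meter_id, ts, reason) for readings that fail plausibility:
    a register must not run backwards or advance faster than max_kw allows,
    and one ID must not report two values in one slot. Only accepted readings
    update per-meter state, so one bad packet does not poison later checks."""
    last, alerts = {}, []
    for r in sorted(readings, key=lambda x: x.ts):
        prev = last.get(r.meter_id)
        if prev is None:
            last[r.meter_id] = r
            continue
        elapsed_h = (r.ts - prev.ts) / 3600
        delta = r.kwh - prev.kwh
        if elapsed_h == 0 and delta != 0:
            alerts.append((r.meter_id, r.ts, "conflicting readings in same slot"))
        elif delta < 0:
            alerts.append((r.meter_id, r.ts, "register decreased"))
        elif delta > max_kw * elapsed_h:
            alerts.append((r.meter_id, r.ts, "implausible consumption rate"))
        elif r.tamper != prev.tamper:
            alerts.append((r.meter_id, r.ts, "tamper field changed"))
        else:
            last[r.meter_id] = r
    return alerts

# Constructed stream: the meter ID from the slides, plus an untouched meter.
SAMPLE = [
    Reading(0, 31415926, 1200.0, 0),
    Reading(1800, 31415926, 1200.4, 0),    # ~0.8 kW average: plausible
    Reading(3600, 31415926, 1233.0, 0),    # +32.6 kWh in 30 min exceeds MAX_KW
    Reading(5400, 31415926, 1201.0, 0),    # plausible, accepted
    Reading(5400, 31415926, 1201.5, 0),    # second value for the same slot
    Reading(7200, 31415926, 1199.0, 1),    # register ran backwards
    Reading(0, 27182818, 500.0, 0),
    Reading(1800, 27182818, 500.2, 0),
]
def sample_alerts():
    return check_stream(SAMPLE)
```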
Conclusions
• Privacy risks
  – AMR messages are transmitted in plaintext: anyone can eavesdrop
  – Able to eavesdrop on 500 electric meters using USRP with cheap antennas
  – Eavesdropping range of about 300 meters
• Spoofing risks
  – Spoofing attacks are possible
• Raise awareness before more serious security and privacy vulnerabilities emerge
• Jamming-based protection
I. Rouf, H. Mustafa, M. Xu, W. Xu, R. Miller, and M. Gruteser, "Neighborhood Watch: Security and Privacy Analysis of Automatic Meter Reading Systems", ACM Conference on Computer and Communications Security (CCS), October 2012.
Thank you & Questions?
• University of South Carolina
  – Ishtiaq Rouf (Itron)
  – Hossen Mustafa
  – Miao Xu
  – Wenyuan Xu ([email protected])
• Applied Communication Sciences
  – Rob Miller ([email protected])
• Rutgers University
  – Marco Gruteser ([email protected])