Presented by: Spencer McIntyre, SecureState
Abstract: Smart Meter Security is a growing topic in the security industry that hasn’t been discussed to its full potential. This presentation will discuss the types of vulnerabilities that have been found in Smart Meters, and give examples from real-world assessments we’ve conducted. Different methods of accessing the meter will be presented, such as over the optical interface and the Zigbee wireless radio. In addition, we will discuss a testing methodology we’ve developed which covers Smart Meter testing with the open source Termineter framework developed by the presenter. A live demonstration of the attacks discussed will be performed on a real Smart Meter during the presentation. Finally, the newest features in the Termineter framework will be discussed, including support for connecting to meters over TCP/IP networks using C12.22.
Audience members will leave the presentation with a detailed understanding of the types of vulnerabilities that affect smart meters and how they can be leveraged by an attacker.
2. Data Classification: Public
AGENDA
Smart Meters in the “Big Picture”
○Role in AMI (Advanced Metering Infrastructure)
Why attack the Meter?
○Information
○Access
How do we attack the meter?
○Access mechanisms
Termineter Framework (w/Demo!)
3. ABOUT YOUR PRESENTER
Spencer McIntyre (OSCP, OSEE)
Open Source Contributor
Research lead on SecureState's Research and Innovation team
Background/Specialization
○Vulnerability & Tool development
○“Special Projects”
4. SECURESTATE OVERVIEW
Management Consulting Firm: Specializing in Information Security
Est. 2001 – more than 11 years in business
We solve complex information security problems by using technical services to facilitate strategic decisions.
By identifying the problem in a causal relationship we can provide tactical and strategic recommendations to position our clients in achieving their SecureState.
6. BACKGROUND
What is AMI?
AMI (Advanced Metering Infrastructure) allows two-way communication with the meter
○Compared to AMR, which only allows one-way communication
Allows automatic, remote readings and configuration
Today, we’re focusing on the meter component
7. BACKGROUND
The old days of stealing with magnets are ending
USA Today estimates $6 billion in power stolen each year
AMI is still being deployed in many locations
9. WHY ATTACK METERS?
Same two reasons we typically attack anything
Information
○Control of information
Access
○Consumers have physical access
○Smart Meter deployments are increasing
○Physical access is a security worst-case scenario
10. INFORMATION
Meters store usage information
Information can be modified to affect billing
○Modification results in fraud
Usage can be profiled
○Electric meters would be the best bet
○Peak usage can identify when occupants are home or a building is in use
11. ACCESS
Some meters can access the service provider’s internal network via a cellular connection
○Not the case when a central unit is used to collect data
Meter has a SIM card
○Requires typical SIM card settings (APN, username, password, etc.)
○Either direct internet access or private network access
12. CASE STUDY
Attacker with physical access can open the meter and retrieve the SIM card
Guess/brute-force settings
○APN
○Username (if set)
○Password (if set)
Internal network access
14. ACCESSING METERS
At a basic level, there are two mechanisms
Wireless
○Zigbee
○Cellular
Wired
○Optical Interface
Data collectors often also have a TCP/IP connection
○Network accessible
15. ZIGBEE
What is Zigbee?
Low-power/low-cost wireless mesh network
Ideal for use with Smart Meters
○Low power and mesh-based architecture make it ideal
○Pretty reliable
16. ZIGBEE
Central collector
○Allows for single cell connection
Consumer grade devices
○Readers
○Thermostats
Not typically used for inter-meter communications
○Mesh network does require meters to relay information
17. ZIGBEE ACCESS
Association is dependent on a few things
○Pairing Window
○Encryption Key (sometimes)
Pairing window is often configured/controlled by the service provider
○Not all service providers agree on an acceptable length
○Ranges from 1 week to infinite
18. ZIGBEE ACCESS
Encryption is often available but must be enabled
○Based on AES
Security types include:
○None
○Encrypted
○Encrypted with authentication check
○Unencrypted with authentication check
Keys can be negotiated/distributed
○Uncommon with meters; they are often statically set by the provider
19. WEAPON OF CHOICE: KILLERBEE
Killerbee is invaluable for assessing the Zigbee portion
zbstumbler
○Finding devices
zbscapy
○Killerbee + Scapy
○Offers live capturing, injection and encryption options
21. DATA COLLECTORS
Data collectors aggregate information
Often use C12.22 and are network accessible
C12.22 is still an unexplored attack surface
○A combination of authentication, encryption and device IDs makes attacks difficult
○Attacks are still possible, however
23. WIRED ACCESS
Meters can be accessed using a physical connection
○ANSI Type-2 Optical Probe (sounds dirty)
A couple of standards are in use here
C12.18
○Defines standards for accessing data (requests/responses)
C12.19
○Defines standards for data formats
24. C12.19 BACKGROUND
Tables are broken up into “decades” based on IDs
○General Configuration: 0-9
○Security Tables: 40-49 (defines access permissions)
○History and Event Logs: 70-79
○Telephone/Modem Control: 90-99
About 10 more decades are defined by the C12.19-2008 Standard
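The two slides above describe C12.18 as the request/response transport and C12.19 as the table layout it carries. The following is an added example, not code from the slides or from Termineter: it frames and parses a C12.18 packet (STP byte 0xEE, identity, control, sequence number, two-byte length, data, CRC), validates the CRC, and then names the service code and, for table reads and writes, the target table and its C12.19 decade. The CRC variant (CRC-16/X-25) and its byte order are assumptions to confirm against the standard; the service-code subset is the set of C12.18 requests I am confident of; SAMPLE_READ and SAMPLE_WRITE are constructed. A monitoring or capture-analysis tool can use the same logic to flag writes into the security decade (tables 40-49), which is where access permissions live.

```python
import struct

STP = 0xEE  # C12.18 start-of-packet byte

# Subset of C12.18 request service codes (the first byte of the data field).
SERVICE_NAMES = {
    0x20: "identification",
    0x21: "terminate",
    0x30: "full table read",
    0x40: "full table write",
    0x50: "logon",
    0x51: "security (password)",
    0x52: "logoff",
}

# C12.19 table decades named on the slide; any other decade gets a generic label.
DECADE_NAMES = {
    0: "General Configuration",
    4: "Security Tables",
    7: "History and Event Logs",
    9: "Telephone/Modem Control",
}


def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25 (CCITT polynomial, reflected, init and xorout 0xFFFF).
    Assumed here as the C12.18 frame CRC; confirm against the standard."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(data: bytes, identity: int = 0, ctrl: int = 0, seq: int = 0) -> bytes:
    """Frame a data field: STP, identity, ctrl, seq_nbr, 2-byte length, data, CRC."""
    body = bytes([STP, identity, ctrl, seq]) + struct.pack(">H", len(data)) + data
    return body + struct.pack("<H", crc16_x25(body))  # CRC byte order is an assumption


def parse_frame(frame: bytes) -> dict:
    """Validate framing and CRC, returning the header fields and the data field."""
    if len(frame) < 8 or frame[0] != STP:
        raise ValueError("not a C12.18 frame")
    identity, ctrl, seq = frame[1], frame[2], frame[3]
    (length,) = struct.unpack(">H", frame[4:6])
    if len(frame) != 6 + length + 2:
        raise ValueError("length field does not match frame size")
    body = frame[: 6 + length]
    (crc,) = struct.unpack("<H", frame[6 + length:])
    if crc != crc16_x25(body):
        raise ValueError("CRC mismatch: corrupted or tampered frame")
    return {"identity": identity, "ctrl": ctrl, "seq": seq, "data": body[6:]}


def decade_name(table_id: int) -> str:
    return DECADE_NAMES.get(table_id // 10, f"decade {table_id // 10}")


def describe_request(data: bytes) -> dict:
    """Name the service and, for table reads/writes, the target table and decade.
    Writes into the security decade (40-49) change access permissions, so they
    are flagged for review against the session's authentication state."""
    service = data[0]
    info = {"service": SERVICE_NAMES.get(service, f"unknown 0x{service:02x}"), "review": False}
    if service in (0x30, 0x40) and len(data) >= 3:
        table_id = int.from_bytes(data[1:3], "big")  # table id follows the service code
        info["table_id"] = table_id
        info["decade"] = decade_name(table_id)
        info["review"] = service == 0x40 and table_id // 10 == 4
    return info


# Constructed sample traffic: a full read of table 1 and a full write aimed at table 42.
SAMPLE_READ = build_frame(bytes([0x30, 0x00, 0x01]))
SAMPLE_WRITE = build_frame(bytes([0x40, 0x00, 0x2A, 0x00, 0x01, 0x00, 0x00]))

if __name__ == "__main__":
    for frame in (SAMPLE_READ, SAMPLE_WRITE):
        print(describe_request(parse_frame(frame)["data"]))
```

Running the block prints the decoded read of table 1 (General Configuration, no review flag) and the write to table 42 (Security Tables, review flag set). Any single-bit change to a framed packet is rejected at parse_frame, which is the check a test harness or capture analyser should apply before trusting the fields.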
25. PHYSICAL EQUIPMENT
Optical Probes are expensive (~$500)
Can they be created for cheaper?
○Use infrared transceivers
26. INTRODUCTION: TERMINETER
The “Termineter” Framework provides access to meters over C12.18
Modeled after the Metasploit Framework for ease of use
Implemented in Python
Includes a full C12.18 stack and C12.19 library
Released last week
Open Source (GPLv3)
http://code.google.com/p/termineter
27. TERMINETER: FEATURES
Currently interacts with meters via a serial connection
Core features implemented as modules
○14 modules in total
Modules mostly focus on reading/writing to C12.19 tables
○Everything involves reading/writing to tables
○Even running “Procedures”
29. TERMINETER: MODULES
Modules require some knowledge (not quite script-kiddie ready)
○Mostly of valid data to write to tables
○Procedures can be tricky; check the documentation
Some modules can automate common tasks
○Changing the Meter’s ID
○Setting the Meter’s operating mode
30. TERMINATING WITH TERMINETER
Common security issues
○Some table values can be modified without proper authentication (via an invalid password)
○Some meters ignore the username and user ID fields when authenticating users
○No lockout, just logging of failed attempts
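The last point above is the one a defender can act on today: meters that only log failed password attempts leave it to the collection side to notice a brute-force run. The following is an added example, not code from the presentation or from Termineter, of the detection logic a head-end or SIEM rule would apply to those logs. The log format (date, time, meter=, event=SECURITY_FAIL/SECURITY_OK) is hypothetical and the SAMPLE_LOG lines are constructed; it alerts when a meter accumulates a threshold of failures inside a sliding window and, separately, when a success follows such a burst, which is exactly the outcome a lockout would have prevented.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (hypothetical; real meter/head-end logs differ):
# "<date> <time> meter=<id> event=<SECURITY_FAIL|SECURITY_OK>"
LOG_LINE = re.compile(r"^(\S+ \S+) meter=(\S+) event=(\S+)")
FAIL_EVENTS = {"SECURITY_FAIL"}   # password rejected by the meter
SUCCESS_EVENTS = {"SECURITY_OK"}  # password accepted by the meter

SAMPLE_LOG = """\
2012-08-01 10:00:01 meter=MTR-0001 event=SECURITY_FAIL
2012-08-01 10:00:02 meter=MTR-0001 event=SECURITY_FAIL
2012-08-01 10:00:03 meter=MTR-0001 event=SECURITY_FAIL
2012-08-01 10:00:04 meter=MTR-0001 event=SECURITY_FAIL
2012-08-01 10:00:05 meter=MTR-0001 event=SECURITY_FAIL
2012-08-01 10:00:06 meter=MTR-0001 event=SECURITY_FAIL
2012-08-01 10:00:10 meter=MTR-0001 event=SECURITY_OK
2012-08-01 10:05:00 meter=MTR-0002 event=SECURITY_FAIL
2012-08-01 10:05:30 meter=MTR-0002 event=SECURITY_OK
2012-08-01 10:10:00 meter=MTR-0003 event=SECURITY_FAIL
2012-08-01 10:12:00 meter=MTR-0003 event=SECURITY_FAIL
2012-08-01 10:14:00 meter=MTR-0003 event=SECURITY_FAIL
2012-08-01 10:16:00 meter=MTR-0003 event=SECURITY_FAIL
2012-08-01 10:18:00 meter=MTR-0003 event=SECURITY_FAIL
"""


def parse_line(line):
    """Return (timestamp, meter id, event) or None for lines that do not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert once per burst when a meter's failures inside the sliding window
    reach the threshold, and again if a success arrives while the burst is live."""
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)  # meter -> failure timestamps inside the window
    alerted = set()                       # meters already alerted for the current burst
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, meter, event = parsed
        recent = recent_failures[meter]
        while recent and ts - recent[0] > window:  # age out old failures
            recent.popleft()
        if event in FAIL_EVENTS:
            recent.append(ts)
            if len(recent) >= threshold and meter not in alerted:
                alerted.add(meter)
                alerts.append({"meter": meter, "type": "failure_burst",
                               "count": len(recent), "at": ts})
        elif event in SUCCESS_EVENTS:
            if len(recent) >= threshold:
                alerts.append({"meter": meter, "type": "success_after_burst",
                               "count": len(recent), "at": ts})
            recent.clear()  # a success ends the burst either way
            alerted.discard(meter)
        if not recent:
            alerted.discard(meter)
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

With the defaults, MTR-0001 raises a failure_burst on its fifth attempt and a success_after_burst on the logon that follows; MTR-0002 (one failure, then a success) and MTR-0003 (five failures spread two minutes apart) stay quiet. Widening the window to ten minutes is enough to catch the slow pattern on MTR-0003, so the window and threshold should be tuned to how often legitimate field tools retry.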
32. TERMINETER FUTURE
Getting this far has been a fight
Future plans include
○Zigbee integration
○Support for character sets beyond 7-bit
○Additional modules (easier access to procedures)
35. QUESTIONS & ANSWERS
Thank you for your time!
Spencer McIntyre
Email: SMcIntyre@SecureState.com
Twitter: @zeroSteiner
Termineter Homepage: http://code.google.com/p/termineter