Presented by: Spencer McIntyre, SecureState Abstract: Smart Meter Security is a growing topic in the security industry that hasn’t been discussed to its full potential. This presentation will discuss the types of vulnerabilities that have been found in Smart Meters, and give examples from real world assessments we’ve conducted. Different methods of accessing the meter will be presented such as over the optical interface and the Zigbee wireless radio. In addition, we will discuss a testing methodology we’ve developed which covers Smart Meter testing with the open source Termineter framework developed by the presenter. Finally a live demonstration of the attacks that were discussed will be performed on a real Smart Meter during the presentation for the audience. Finally the newest features in the Termineter framework will be discussed including the support for connecting to Meters over TCP/IP networks using C12.22. Audience members will leave the presentation with a detailed understanding of the types of vulnerabilities that affect smart meters and how they can be leveraged by an attacker.

1. Spencer McIntyre, SecureState
EnergySec Summit Presentation
9/19/2013
PRESENTATION

2. Data Classification: Public
AGENDA
 Smart Meters in the “Big Picture”
 Role in AMI (Advanced Metering Infrastructure)
 Why attack the Meter?
 Information
 Access
 How do we attack the meter?
 Access mechanisms
 Termineter Framework (w/Demo!)
2

3. Data Classification: Public
ABOUT YOUR PRESENTER
 Spencer McIntyre (OSCP, OSEE)
Open Source Contributor
 Research lead on SecureState's Research
and Innovation team
 Background/Specialization
 Vulnerability & Tool development
 “Special Projects”
3

4. Data Classification: Public
SECURESTATE OVERVIEW
Management Consulting Firm: Specializing in Information Security
Est. 2001 – more than 11 years in business
We solve complex information security problems by using technical
services to facilitate strategic decisions.
By identifying the problem in a causal relationship we can provide
tactical and strategic recommendations to position our clients in
achieving their SecureState.
4

5. Background
5

6. What is AMI
AMI (Advanced Metering Infrastructure)
Allows two way communication with the meter
○Compared to AMR which only allows for one
way communication
Allows automatic, remote readings and
configuration
Today, we’re focusing on the meter component
6
BACKGROUND

7. The old days of stealing
with magnets are ending
USA Today estimate $6
billion in power stolen
each year
AMI is still being
deployed in many
locations
7
BACKGROUND

8. Why?
Assessing the Situation
8

9. Same two reasons we typically attack
anything
Information
○Control of information
Access
Consumers have physical access
Smart Meters deployments are increasing
Physical access is a security worst-case scenario
9
WHY ATTACK METERS?

10. Meters store usage information
Information can be modified to affect
billing
Modification results in fraud
Usage can be profiled
Electric meters would be best bet
Peak usage can identify when occupants are
home or building is in use
1
0 INFORMATION

11. Some meters can access the service
provider’s internal network via Cellular
connection
Not the case when a central unit is used to
collect data
Meter has a SIM card
Requires typical SIM card settings (APN,
username, password, etc.)
Either direct internet access or private
network access
1
1 ACCESS

12. Attacker with physical
access can open the meter
and retrieve the SIM card
Guess/Bruteforce Settings
APN
Username (if set)
Password (if set)
Internal network access
1
2 CASE STUDY

13. How?
On the Offense
1
3

14. At a basic level, there are two mechanisms
Wireless
○Zigbee
○Cellular
Wired
○Optical Interface
Data collectors often also have TCP/IP
connection
○Network accessible
1
4 ACCESSING METERS

15. What is Zigbee?
Low power/Low cost
wireless mesh network
Ideal for use with
Smart Meters
Low power and mesh-
based architecture
makes it ideal
Pretty reliable
1
5 ZIGBEE

16. Central collector
Allows for single cell
connection
Consumer grade devices
Readers
Thermostats
Not typically used for inter-
meter communications
Mesh network does require
meters to relay information
1
6 ZIGBEE

17. Association is dependent on a few things
Pairing Window
Encryption Key (sometimes)
Pairing window is often
configured/controlled by the service
provider
Not all service providers agree on acceptable
length
Ranges from 1 week to infinite
1
7 ZIGBEE ACCESS

18. Encryption is often available but must be
enabled
Based on AES
Security types include:
○None
○Encrypted
○Encrypted with authentication check
○Unencrypted with authentication check
Keys can be negotiated/distributed
Uncommon with meters, they are often
statically set by the provider
1
8 ZIGBEE ACCESS

19. Killerbee is invaluable for assessing the
Zigbee portion
zbstumbler
Finding devices
zbscapy
Killerbee + Scapy
Offers live capturing, injection and encryption
options
1
9 WEAPON OF CHOICE: KILLERBEE

20. 2
0 ZBSCAPY

21. 21
DATA COLLECTORS
Data collectors aggregate information
Often use C12.22 and are network
accessible
C12.22 is still an unexplored attack
surface
A combination of authentication, encryption and device IDs make
attacks difficult
Attacks are still possible however

22. 22
DATA COLLECTOR SNIFFING
Network enabled serial
sniffing
No authentication
required
Contacted the vendor

23. Meters can be accessed using a physical
connection
ANSI Type-2 Optical Probe (sounds dirty)
Couple of standards in use here
C12.18
○Defines standards for accessing data
(requests/responses)
C12.19
○Defines standards for data formats
2
3 WIRED ACCESS

24. Tables are broken up into “decades”
based on IDs
General Configuration 0-9
Security Tables 40-49
○Defines access permissions
History and Event Logs 70-79
Telephone/Modem Control 90-99
About 10 more defined by C12.19-2008
Standard
2
4 C12.19 BACKGROUND

25. Optical Probes are
expensive (~$500)
Can be created for
cheaper?
Use infrared
transceivers
2
5 PHYSICAL EQUIPMENT

26. The “Termineter” Framework provides
access to meters over C12.18
Modeled after the Metasploit Framework
for ease of use
Implemented in Python
Includes full C12.18 stack and C12.19 library
Released last week
Open Source (GPLv3)
http://code.google.com/p/termineter
2
6 INTRODUCTION: TERMINETER

27. Currently interacts with meters via a
serial connection
Core features implemented as modules
14 modules in total
Modules mostly focus on reading/writing
to C12.19 tables
Everything involves reading/writing to
tables
Even running “Procedures”
2
7 TERMINETER: FEATURES

28. Included Modules:
Basic information
retrieval
Brute forcing
authentication
Reading/Writing to
tables (low-level)
Dump tables and
perform a “diff”
2
8 TERMINETER: MODULES

29. Modules require some knowledge (not quite
script-kiddie ready)
Mostly of valid data to write to tables
Procedures can be tricky, check the
documentation
Some modules can automate common
tasks
Changing the Meter’s ID
Setting the Meter’s operating mode
2
9 TERMINETER: MODULES

30. Common security issues
Some table values can be modified without
proper authentication (via invalid password)
Some meters ignore username and user ID field
with authenticating users
No lock out, just logging of failed attempts
3
0 TERMINATING WITH TERMINETER

31. Let the demos begin!
3
1 TERMINETER DEMO

32. Getting this far has been a fight
Future plans include
Zigbee integration
Support for character sets beyond 7-bit
Additional modules
○Easier access to procedures
3
2 TERMINETER FUTURE

33. 3
3

34. References
Killerbee:
http://code.google.com/p/killerbee
ANSI C12.18 Standard
ANSI C12.19 Standard
3
4

35. Thank you for your time!
Spencer McIntyre
Email: SMcIntyre@SecureState.com
Twitter: @zeroSteiner
Termineter Homepage: http://code.google.com/p/termineter
3
5
Q U E S T I O N S
A N S W E R S