Spencer McIntyre, SecureState
EnergySec Summit Presentation
9/19/2013
PRESENTATION
Data Classification: Public
AGENDA
Smart Meters in the “Big Picture”
Role in AMI (Advanced Metering Infrastructure)
Why attack the Meter?
Information
Access
How do we attack the meter?
Access mechanisms
Termineter Framework (w/Demo!)
ABOUT YOUR PRESENTER
Spencer McIntyre (OSCP, OSEE)
Open Source Contributor
Research lead on SecureState's Research
and Innovation team
Background/Specialization
Vulnerability & Tool development
“Special Projects”
SECURESTATE OVERVIEW
Management Consulting Firm: Specializing in Information Security
Est. 2001 – more than 11 years in business
We solve complex information security problems by using technical services to facilitate strategic decisions.
By identifying the problem in a causal relationship we can provide tactical and strategic recommendations to position our clients in achieving their SecureState.
Background
What is AMI
AMI (Advanced Metering Infrastructure)
Allows two-way communication with the meter
○ Compared to AMR, which only allows one-way communication
Allows automatic, remote readings and configuration
Today, we’re focusing on the meter component
BACKGROUND
The old days of stealing with magnets are ending
USA Today estimates $6 billion in power stolen each year
AMI is still being deployed in many locations
BACKGROUND
Why?
Assessing the Situation
Same two reasons we typically attack anything
Information
○ Control of information
Access
Consumers have physical access
Smart Meter deployments are increasing
Physical access is a security worst-case scenario
WHY ATTACK METERS?
Meters store usage information
Information can be modified to affect billing
Modification results in fraud
Usage can be profiled
○ Electric meters would be the best bet
Peak usage can identify when occupants are home or a building is in use
INFORMATION
Some meters can access the service provider’s internal network via a cellular connection
Not the case when a central unit is used to collect data
Meter has a SIM card
Requires typical SIM card settings (APN, username, password, etc.)
Either direct internet access or private network access
ACCESS
Attacker with physical access can open the meter and retrieve the SIM card
Guess/brute-force settings
APN
Username (if set)
Password (if set)
Internal network access
CASE STUDY
How?
On the Offense
At a basic level, there are two mechanisms
Wireless
○ Zigbee
○ Cellular
Wired
○ Optical Interface
Data collectors often also have a TCP/IP connection
○ Network accessible
ACCESSING METERS
What is Zigbee?
Low power/low cost wireless mesh network
Ideal for use with Smart Meters
Low power and mesh-based architecture makes it ideal
Pretty reliable
ZIGBEE
Central collector
○ Allows for single cell connection
Consumer grade devices
○ Readers
○ Thermostats
Not typically used for inter-meter communications
Mesh network does require meters to relay information
ZIGBEE
Association is dependent on a few things
○ Pairing Window
○ Encryption Key (sometimes)
Pairing window is often configured/controlled by the service provider
Not all service providers agree on an acceptable length
Ranges from 1 week to infinite
ZIGBEE ACCESS
Encryption is often available but must be enabled
Based on AES
Security types include:
○ None
○ Encrypted
○ Encrypted with authentication check
○ Unencrypted with authentication check
Keys can be negotiated/distributed
Uncommon with meters; they are often statically set by the provider
ZIGBEE ACCESS
Killerbee is invaluable for assessing the Zigbee portion
zbstumbler
○ Finding devices
zbscapy
○ Killerbee + Scapy
Offers live capturing, injection and encryption options
WEAPON OF CHOICE: KILLERBEE
ZBSCAPY
DATA COLLECTORS
Data collectors aggregate information
Often use C12.22 and are network accessible
C12.22 is still an unexplored attack surface
A combination of authentication, encryption and device IDs makes attacks difficult
Attacks are still possible, however
DATA COLLECTOR SNIFFING
Network enabled serial sniffing
No authentication required
Contacted the vendor
Meters can be accessed using a physical connection
ANSI Type-2 Optical Probe (sounds dirty)
Couple of standards in use here
C12.18
○ Defines standards for accessing data (requests/responses)
C12.19
○ Defines standards for data formats
WIRED ACCESS
Tables are broken up into “decades” based on IDs
General Configuration 0-9
Security Tables 40-49
○ Defines access permissions
History and Event Logs 70-79
Telephone/Modem Control 90-99
About 10 more defined by the C12.19-2008 Standard
C12.19 BACKGROUND
Optical Probes are expensive (~$500)
Can be created for cheaper?
Use infrared transceivers
PHYSICAL EQUIPMENT
The “Termineter” Framework provides access to meters over C12.18
Modeled after the Metasploit Framework for ease of use
Implemented in Python
Includes full C12.18 stack and C12.19 library
Released last week
Open Source (GPLv3)
http://code.google.com/p/termineter
INTRODUCTION: TERMINETER
Currently interacts with meters via a serial connection
Core features implemented as modules
14 modules in total
Modules mostly focus on reading/writing to C12.19 tables
Everything involves reading/writing to tables
Even running “Procedures”
TERMINETER: FEATURES
Included Modules:
Basic information retrieval
Brute forcing authentication
Reading/Writing to tables (low-level)
Dump tables and perform a “diff”
TERMINETER: MODULES
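The “dump and diff” idea above, combined with the C12.19 decade layout from the earlier slide, gives a defender a simple configuration-integrity check. The following is an added example, not Termineter code: the table dumps are constructed dicts of table ID to raw bytes, the decade names come from the talk, and the "needs review" rule is this example's own.

```python
# Added example (not Termineter code): compare two dumps of a meter's
# C12.19 tables, the check a "dump and diff" workflow enables. Dumps are
# constructed dicts of table ID -> bytes; decade names are from the talk.

# C12.19 groups tables into decades by ID; decades the talk does not name
# fall back to "Other".
DECADES = {
    0: "General Configuration",
    4: "Security Tables",
    7: "History and Event Logs",
    9: "Telephone/Modem Control",
}

def decade_name(table_id):
    return DECADES.get(table_id // 10, "Other")

def diff_tables(baseline, current):
    """Return (table_id, decade, kind, offset) for every table that differs.
    kind is 'added', 'removed' or 'modified'; offset is the first differing
    byte index for modified tables, None otherwise."""
    changes = []
    for tid in sorted(set(baseline) | set(current)):
        old, new = baseline.get(tid), current.get(tid)
        if old == new:
            continue
        if old is None:
            changes.append((tid, decade_name(tid), "added", None))
        elif new is None:
            changes.append((tid, decade_name(tid), "removed", None))
        else:
            # first index where the bytes disagree, or the shorter length
            off = next((i for i, (a, b) in enumerate(zip(old, new)) if a != b),
                       min(len(old), len(new)))
            changes.append((tid, decade_name(tid), "modified", off))
    return changes

def needs_review(changes):
    """Changes to access permissions (security decade) or general
    configuration (e.g. meter ID, operating mode) are the ones to chase;
    event-log tables are expected to grow between dumps."""
    return [c for c in changes if c[1] in ("Security Tables", "General Configuration")]

# Constructed sample dumps: table 5 and table 42 changed between readings;
# table 71 (event-log decade) merely grew.
BASELINE = {1: b"\x01\x02\x03", 5: b"METER-0001", 42: bytes(8), 71: bytes(16)}
CURRENT = {1: b"\x01\x02\x03", 5: b"METER-0002", 42: bytes(7) + b"\xff", 71: bytes(20)}

if __name__ == "__main__":
    for change in diff_tables(BASELINE, CURRENT):
        print(change, "<-- review" if needs_review([change]) else "")
```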
Modules require some knowledge (not quite script-kiddie ready)
Mostly of valid data to write to tables
Procedures can be tricky; check the documentation
Some modules can automate common tasks
○ Changing the Meter’s ID
○ Setting the Meter’s operating mode
TERMINETER: MODULES
Common security issues
Some table values can be modified without proper authentication (via an invalid password)
Some meters ignore the username and user ID fields when authenticating users
No lockout, just logging of failed attempts
TERMINATING WITH TERMINETER
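Since the meters described here log failed authentication attempts but never lock out, the alerting has to happen wherever those logs are collected. The following is an added example, not Termineter or vendor code; the log line format ("<ISO timestamp> <meter_id> <event> <user_id>") and the sample log are constructed for this example.

```python
# Added example (not Termineter or vendor code): the meters in the talk log
# failed authentication attempts but never lock out, so brute-force detection
# has to happen where the logs land. Log format constructed for this example:
# "<ISO timestamp> <meter_id> <event> <user_id>", event = LOGON_OK|LOGON_FAIL.
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failures within WINDOW that raise an alert
WINDOW = timedelta(minutes=10)  # sliding window, tracked per meter

def parse(line):
    ts, meter, event, user = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), meter, event, user

def detect(lines):
    """Return alerts as (meter_id, kind, detail). 'burst' fires once when
    FAIL_THRESHOLD failures land inside WINDOW; 'success_after_burst' fires
    when a logon succeeds while the burst is still in the window."""
    recent = defaultdict(deque)  # meter -> timestamps of failures in window
    alerts = []
    for line in lines:
        ts, meter, event, user = parse(line)
        fails = recent[meter]
        while fails and ts - fails[0] > WINDOW:   # expire old failures
            fails.popleft()
        if event == "LOGON_FAIL":
            fails.append(ts)
            if len(fails) == FAIL_THRESHOLD:      # fire once when crossing
                alerts.append((meter, "burst", f"{len(fails)} failures since {fails[0]}"))
        elif event == "LOGON_OK":
            if len(fails) >= FAIL_THRESHOLD:
                alerts.append((meter, "success_after_burst",
                               f"user {user} logged on after {len(fails)} failures"))
            fails.clear()                         # a good logon resets the meter
    return alerts

# Constructed sample log: meter 1001 is brute forced and then a logon succeeds;
# meter 2002 shows a single mistyped password followed by a normal logon.
SAMPLE_LOG = """\
2013-09-19T10:00:01 1001 LOGON_FAIL 1
2013-09-19T10:00:02 1001 LOGON_FAIL 1
2013-09-19T10:00:03 1001 LOGON_FAIL 1
2013-09-19T10:00:04 1001 LOGON_FAIL 1
2013-09-19T10:00:05 1001 LOGON_FAIL 1
2013-09-19T10:00:06 1001 LOGON_OK 1
2013-09-19T10:01:00 2002 LOGON_FAIL 2
2013-09-19T10:01:30 2002 LOGON_OK 2
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```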
Let the demos begin!
TERMINETER DEMO
Getting this far has been a fight
Future plans include
Zigbee integration
Support for character sets beyond 7-bit
Additional modules
○ Easier access to procedures
TERMINETER FUTURE
References
Killerbee: http://code.google.com/p/killerbee
ANSI C12.18 Standard
ANSI C12.19 Standard
Thank you for your time!
Spencer McIntyre
Email: [email protected]
Twitter: @zeroSteiner
Termineter Homepage: http://code.google.com/p/termineter
QUESTIONS & ANSWERS