OT-How to hack smart meters

Worried about the security of the Smart Grid? You should be. Security researchers warn that the Smart Grid could become a hacker's playground. As proof, here are four ways the Smart Grid can be hacked.

Technology Review has an excellent article outlining ways in which the Smart Grid is vulnerable. Here, based on the article, are four ways it can be hacked via the smart meters that will be in businesses and people's homes.

Attack Smart Meter RAM

The article says that security researcher Travis Goodspeed warns that attackers will be able to hack directly into smart meter RAM, and by doing that, get free reign. It sounds a little James Bond-ish, but here's how the articles claims says it can be done:

If the meter hasn't been built with protective features, a hacker can use syr The smart meter's two-way radio chip allows the device to be read remotely and to receive commands over the network. The software in the chip contains security codes that an attacker who's cracked the meter's programming can use to get on the network and begin issuing commands. Goodspeed has shown that the codes can be extracted using syringes in a process similar to the attack on the memory. Hack the Meter Wirelessly

The article says that David Baker, director of services for security firm IOActive, warns that hackers can get into the meter via its wireless networking device for communicating with the network:

An attacker can use a software radio, which can be programmed to emulate a variety of communicati To demonstrate his attack, Davis crafted a piece of malware that could self-replicate to other meters, allowing an attacker to shut them down remotely. In simulations, Davis showed that if his worm were released in an area where all the houses were equipped with the same brand of meter, the worm could spread to 15,000 homes in the space of 24 hours

Read more:

formatting link
Best Regards Tom.

--- news://freenews.netfront.net/ - complaints: snipped-for-privacy@netfront.net ---

Reply to
Azotic
Loading thread data ...

The system used for cars:

formatting link
jsw

Reply to
Jim Wilkins

Okay, consider a house with a service attached to the house. Some one can jamn a pin through L1 and L2 above and below the meter and run a jumper between both.

I have no idea of what the drop across the meter is but even a small jumper could steal a significant amount of electricity w/o getting into technology.

Hell I could have free cable if I cut the isolator from the underground run from the pole. They put a coupler that doesn't connect when you drop service. I have Dish, screw cable.

Thieves don't have to be high tech.

Wes

-- "Additionally as a security officer, I carry a gun to protect government officials but my life isn't worth protecting at home in their eyes." Dick Anthony Heller

Reply to
Wes

Without addressing any of the rest of this (I really must confess an embarassing lack of knowledge of the subject), it's hilarious that the author thinks that reverse engineering a meter "does require a good knowledge of integrated circuits" while it's perfectly plausible to him that "a hacker can use syringes to insert a needle into each side of the device's memory chip."

Not that it's impossible to probe the guts of a chip, but I'm gonna guess that the writer of this article doesn't know much about electronics.

BTW, there have also been widely publicized hacks on Diebold voting machines - those are at least as scary as the ones suggested here, and nobody has done a thing about them.

Just sayin' is all.

Reply to
rangerssuck

You got me interested in this.

After reading a little bit, it would seem that "hacking the meters" is much more in the realm of fantasy than something that can be done remotely on a wholesale basis.

formatting link
The attacks described amount to me finding out your address, stealing your meter, stealing the code from SPI bus. That bus normally is not even exposed, so I would have to ruin your meter with a "syringe", all the while hoping that you do not notice your stolen meter (and no electricity). And what do I get from it? Very little, as I would not even be able to join the power meter network or fake output from other meters.

Hacking someone's home network is likely much easier. I have enough scripts that I usually crack a WEP network in under 10 minutes.

i
Reply to
Ignoramus28517

can jamn a pin

er could steal a

un from the pole.

Dish, screw cable.

I think the guy is referring more to terrorist-type attacks, not just stealing electricity.

Reply to
rangerssuck

Thieves are not the the problem, they all eventually get caught.

Consider a hacker takes control of the wireless transmitter in each meter in a city and sets them to transmit continously. Whats gonna happen to the reciever at the power company ? A DNS of sorts ? Will the power company give away unbillabe power or will they shut it down while they try various fixes ?

Analog meters provide a degree of security the digitals cant.

Best Regards Tom.

--- news://freenews.netfront.net/ - complaints: snipped-for-privacy@netfront.net ---

Reply to
Azotic

formatting link

I dont think anyones gonna hack chips, you get in thru the transmitter and take control of meter that way.

All you need now is the SDK from the chip makers to steer you in the right direction. I havent checked but you might be able to download the sofware form the manufactures websites.

Rick Merritt EE Times (06/07/2010 12:01 AM EDT)

SAN JOSE, Calif. - Arch Rock is releasing a software stack based on Internet Protocol standards for a new generation of radio chips aimed at smart meters. Analog Devices Inc. and Texas Instruments are expected to make the chips that will create neighborhood wireless mesh networks linking smart meters to utility networks. The chips will be based on the IEEE 802.15.4g and .4e standards. They aim to replace largely proprietary radios, typically in sub-gigahertz bands, used in current smart meters.

Arch Rock's PhyNet-Grid software supports a range of standards. They include the 6LoWPAN, Roll and CoRE specifications from the Internet Engineering Task Force. The software also supports XML and EXI standards from the World Wide Web Consortium to deliver Web services over power and bandwidth constrained networks.

formatting link
Best Regards

Tom.

begin 666 spacer.gif M1TE&.#EA`0`!`)'_`/___P```,# P ```"'Y! $```(`+ `````!``$`0 (" $5 $`.P`` ` end

Reply to
azotic

Only if they can generate the correct code, which can be different each time. As a simple example it could be entries in a table of trigonometric functions, so recording one doesn't tell you the next unless you know which table they used and the pattern from one to the next, like skip down the Julian date MOD 13 etc. This is a more complex implementation of a password and the same defenses work, such as 3 successive failures and you are blocked and reported. Keyless car locks and garage door openers still offer good security. Their low power and short range makes covert interception risky.

The security system can be made as safe as cost and operator training allow. Look at the security record of ATM cards.

I've done my time on these probe stations, poking around inside prototype ICs at Unitrode:

formatting link
silicon wafer goes on the mushroom pedestal, which is a vacuum chuck, The blocks with micrometer knobs on the back scattered around the rim each position one tungsten probe needle, normally used to contact the bonding wire pads, but you can blast through the SiN passivation with a laser and touch the top layer of metallization if - really- necessary.
formatting link
The bonding wire pads correspond to package pins or leads, which the hacker might contact with the wire in the syringe needle I suppose, using the rubber plunger as a spring. The hardest part is holding the needle in place at an awkward angle and making contact without gouging the board from excess pressure or shorting to the adjacent leads. It's easier (relatively speaking) to solder a piece of fine magnet wire onto the pin's pad or a nearby via (hole).

Then the hacker could record the data pattern passing between that lead and the circuit board. Potting the board in epoxy makes this approach extremely difficult.

Poking around INSIDE the IC to reverse engineer it is possible but orders of magnitude more difficult, takes different equipment, and I'm not saying more. I needed a whole year to completely understand the device.

Programmable devices may have an access code or even a physical fuse you can blow which blocks external access to the memory after you have loaded the code.

jsw

Reply to
Jim Wilkins

Supposedly, meters use Public Key cryptography.

formatting link
With the build out of two way communication between the meter, and the utility, utility companies recognized the need for stronger security for utility to meter communications. Public-key algorithms create a mechanism for sharing keys among large numbers of meters or endpoints in a complex meter data management system.

Public Key cryptography allows utilities to securely control, and manage individual meters. One of the major benefits of a PKI in metering is that if a meter key gets compromised, only that individual meter is compromised. PKI brings other major benefits such as:

Strong Mutual Authentication Non-repudiation Key agreement for session confidentiality Communication systems that rely on a single network key for encryption and decryption (symmetric key cryptography) run the risk of compromising the entire network if a key is lost or stolen. The risk associated with managing this type of network becomes unacceptable as the number of endpoints increase.

PKC is a very basic stuff in 2010 -- I used it in 1995 when pgp was already popular -- and it is now well known and well implemented. If properly done, the meters do not know the private key of the utility, or other meters, and cannot possibly compromise anything besides information of that one compromised meter.

public key cryptography makes this art into a science.

formatting link
formatting link

But all the hacker could discover is the private key of that meter.

So then, after expending enormous effort stealing that meter, and compromising it in a very obvious way, all the hacker might get, at best, is a way to send false information about that one meter.

Not really much for the effort.

much more likely would be leaking of the proprietary information by employees, which, if all PK stuff was done correctly, would not amount to much. That happened to other things like DVD CSS keys and Bluray and such, but those never utilised public keys becsue of a different use model.

i
Reply to
Ignoramus28517

Here is another commonly used technology suitable for a system with a huge number of users:

formatting link
RFID section mentions the spy device of Leon Theremin:
formatting link
the current "History Detectives" has a piece on him and shows the device, which the US revealed after the U2 incident.

jsw

Reply to
Jim Wilkins

I think you mean DOS (Denial Of Service)

No they will just do what they do now when they can not read a meter. Bill you the same as last month, and catch up the difference next month, longer term, they would just go out an manually access the meter.

It is not the digital vs analog that has the higher security it is the "connected" versus "not connected" that provides the security.

- news://freenews.netfront.net/ - complaints: snipped-for-privacy@netfront.net ---

jk

Reply to
jk

Oh, I see I missed the point.

As far as ter ror ist type at tac ks. Acc urate rif le, trans mis sion line in open country, sh oot in su lat ors. I'll stop now, I've had many ideas on how they could sc rew us and I don't want to go any further. I hope our pro tect ors have as much imagi nation as I do.

I figure I let a no brainer out but those weird spaces are intentional. I love my cou ntry and don't want it to see har m.

Wes

Reply to
Wes

The transponder in the meter has a limited range. Your idea of a city and mine are quite different.

Reply to
Michael A. Terrell

PolyTech Forum website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.