OT-How to hack smart meters

Worried about the security of the Smart Grid? You should be. Security researchers warn that the Smart Grid could become a hacker's playground. As proof, here are four ways the Smart Grid can be hacked.
Technology Review has an excellent article outlining ways in which the Smart Grid is vulnerable. Here, based on the article, are four ways it can be hacked via the smart meters that will be in businesses and people's homes.
Attack Smart Meter RAM
The article says that security researcher Travis Goodspeed warns that attackers will be able to hack directly into smart meter RAM, and by doing that, get free rein. It sounds a little James Bond-ish, but here's how the article claims it can be done:
If the meter hasn't been built with protective features, a hacker can use syringes to insert a needle into each side of the device's memory chip. The needle serves as a probe to intercept the electrical signals in the memory chip. By analyzing these signals, the hacker can deduce the device's programming. Even if the meter includes security features, he says, it may be possible to extract the information using customized tools.
Hack the Meter's Digital Radio
Goodspeed says a similar technique to RAM-hacking can be used to get command of the smart meter's radio, and from there, launch attacks on the grid itself. Here's what the article says:
The smart meter's two-way radio chip allows the device to be read remotely and to receive commands over the network. The software in the chip contains security codes that an attacker who's cracked the meter's programming can use to get on the network and begin issuing commands. Goodspeed has shown that the codes can be extracted using syringes in a process similar to the attack on the memory.
Hack the Meter Wirelessly
The article says that David Baker, director of services for security firm IOActive, warns that hackers can get into the meter via its wireless networking device for communicating with the network:
An attacker can use a software radio, which can be programmed to emulate a variety of communications devices, to listen in on wireless communications with the network and deduce over time how to communicate with the meters. Another method, Baker says, is to attack the hardware. An attacker could steal a meter from the side of a house and reverse-engineer it. This method, he says, while inexpensive, does require a good knowledge of integrated circuits.
Spread Malware Throughout the Network
Baker says that once someone has gotten access to a smart meter's programming, he could easily launch a worm or other malware to attack the network itself, other smart meters, and other devices attached to the grid. In fact, Baker has already demonstrated that it can be done, the article says:
To demonstrate his attack, Davis crafted a piece of malware that could self-replicate to other meters, allowing an attacker to shut them down remotely. In simulations, Davis showed that if his worm were released in an area where all the houses were equipped with the same brand of meter, the worm could spread to 15,000 homes in the space of 24 hours.
Read more: http://www.greenbiz.com/blog/2009/09/01/four-ways-hack-smart-grid#ixzz0sBjDNb6o
Best Regards Tom.

The system used for cars: http://en.wikipedia.org/wiki/KeeLoq
jsw

Okay, consider a house with a service attached to the house. Someone can jam a pin through L1 and L2 above and below the meter and run a jumper between both.
I have no idea of what the drop across the meter is but even a small jumper could steal a significant amount of electricity w/o getting into technology.
Hell I could have free cable if I cut the isolator from the underground run from the pole. They put a coupler that doesn't connect when you drop service. I have Dish, screw cable.
Thieves don't have to be high tech.
Wes -- "Additionally as a security officer, I carry a gun to protect government officials but my life isn't worth protecting at home in their eyes." Dick Anthony Heller

I think the guy is referring more to terrorist-type attacks, not just stealing electricity.

Oh, I see I missed the point.
As far as ter ror ist type at tac ks. Acc urate rif le, trans mis sion line in open country, sh oot in su lat ors. I'll stop now, I've had many ideas on how they could sc rew us and I don't want to go any further. I hope our pro tect ors have as much imagi nation as I do.
I figure I let a no brainer out but those weird spaces are intentional. I love my cou ntry and don't want it to see har m.
Wes

I think you mean DOS (Denial Of Service)

No, they will just do what they do now when they can not read a meter: bill you the same as last month, and catch up the difference next month. Longer term, they would just go out and manually access the meter.

It is not the digital vs analog that has the higher security; it is the "connected" versus "not connected" that provides the security.
jk
Azotic wrote:

--
Anyone wanting to run for any political office in the US should have to
have a DD214, and a honorable discharge.

Without addressing any of the rest of this (I really must confess an embarrassing lack of knowledge of the subject), it's hilarious that the author thinks that reverse engineering a meter "does require a good knowledge of integrated circuits" while it's perfectly plausible to him that "a hacker can use syringes to insert a needle into each side of the device's memory chip."
Not that it's impossible to probe the guts of a chip, but I'm gonna guess that the writer of this article doesn't know much about electronics.
BTW, there have also been widely publicized hacks on Diebold voting machines - those are at least as scary as the ones suggested here, and nobody has done a thing about them.
Just sayin' is all.

Only if they can generate the correct code, which can be different each time. As a simple example it could be entries in a table of trigonometric functions, so recording one doesn't tell you the next unless you know which table they used and the pattern from one to the next, like skip down the Julian date MOD 13 etc. This is a more complex implementation of a password and the same defenses work, such as 3 successive failures and you are blocked and reported. Keyless car locks and garage door openers still offer good security. Their low power and short range makes covert interception risky.
The security system can be made as safe as cost and operator training allow. Look at the security record of ATM cards.
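An added example (my own code, not from the thread) of the rolling-code idea in the post above, modelled on a counter-based remote such as KeeLoq: each press yields a fresh code, a recorded code replayed later is rejected, and three straight failures lock the receiver. The shared secret and the window size are constructed for the demo.

```python
import hashlib
import hmac


def rolling_code(key: bytes, counter: int) -> bytes:
    """One press = keyed hash of the press counter, so every code differs and cannot
    be predicted without the shared secret (HMAC stands in for the cipher)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Transmitter:
    """Key fob / garage remote: holds the shared secret and a press counter."""

    def __init__(self, key: bytes) -> None:
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1
        return rolling_code(self.key, self.counter)


class Receiver:
    """Accepts only codes for counters a little ahead of the last accepted one (the
    window tolerates presses out of range) and locks after three failures in a row."""

    WINDOW = 16          # constructed value; real products differ
    MAX_FAILURES = 3     # the lockout threshold suggested in the post

    def __init__(self, key: bytes) -> None:
        self.key, self.last_counter, self.failures, self.locked = key, 0, 0, False

    def accept(self, code: bytes) -> bool:
        if self.locked:
            return False
        for ctr in range(self.last_counter + 1, self.last_counter + 1 + self.WINDOW):
            if hmac.compare_digest(rolling_code(self.key, ctr), code):
                self.last_counter, self.failures = ctr, 0   # never accept ctr again
                return True
        self.failures += 1
        self.locked = self.failures >= self.MAX_FAILURES
        return False


def demo() -> dict:
    """Constructed scenario: genuine press, replay of the recorded code, another
    genuine press, then replays until lockout, then a genuine press while locked."""
    key = b"constructed-demo-secret"              # constructed shared secret
    fob, gate = Transmitter(key), Receiver(key)
    recorded = fob.press()                        # eavesdropper records this code
    result = {"genuine": gate.accept(recorded), "replay": gate.accept(recorded)}
    result["next_press"] = gate.accept(fob.press())
    replays = [gate.accept(recorded) for _ in range(Receiver.MAX_FAILURES)]
    result["locked_out"] = gate.locked and not any(replays)
    result["genuine_after_lockout"] = gate.accept(fob.press())
    return result
```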

I've done my time on these probe stations, poking around inside prototype ICs at Unitrode:
http://www.lerner.ccf.org/bme/biomems/images/KarlSuss1.jpg
The silicon wafer goes on the mushroom pedestal, which is a vacuum chuck. The blocks with micrometer knobs on the back scattered around the rim each position one tungsten probe needle, normally used to contact the bonding wire pads, but you can blast through the SiN passivation with a laser and touch the top layer of metallization if - really - necessary.
http://www.remingtontest.com/images/image_uploads/micromanipulator-6200-Micromanipulator-manual_probe_station-74-2_large.jpg
http://www.a3pics.com/data/measurement_prober.jpg
The bonding wire pads correspond to package pins or leads, which the hacker might contact with the wire in the syringe needle I suppose, using the rubber plunger as a spring. The hardest part is holding the needle in place at an awkward angle and making contact without gouging the board from excess pressure or shorting to the adjacent leads. It's easier (relatively speaking) to solder a piece of fine magnet wire onto the pin's pad or a nearby via (hole).
Then the hacker could record the data pattern passing between that lead and the circuit board. Potting the board in epoxy makes this approach extremely difficult.
Poking around INSIDE the IC to reverse engineer it is possible but orders of magnitude more difficult, takes different equipment, and I'm not saying more. I needed a whole year to completely understand the device.
Programmable devices may have an access code or even a physical fuse you can blow which blocks external access to the memory after you have loaded the code.
jsw

Supposedly, meters use Public Key cryptography.
http://certicomcenterofexcellence.com/faq.php
With the build out of two way communication between the meter and the utility, utility companies recognized the need for stronger security for utility to meter communications. Public-key algorithms create a mechanism for sharing keys among large numbers of meters or endpoints in a complex meter data management system.
Public Key cryptography allows utilities to securely control and manage individual meters. One of the major benefits of a PKI in metering is that if a meter key gets compromised, only that individual meter is compromised. PKI brings other major benefits such as:
Strong Mutual Authentication
Non-repudiation
Key agreement for session confidentiality
Communication systems that rely on a single network key for encryption and decryption (symmetric key cryptography) run the risk of compromising the entire network if a key is lost or stolen. The risk associated with managing this type of network becomes unacceptable as the number of endpoints increases.
PKC is very basic stuff in 2010 -- I used it in 1995 when pgp was already popular -- and it is now well known and well implemented. If properly done, the meters do not know the private key of the utility, or other meters, and cannot possibly compromise anything besides information of that one compromised meter.

public key cryptography makes this art into a science.

http://www.remingtontest.com/images/image_uploads/micromanipulator-6200-Micromanipulator-manual_probe_station-74-2_large.jpg
But all the hacker could discover is the private key of that meter.
So then, after expending enormous effort stealing that meter, and compromising it in a very obvious way, all the hacker might get, at best, is a way to send false information about that one meter.
Not really much for the effort.

Much more likely would be leaking of the proprietary information by employees, which, if all PK stuff was done correctly, would not amount to much. That happened to other things like DVD CSS keys and Bluray and such, but those never utilised public keys because of a different use model.
i
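An added example (my own, not the thread's or Certicom's) of the blast-radius point argued above: with one network-wide key, the key pulled out of a single stolen meter lets an attacker speak for every meter, while with one key per meter it covers only the meter it came from. HMAC from the standard library stands in for the per-meter keys, since the property shown is key scoping rather than the asymmetric algorithm itself; meter ids and readings are constructed.

```python
import hashlib
import hmac
import secrets


def tag_reading(key: bytes, meter_id: str, kwh: int) -> str:
    """Authentication tag over one reading. A real deployment would sign with the
    meter's private key; HMAC models 'only the holder of this key can produce it'."""
    return hmac.new(key, f"{meter_id}:{kwh}".encode(), hashlib.sha256).hexdigest()


class HeadEnd:
    """Utility side. shared=True gives every meter the same network key (the single
    symmetric key design the FAQ warns about); shared=False gives each its own."""

    def __init__(self, meter_ids: list, shared: bool) -> None:
        if shared:
            network_key = secrets.token_bytes(32)
            self.keys = {m: network_key for m in meter_ids}
        else:
            self.keys = {m: secrets.token_bytes(32) for m in meter_ids}

    def verify(self, meter_id: str, kwh: int, tag: str) -> bool:
        key = self.keys.get(meter_id)
        return key is not None and hmac.compare_digest(tag_reading(key, meter_id, kwh), tag)


def forgeable_meters(shared: bool) -> list:
    """Constructed scenario: four meters; the attacker has extracted the key from meter
    m1 by the physical probing discussed in the thread. Returns the meters whose
    readings the head end will now accept from the attacker with that one key."""
    meters = ["m1", "m2", "m3", "m4"]
    head_end = HeadEnd(meters, shared)
    stolen_key = head_end.keys["m1"]
    fake_kwh = 0                                    # attacker reports zero consumption
    return [m for m in meters
            if head_end.verify(m, fake_kwh, tag_reading(stolen_key, m, fake_kwh))]


def genuine_and_tampered(shared: bool) -> tuple:
    """A genuine reading verifies; the same tag with an altered reading does not."""
    head_end = HeadEnd(["m1", "m2"], shared)
    tag = tag_reading(head_end.keys["m2"], "m2", 1234)
    return head_end.verify("m2", 1234, tag), head_end.verify("m2", 1, tag)
```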
On Jun 29, 12:25am, Ignoramus28517 <ignoramus28...@NOSPAM. 28517.invalid> wrote:

Here is another commonly used technology suitable for a system with a huge number of users: http://en.wikipedia.org/wiki/NLFSR The RFID section mentions the spy device of Leon Theremin: http://en.wikipedia.org/wiki/RFID Coincidentally the current "History Detectives" has a piece on him and shows the device, which the US revealed after the U2 incident.
jsw
You got me interested in this.
After reading a little bit, it would seem that "hacking the meters" is much more in the realm of fantasy than something that can be done remotely on a wholesale basis.
http://freaklabs.org/index.php/Blog/Misc/Clearing-the-Air-About-Hacking-Into-The-Smart-Grid.html
The attacks described amount to me finding out your address, stealing your meter, stealing the code from SPI bus. That bus normally is not even exposed, so I would have to ruin your meter with a "syringe", all the while hoping that you do not notice your stolen meter (and no electricity). And what do I get from it? Very little, as I would not even be able to join the power meter network or fake output from other meters.
Hacking someone's home network is likely much easier. I have enough scripts that I usually crack a WEP network in under 10 minutes.
i

http://freaklabs.org/index.php/Blog/Misc/Clearing-the-Air-About-Hacking-Into-The-Smart-Grid.html
I don't think anyone's gonna hack chips; you get in through the transmitter and take control of the meter that way.
All you need now is the SDK from the chip makers to steer you in the right direction. I haven't checked, but you might be able to download the software from the manufacturers' websites.
Rick Merritt EE Times (06/07/2010 12:01 AM EDT)
SAN JOSE, Calif. - Arch Rock is releasing a software stack based on Internet Protocol standards for a new generation of radio chips aimed at smart meters. Analog Devices Inc. and Texas Instruments are expected to make the chips that will create neighborhood wireless mesh networks linking smart meters to utility networks. The chips will be based on the IEEE 802.15.4g and .4e standards. They aim to replace largely proprietary radios, typically in sub-gigahertz bands, used in current smart meters.
Arch Rock's PhyNet-Grid software supports a range of standards. They include the 6LoWPAN, Roll and CoRE specifications from the Internet Engineering Task Force. The software also supports XML and EXI standards from the World Wide Web Consortium to deliver Web services over power and bandwidth constrained networks.
http://www.eetimes.com/news/latest/showArticle.jhtml?articleID "5402030
Best Regards
Tom.

Polytechforum.com is a website by engineers for engineers. It is not affiliated with any of manufacturers or vendors discussed here. All logos and trade names are the property of their respective owners.