root labs rdist

February 15, 2010

Reverse-engineering a smart meter

Filed under: Embedded,Hacking,Hardware,Reverse engineering,RFID,Security — Nate Lawson @ 7:00 am

In 2008, a nice man from PG&E came out to work on my house. He installed a new body for the gas meter and said someone would come by later to install the electronics module to make it a “smart meter“. Since I work with security for embedded systems, this didn’t sound very exciting. I read up on smart meters and found they not only broadcast billing information (something I consider only a small privacy risk) but also provide remote control. A software bug, typo at the control center, or hacker could potentially turn off my power and gas. But how vulnerable was I actually?


I decided to look into how smart meters work. Since the electronics module never was installed, I called up various parts supply houses to try to buy one. They were quite suspicious, requesting company background info and letterhead before deciding if they could send an evaluation sample. Even though this was long before IOActive outed smart meter flaws to CNN, they had obviously gotten the message that these weren’t just ordinary valves or pipes.

Power, gas, and water meters have a long history of tampering attacks. People have drilled into them, shorted them out, slowed them down, and rewired them to run backwards. I don’t think I need to mention that doing those kinds of things is extremely dangerous and illegal. This history is probably why the parts supplier wasn’t eager to sell any smart meter boards to the public.

There’s always an easier way. By analyzing the vendor’s website, I guessed that they use the same radio module across product lines and other markets wouldn’t be so paranoid. Sure enough, the radio module for a water meter made by the same vendor was available on Ebay for $30. It arrived a few days later.

The case was hard plastic to prevent water damage. I used a bright light and careful tapping to be sure I wasn’t going to cut into anything with the Dremel. I cut a small window to see inside and identified where else to cut. I could see some of the radio circuitry and the battery connector.


After more cutting, it appeared that the battery was held against the board by the case and had spring-loaded contacts (see above). This would probably zeroize the device’s memory if it was cut open by someone trying to cheat the system. I applied hot glue to hold the contacts to the board and then cut away the rest of the enclosure.


Inside, the board had a standard MSP430F148 microcontroller and a metal cage with the radio circuitry underneath. I was in luck. I had previously obtained all the tools for working with the MSP430 in the Fastrak transponder. These CPUs are popular in the RFID world because they are very low power. I used the datasheet to identify the JTAG pinouts on this particular model and found the vendor even provided handy pads for them.


Since the pads matched the standard 0.1″ header spacing, I soldered a section of header directly to the board. For the ground pin, I ran a small wire to an appropriate location found with my multimeter. Then I added more hot glue to stabilize the header. I connected the JTAG cable to my programmer. The moment of truth was at hand — was the lock bit set?


Not surprisingly (if you read about the Fastrak project), the lock bit was not set and I was able to dump the firmware. I loaded it into the IDA Pro disassembler via the MSP430 CPU plugin. The remainder of the work would be to trace the board’s IO pins to identify how the microcontroller interfaced with the radio and look for protocol handling routines in the firmware to find crypto or other security flaws.

I haven’t had time to complete the firmware analysis yet. Given the basic crypto flaws in other smart meter firmware (such as Travis Goodspeed finding a PRNG whose design was probably drawn in crayon), I expect there would be other stomach-churning findings in this one. Not even taking rudimentary measures such as setting the lock bit does not bode well for its security.

I am not against the concept of smart meters. The remote reading feature could save a lot of money and dog bites with relatively minimal privacy exposure, even if the crypto was weak. I would be fine if power companies offered an opt-in remote control feature in exchange for lower rates. Perhaps this feature could be limited to cutting a house’s power to 2000 watts or something.

However, something as important as turning off power completely should require a truck roll. A person driving a truck will not turn off the mayor’s power or hundreds of houses at once without asking questions. A computer will. Remote control should not be a mandatory feature bundled with remote reading.

40 Comments

  1. “I would be fine if power companies offered an opt-in remote control feature in exchange for lower rates. Perhaps this feature could be limited to cutting a house’s power to 2000 watts or something.”

    The power company (PSE&G? I can’t remember) that serves a relatives’ house in New Jersey has been doing this for something on the order of a decade. My relatives get better electricity rates in the summer in exchange for PSE&G being able to disable their central A/C for up to two hours in peak load times. (The agreement has stated limits on how long and for how often the central A/C can be disabled for.)

    In nearly all cases, this just results in the A/C running harder during the non-disabled periods, however this is advantageous for PSE&G because they can control which A/C units are running when, as opposed to the possibility that all A/C units on the system will trip their thermostats at the same time.

    Comment by Andy — February 15, 2010 @ 10:54 am

    • Right, that’s the way I think it should work. There should be a local override so if you really want to turn your AC on, you just end up paying more. Having a remote disconnect feature is what I find most dangerous about these systems. After that, maybe forged billing records would be a secondary concern.

      Comment by Nate Lawson — February 15, 2010 @ 11:20 am

      • That seems like an alright idea from the angle you’re looking, but consider it from the POV of the average consumer. Telling them the power company can remotely disable the A/C in peak periods may go over fine, but add the “you can pay extra to turn it back on”, and now what they hear is “you’ll be charged extra to use it when you really want it”, and it goes from a good idea to a scam in their eyes.

        Comment by Rena — February 15, 2010 @ 10:22 pm

      • Rena, that is what they would opt-in for. If that’s a problem for the customer, they shouldn’t opt-in.

        Comment by Nate Lawson — February 16, 2010 @ 9:17 am

  2. We’re interested in your findings — keep us posted. We’re most interested in getting real time consumption information from meters like these. Thanks for your insights.

    Comment by Wattvision — February 15, 2010 @ 10:58 am

    • Sorry, I did this work back in November and ran out of time to reverse-engineer the firmware. There won’t be any more info released.

      Comment by Nate Lawson — February 15, 2010 @ 11:25 am

      • …because you don’t think the public should know, or because there isn’t any?

        Comment by Rena — February 15, 2010 @ 10:23 pm

      • Because if IOActive writing a worm for smart meters doesn’t change anything, nothing I do will either.

        Comment by Nate Lawson — February 16, 2010 @ 9:24 am

  3. actually remote power shutoff is one of the advertised features of these devices — that’s the whole concept in turning off some power meters or rate-limiting them to save $$…. I am not afraid of any of this — yes people will take advantage of it — and yes the neighborhood kids will be turning off your power as pranks for the first couple years — it’s a natural technology progression — don’t fear — we will get more security in the future

    although I do agree that these devices should NOT be mandatory unless the owner wants it — at least for now — although even this request is kinda going to have to change in the future

    Comment by ian — February 15, 2010 @ 2:14 pm

    • I appreciate optimism, but the author is, after all, a security researcher in the area of embedded systems. In that world, one cannot and does not embrace new applications of technology — especially when the stakes are control over our power personal supply, our usage patterns, privacy, etc. are at stake. A security researcher exposes these flaws, advises of issues, and recommends potential solutions. That is the process by which “we will get more security in the future”.

      Comment by Tom — February 15, 2010 @ 5:05 pm

      • Sorry…incomplete statment:

        …one cannot and does not embrace new applications of technology without careful deliberation and, yes, skepticism.

        Comment by Tom — February 15, 2010 @ 5:06 pm

    • Don’t fear? Sure, but why not fix it too?

      Comment by Nate Lawson — February 16, 2010 @ 9:27 am

    • Remote shutoff is a key aspect of these systems – they have been fairly heavily marketed to power companies and consumers. Consumer saves a bit of $$$, power company needs to build less plants, hackers get new things to own.

      Comment by Jolly — February 16, 2010 @ 1:59 pm

  4. SDG&E here in San Diego has offered lower rates to those who would agree to have smart meters installed. I did not respond to their numerous requests and won’t until the security issues are worked out. I will not be signing up for turning control of my power over to a computer.

    Comment by Paulette — February 15, 2010 @ 7:46 pm

  5. I wonder if the the interface for your gas meter is similar to if not identical to similar electric meters by companies like Itron. http://j.mp/9ePy50

    Comment by Adam — February 16, 2010 @ 12:56 am

  6. “I expect there would be other stomach-churning findings in this one.”

    You really shouldn’t imply such things without any proof.

    Comment by steve — February 16, 2010 @ 8:15 am

    • Care to make a bet on this one, steve? I can do $10000. djb backs his code up with $500 guarantees. Do you think djb writes smart meter firmware?

      Comment by Nate Lawson — February 16, 2010 @ 9:19 am

  7. @steve: Why not? It’s a fairly safe expectation given: 1) the history of similar embedded products, and 2) the initial indication that they didn’t bother to lock the JTAG interface.

    Comment by Jordan — February 16, 2010 @ 8:40 am

  8. Unfortunately, “cutting a house’s power to 2000 watts” is not really feasible, without the fine-grained ability to turn individual appliances on/off. It is, however, possible to put “non-critical” appliance on a separate circuit and just switch that circuit – that’s often done with air-conditioners.

    By the way, the power company already has the ability to cut your power if the situation is dire enough – the difference is that without “smart meters” they can only do it at the granularity of an entire suburb (or worse).

    Comment by kme — February 28, 2010 @ 5:04 pm

    • Right. I think the ultimate goal of these systems is to link the remote control circuit of external meters to a house-area-network in order to control individual appliances.

      Comment by Nate Lawson — March 7, 2010 @ 8:52 pm

  9. Well, here in Dallas, TX, Oncor (local power bullies) installed “smart” meters against everyone’s wishes and it’s been a fiasco ever since. The installation was carried out in stages across the city, and as the meters were installed, rates soared. When it was revealed a few months later that the power company hadn’t even been receiving information from many of the meters, and so had been doing their famous “estimating your bill” trick, you should have heard the public outcry – for about a week. That’s the attention span of people today, it seems. Then they forget all about whatever the outrage was, because it’s time for American Midol or whatever crap they’re watching.

    We also received a letter from TXU Energy, offering us a special deal if we agreed to have our power lowered during the day; however, since I’m home during the day, I explained that I didn’t see that as much of a deal. I reminded them that we don’t have central a/c, just window units. They keep telling me that our electricity usage would be so much lower if we installed central air – but all of my neighbors’ bills are triple what ours is. I’m sure the utility companies would never lie to me. I mean, again.

    Comment by Swan Thompson — March 14, 2010 @ 12:54 pm

  10. I have question about my smart elec. meter. Saturday my power went off for about 2 minutes. It came back on, and I noticed a smell of smoke around my central heater. The heater would not come on, even when I raised the house temp. Finally it came on, ran for just two minutes and went off again. This happened two or three times, but after about 15 minutes it began to work normally again. It had been cold that morning, 33,and I wondered could pg&e have lowered my voltage and thus causing my heater motor to overheat? Thank you Ed N

    Comment by Ed Noonen — March 16, 2010 @ 1:04 pm

    • No, extremely unlikely. However, I recommend you contact an electrician or HVAC person immediately.

      Comment by Nate Lawson — March 17, 2010 @ 2:30 pm

    • Contact an HVAC place to inspect it, but this sounds like normal behavior — the power went out, so the heat the furnace was generating wasn’t being moved out of the furnace by the blower. The high-limit switch in the furnace was activated, and didn’t reset until the temperature dropped to safe levels.

      Comment by Dave — May 13, 2010 @ 11:04 am

      • Dave, thank you for this explanation, sounds right to me. Haven’t had any other problems since this incident. Ed

        Comment by Ed Noonen — May 13, 2010 @ 11:35 am

  11. Hey Nate,
    NYC DEP installed a water AMR in my building 5 months ago and my bill skyrocketed 200% Now let me say from the beginning I am neither interested in tampering nor have I have tampered with my meter. If these meters can be used to shut off supply can someone hack into the star rf transmitter ( I dont know if its two way) and change the reading on the meter itself. The DEP said that there was huge usage in Jan & February but then it disappeared. I’ve had it checked and there has been no leak either. I have other friends in NY who are experiencing the same close encounters of the third kind with their water meters since the amr install.
    Thanks
    Joe

    Comment by Joe S — April 11, 2010 @ 4:38 pm

    • If an attacker has the meter’s keys, he could definitely spoof false readings. However, I think the more likely culprit is ordinary billing mistakes (e.g., a typo in serial number results in you being billed for someone else’s meter).

      Smart meters don’t increase or decrease the possibility of such mistakes. They do decrease mistakes in reading (digits transposed in your usage). I’m not against smart meters in general, just the automated remote shutoff feature and poor security practices. Most people complaining about higher rates from their meters are loons.

      Comment by Nate Lawson — April 12, 2010 @ 1:22 pm

  12. How exactly does a smart meter “read” the power usage. Our electricity bill shot up by $70 dollars in one month. I traced it down to one circuit on our home. When I turn off that circuit the Kwhr drops by .600 (our average total Kwhr for all circuits is .300). I turned off all other circuits and unplugged all the devices from all the outlets on the circuit in question. It still registered .600. Just to be sure, I disconnected all the outlets on that circuit (three bedrooms). It still registers a power consumption of about .600Kwhr. This defies the laws of electricity. There is no load on the circuit, still the meter is registering a power consumption. Do smart meters read or fingerprint individual circuits in a home? Could the smart meter have recorded something in memory about a particular circuit or simply be misreading a particular circuit’s power consumption? In my case reading a power consumption, a load, when there is none? How exactly does a smart meter read and record a home’s power usage?

    Comment by Chris Bea — April 13, 2010 @ 9:36 am

    • Are you sure outlets are the only things on that circuit? What about water heaters or something else not visible at an outlet? You’d have to trace down everything that was shut off in addition to the outlets to be sure.

      You’ll note that your power meter has dials on the front in addition to the remote radio read feature. So you should be able to track it yourself and compare to the numbers the power company is reporting. Here’s how to read the dials:

      http://www.rp-l.com/meters.htm

      Here’s a good article on how both older and newer meters work. Basically, smart meters work the same as an ammeter.

      http://blogs.howstuffworks.com/2009/06/11/how-does-an-electricity-meter-work/

      Comment by Nate Lawson — April 16, 2010 @ 10:16 pm

  13. Thanks Nate. Our water heater is gas, and yes I’m sure nothing else is ocnncected to that circuit but the outlets. Also our smart electic meter (PG&E) has no dials and is all digital. It continuously displays a cumulative or to-date Kwhr usage and below that it alternates between displaying the volts (247) and the current Kwhr reading.

    Comment by Chris Bea — April 17, 2010 @ 10:48 am

    • It sounds like there is something drawing power on that circuit. I’d contact an electrician since they can save you $70/month. Perhaps it’s a high-resistance short circuit? I’d still put my money on a refrigerator, freezer, motor, or other high-draw appliance that you’re missing.

      Comment by Nate Lawson — April 20, 2010 @ 11:19 am

  14. My main problem with these smart meters is privacy. These units allow anyone with access to know what your doing most of the time. Figure you have a smart electric meter and water which with many tools from the likes of google will allow you to monitor excactly what your useing and when. Its able to determing wether you have a light bulb on and in the future what outlet its plugged into. So they whoever they end up being will be able to know about when you wake up, go to bed, watch tv, use computer, cook, open a fridge, turn on the light to the bathroom and how regular you do these things. With the smart meter on your water they can know when you flush estimateing about how long it takes to fill a tank of water to the federal law of something like 2.7L vs running water after you flush to wash your hands. Now I know most will poo poo all this and say who cares. I DO, I care because its my personal space. At some point we have to say enough is enough. I also find it funny that If you were to buy gas and they made you pay $2.50 for the first 25 gals and then a differant rate after and then of course with smart meters during peak time the rate would double, you know to shift damand I think people would be very upset and rightly so. There would be charges levied against the gas stations for price gulging. We are buying units of energy. I cant see how everyone got duped into this scam. Everyone remembers Enron but not the lesson. They were Ripping everyone off buy saying they didnt have the power and so rolling blackouts accured to force people to accept highier rates (You know to shift demand), But it was all a scam. They had the power and did the brown/black outs on purpose.

    Theres many other issues includeing health reasons since some believe that the cancer rate is much higher along cell phone towers and major power lines. Some get major headaches from WiFi which is basically all this is. I would be much more in favor of meters which simply allow a once a month reading of your power to eliminate 1000’s of jobs, I mean save the power company money (Which you know they wont pass the savings on to us)

    Comment by James — July 21, 2010 @ 8:22 pm

  15. Won’t this new ‘smart meter’ be vulnerable to a ‘mini’ EMP attack..or s reasonably powerful electro magnate? A strong magnate for that matter..Just wondering

    Comment by ron matt — August 21, 2010 @ 10:58 am

    • I don’t know what you mean about “vulnerable”. I’ll guess you mean someone can game the system to reduce their power bill.

      Power meters have had to deal with attempted cheating for as long as they’ve existed. The only thing about smart meters that makes them more vulnerable is that a software patch that underreports your usage would be much harder to detect than the physical gimmicks of the past. But the sensing technology itself is very similar to the old days and no more or less vulnerable to the old techniques.

      BTW, a hammer would be more effective than an EMP attack and less likely to burn out your toaster.

      Comment by Nate Lawson — August 22, 2010 @ 10:14 am

  16. Has anyone been able to determine the frequency the SmartMeters use to communicate with the PG&E Network Access Point and how much RF power they use? Lots of folks around here allege health effects associated with the RF signal. I suspect the power use dis low bu I haven’t been able to find the actual specifications on line. The main interest in our area is the PG&E smart electric meter.

    Thanks,

    RD

    Comment by Richard Dillman — September 9, 2010 @ 11:50 am

    • It’s in the 900 Mhz range. You can find specs for this online. The amount of power is relatively low, similar to digital cellphones, but I don’t know how much exactly.

      Comment by Nate Lawson — September 10, 2010 @ 11:59 am

  17. “There’s always an easier way. By analyzing the vendor’s website, I guessed that they use the same radio module across product lines and other markets wouldn’t be so paranoid. Sure enough, the radio module for a water meter made by the same vendor was available on Ebay for $30. It arrived a few days later”

    Could you please tell me the site (and of course, the RF module)!
    what about the power supply?
    for hardware hacking, can we find the whole schematic?

    Comment by j.mod — September 14, 2010 @ 9:35 pm

    • No, I’ve decided not to give out more details. Suffice to say, there are a lot of security flaws in the firmware and helping hackers turn off my gas is not something I am going to do.

      Comment by Nate Lawson — September 21, 2010 @ 7:39 am

      • So, you mean we have to open our module!!! Or it doesn’t help?

        Comment by j.mod — September 21, 2010 @ 10:50 pm

  18. Can you tell me — apart from the electronic broadcasting and registering circuitry — how is the power itself measured. In other words: what sensing device is used in these “smart meters” to measure the power (or energy over time) used? Do these meters still use little electric motors or do they perhaps use nonmoving elements?

    I heard that one can monitor his consumption via internet — is this true and, if so, how?

    Comment by Vlado Bevc — October 15, 2010 @ 1:58 pm


RSS feed for comments on this post.

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 93 other followers