
Inside Smart Meters Hack Chat

Are you smarter than your electrical meter?

Wednesday, April 14, 2021 12:00 pm PDT
Hash will host the Hack Chat on Wednesday, April 14 at noon Pacific.

Time zones got you down? Try our handy time zone converter.

That electrical meter on the side of your house might not look like it, but it's pretty packed with technology. What was once a simple electromechanical device that a human would have to read in person is now a node on a far-flung network. Not only does your meter tote up the amount of electricity you use, but it also talks to other meters in the neighborhood, sending data skipping across town to routers that you might never have noticed as it makes its way back to the utility. And the smartest of smart meters not only know how much electricity you're using, but they can also tease information about which appliances are being used simply by monitoring patterns of usage.

While all this sounds great for utility companies, what does it mean for the customers? What are the implications of having a network of smart meters all talking to each other wirelessly? Are these devices vulnerable to attack? Have they been engineered to be as difficult to exploit as something should be when it's designed to be in service for 15 years or more?

These questions and more burn within Hash, a hardware hacker and security researcher who runs the RECESSIM reverse-engineering wiki. He's been inside a smart meter or two and has shared a lot of what he has learned on the wiki and with some in-depth Smart Meter Hacking videos. He'll stop by the Hack Chat to discuss what he's learned about the internals of smart meters, how they work, and where they may be vulnerable to attack.

  • Hack Chat Transcript, Part 2

    Dan Maloney04/14/2021 at 20:04 0 comments

    farmboy12:30 PM
    anything good in there?!

    Hash12:30 PM
    Also the bootloader the M15C processor uses

    Hash12:30 PM
    M16C

    james12:30 PM
    Water flow is not a reliable power source. The meters degrade over time and need to be replaced every 20 years

    Hash12:30 PM

    Hash12:30 PM
    Working on disassembling it now

    farmboy12:30 PM
    dang

    Hash12:30 PM
    Leave no stones unturned....

    FrostWizard412:31 PM
    which is why we should all go subscribe if you get what I'm saying :)

    Hash12:31 PM
    @FrostWizard4 Much appreciated!

    James Murphy12:31 PM
    Subscribe Link?

    FrostWizard412:31 PM

    https://www.youtube.com/channel/UCVa4o0P6xhhSDi3rgLm2SBw


    RECESSIM is Latin for "moving backwards" which is what we do when we Reverse Engineer. I hope you enjoy the content here, feel free to contact me to suggest other content you are interested in seeing. Always looking for a new project! -Hash

    Beat me to it...

    farmboy12:32 PM
    forget that. where's your patreon ?!

    James Murphy12:32 PM
    Done! Subscribed!

    Todd Christell12:32 PM
    Subscribed.

    dolsongte12:32 PM
    What about people who think that putting a magnet on the top of the smart meter resets it to zero, you guys consider that a hack?

    Hash12:32 PM
    @farmboy Nice!!

    james12:33 PM
    Does not work.

    FrostWizard412:33 PM
    The link or the magnet thing?

    james12:33 PM
    Magnet

    Hash12:33 PM
    @dolsongte Funny you should mention that, they do have a magnetic sensor on top...

    farmboy12:33 PM
    there actually is a reed switch in there to detect a magnet. but it doesn't do much interesting.

    Wim Ton12:33 PM
    B.t.w. this is a USA discussion. Non USA meters are totally different (rectangular instead of round to start with)

    Hash12:34 PM
    But I have seen videos where people had a strong magnet near their meters and got a letter from the power company accusing them of tampering

    james12:34 PM
    Besides, resetting to zero would get you a huge bill. The utility would think it wrapped around on max digits and bill you for heavy usage

    Hash12:34 PM
    @Wim Ton Correct, I haven't looked at the meters outside North America

    Wim Ton12:34 PM
    magnets can be used to saturate the current sensor and to disable switching mode power supplies.

    Todd Christell12:34 PM
    So it appears that the "tamper switch" is a standard alarm system setup, magnet and reed switch.

    james12:34 PM
    The magnet might trigger tamper alarms. In some places that is a felony

    farmboy12:34 PM
    you can certainly screw up the hall effect sensor with a big magnet. not recommended.

    Hash12:35 PM
    All my invasive experimenting has been done with meters I purchased on eBay... Anything with the live network around me is strictly listening to understand traffic

    Wim Ton12:36 PM
    In Europe, detection of strong magnetic fields and a tamper switch is a regulatory requirement

    Hash12:36 PM
    Ultimately we don't own the meters on our house, so can't use those to experiment

    farmboy12:36 PM
    but you paid for them?

    farmboy12:36 PM
    i mean... the meter on my house.

    Hash12:36 PM
    I think a big reason people don't experiment with these is getting hardware, and fear of legal troubles

    Wim Ton12:36 PM
    Indirectly yes

    Hash12:36 PM
    No, you pay for service, the meter is part of the service

    Bernard12:37 PM
    And you pay for the power they use!

    Hash12:37 PM
    @Bernard I plan to measure how much power they use soon!

    Hash12:37 PM
    Interesting to see

    james12:37 PM
    Had the circuit breaker box on the side of my house explode. While the electrician was here working, he messed with the meter. 10 minutes later, a utility truck drove up to find out what we were doing.

    Wim Ton12:37 PM
    About 5 watt

    FrostWizard412:38 PM
    @Hash Are you guessing the amount of power the meters will use will be significant or no?

    Bernard12:38 PM
    5 Watt seems about right

    Hash12:38 PM
    @FrostWizard4 I'm guessing not super significant, but curious compared to the old analog meters

    Hash12:39 PM
    @james Here's an older version of the same meter, two boards like you mentioned earlier

    farmboy12:39 PM
    i believe the meter is powered...

  • Hack Chat Transcript, Part 1

    Dan Maloney04/14/2021 at 20:03 0 comments

    OK, folks, here we go! Welcome to the Hack Chat, I'm Dan and I'll be moderating today along with Dusan as we welcome Hash to the Hack Chat for a discussion on smart meters. Really looking forward to this one!

    Hash, I saw you on before, you still out there? If so, can you tell us a little about how you got interested in meter hacking?

    felix1063 joined the room.12:00 PM

    Todd Christell12:00 PM
    It also lets them evaluate electrical outages and prioritize their dispatch -- if you're looking for a positive.

    Darrin B joined the room.12:00 PM

    Hash12:00 PM
    Hey everyone!

    Maxwell Faraday joined the room.12:00 PM

    And just for the record, when we say "meter hacking", we're not talking about anything illegal -- just listening in on meter comms.

    James Murphy12:01 PM
    Hey Hash!

    Hash12:01 PM
    Exactly

    Hash12:01 PM
    I was always interested in hacking and using devices for reasons other than their intended purpose. It’s like a game between me and the device, a puzzle with an unknown number of pieces and no box with an image showing you how it should look when you are done. The prize is the feeling humans have been searching for since the beginning of time: Discovering new places no one else has been.

    2rkoester joined the room.12:01 PM

    Hash12:01 PM
    Now I can afford a nice lab setup so in my spare time I hack for fun, hardware and RF interest me most and I program when needed towards those ends. Power meters caught my eye initially because they get deployed and then basically stay the same for 15 years! This allows me to leisurely hack them knowing what I learn won’t be obsolete in 6 months like with consumer goods.

    a.mordicus joined the room.12:02 PM

    dbcorbin joined the room.12:02 PM

    Hash12:02 PM

    Edmund joined the room.12:02 PM

    Hash12:02 PM
    Smart Meter networks are pretty huge, but look like this in a very basic view

    James Murphy12:02 PM
    Hey Hash, assuming I have no testing hardware whatsoever what would it take for me to get in to this game?

    I noticed so many routers on light poles today on my morning walk. Never really saw them before for some reason.

    Nicolas Tremblay12:03 PM
    2 fingers and a plug?

    james12:03 PM
    That is not necessarily a correct view.

    Hash12:03 PM
    @James Murphy Could start with a RTL-SDR, learn the basics of RF and SDR and you're well on your way for $30

    Wim Ton joined the room.12:03 PM

    james12:03 PM
    Not all smart meters are mesh

    John joined the room.12:03 PM

    James Murphy12:03 PM
    RTL-SDR ??

    Hash12:04 PM
    @james Indeed, I am specifically looking at Landis+Gyr

    Hash12:04 PM
    @Dan Maloney You'll see them all over the place now!


    https://www.rtl-sdr.com/about-rtl-sdr/


    What is RTL-SDR? RTL-SDR is a very cheap ~$25 USB dongle that can be used as a computer based radio scanner for receiving live radio signals in your area (no internet required). Depending on the particular model it could receive frequencies from 500 kHz up to 1.75 GHz.

    james12:04 PM
    Yes, The comm module on a Landis Gyr can be replaced.

    nicklapolis joined the room.12:04 PM

    Hash12:04 PM

    baldrick (NE2Z)12:04 PM
    As @Hash was saying ..

    Hash12:04 PM
    This a view of the boards I am analyzing

    dbcorbin12:05 PM
    how can you tell what tech is inside the smart meter on my house?

    james12:05 PM
    Usually depends on the Utility for the tech.

    weberzach joined the room.12:05 PM

    James Murphy12:05 PM
    Thanks Hash...

    Hash12:05 PM
    @dbcorbin Take a pic of it and post it here, if it has a FCCID then you got something worth analyzing

    Those two long zig-zaggy chains of resistors are curious...

    loop1712:06 PM
    https://fccid.io/ is better than the official FCC site for looking that up

    andrellobbello joined the room.12:06 PM

    James Murphy12:06 PM
    FCCID ??

    loop1712:06 PM
    yes, the identifier for the FCC

    John12:06 PM
    Some utilities still use power-line carrier systems.

    Hash12:06 PM
    Yea, I am working on reverse engineering the layout of the PCB as well....

    james12:06 PM
    https://sensus.com/communication-networks/sensus-technologies/flexnet-north-america/...
