OK, folks, here we go! Welcome to the Hack Chat, I'm Dan and I'll be moderating today along with Dusan as we welcome Hash to the Hack Chat for a discussion on smart meters. Really looking forward to this one!
Hash, I saw you on before, you still out there? If so, can you tell us a little about how you got interested in meter hacking?
It also lets them evaluate electrical outages and prioritize their dispatch -- if you're looking for a positive.
And just for the record, when we say "meter hacking", we're not talking about anything illegal -- just listening in on meter comms.
I was always interested in hacking and using devices for reasons other than their intended purpose. It’s like a game between me and the device, a puzzle with an unknown number of pieces and no box with an image showing you how it should look when you are done. The prize is the feeling humans have been searching for since the beginning of time: Discovering new places no one else has been.
Now I can afford a nice lab setup so in my spare time I hack for fun, hardware and RF interest me most and I program when needed towards those ends. Power meters caught my eye initially because they get deployed and then basically stay the same for 15 years! This allows me to leisurely hack them knowing what I learn won’t be obsolete in 6 months like with consumer goods.
Smart Meter networks are pretty huge, but look like this in a very basic view
Hey Hash, assuming I have no testing hardware whatsoever what would it take for me to get in to this game?
I noticed so many routers on light poles today on my morning walk. Never really saw them before for some reason.
2 finger and a plug?
That is not necessarily a correct view.
@James Murphy Could start with an RTL-SDR, learn the basics of RF and SDR and you're well on your way for $30
Not all smart meters are mesh
@james Indeed, I am specifically looking at Landis+Gyr
@Dan Maloney You'll see them all over the place now!
What is RTL-SDR? RTL-SDR is a very cheap ~$25 USB dongle that can be used as a computer based radio scanner for receiving live radio signals in your area (no internet required). Depending on the particular model it could receive frequencies from 500 kHz up to 1.75 GHz.
Yes, The comm module on a Landis Gyr can be replaced.
@Hash was saying ..As
This is a view of the boards I am analyzing
how can you tell what tech is inside the smart meter on my house?
Usually depends on the Utility for the tech.
@dbcorbin Take a pic of it and post it here, if it has an FCC ID then you got something worth analyzing
Those two long zig-zaggy chains of resistors are curious...
https://fccid.io/ is better than the official FCC site for looking that up
yes, the identifier for the FCC
Some utilities still use power-line carrier systems.
Yea, I am working on reverse engineering the layout of the PCB as well....
https://sensus.com/communication-networks/sensus-technologies/flexnet-north-america/ lists an alternative that is not mesh.
@James Murphy note the FCC id in his photo.
It is what is on my house.
is there no audio sound with these chats?
No, text only
@Hash , are you interested in their ability to communicate, or measure usage accurately?
@felix1063 Like oldschool IRC Hacking days!
The zigzag resistors are used because a single resistor is not specified for the full mains voltage
Are they reporting Brown-Outs?
@weberzach I am interested in the mesh network, how they route messages, what messages get sent etc
@James Murphy They report power outages for sure, likely line conditions and brownouts too but not sure what data they would send for that
Mine is a PGE FCC-id: OWS-NIC514 Silver Spring networks
How do they measure correct power factor?
@hash is there any easy way to monitor with an RTL my own home's usage? Or is the best bet still the "IR" sensors?
@felix1063 They use a chip made by Teridian (Maxim now) to do that
@hash what is the protocol format?
and is it LoRa on 900 MHz?
@richard I have one of those as well but in Dallas they killed that functionality recently
Mine is Open Wave, FCC ID: SK9ACT1
Depending on the Utility. The communications can be encrypted.
@baldrick (NE2Z) More info on the protocol here. https://wiki.recessim.com/view/Landis%2BGyr_GridStream_Protocol
Have you checked out rtlamr?
9600 baud with start/stop bits
Yea, it doesn't work for these meters unfortunately
RTLAMR doesn't apply to smart meters.
Landis+Gyr engineers wrote a paper about how their routing protocol works that was very interesting, here's an excerpt
link to the paper?
I had to pay for it on IEEE...
but might be available somewhere with some googling
The idea of a geographic routing protocol was very interesting
The PDF looks like a presentation based on the paper, could be useful
Yea, that's a solid presentation
The paper and testing was done in Dallas where I live!
there was a lot of mesh research going on.... back in 2000s. this looks like a university paper.
what's the date on the IEEE doc from L&G? i wonder if that just ended up becoming the "standards" for field area network routing... published in Wi-SUN / RPL / 802.15.4g?
@farmboy It's from the same IEEE paper
zigbee isn't the network hash is decoding.
@richard These use Zigbee for a local home area network, and 900MHz proprietary mesh for comms back to power company
ahh ok, thanks
@Hash what do you suppose is the next step decoding this L&G fan?
You can see under the RF cans on this pic, left side zigbee, right CC1020 for mesh
There is usually a daughter board for the actual comm.
cc1020 is publicly documented - so.... if there is a static key in there... you could get it sniffing the spi bus when it boots
@Hash what software are you using to explore/decode the protocol? GNU Radio?
So then what is the Zigbee network talking to? Stuff inside the customer property?
(assuming the key is in the host processor)
@james On these ones it's all one PCB, I have some others that are split
@farmboy Decode the power data, so far I don't have it yet
@farmboy The keys are different for each meter.
@Todd Christell Yes, custom block I wrote to decode L+G and Frequency hopping utilities by Sandia Labs
Where do you get electric meters from?
@Dan Maloney Correct, zigbee to consumer
SO maybe one of those little dongles that customers can use to view their usage, etc?
@Hash do you know of any cheap enough hardware to play with zigbee? i tried the ApiMote but stopped working after a while. I have a hackrf too but it can't do duplex tx/rx. didn't find any reasonable alternatives... :/
I used to have one of these dongles and SCE stopped supporting them
@andrellobbello I'd say get a board dedicated to ZigBee, I haven't worked with it though
SCE: Southern California Edison
@Bernard Same here in Dallas
yes, SCE gave up on SEP 1.x (zigbee). they shut down their home energy portal.
Yeah the ApiMote was supposed to but it let me down haha thanks tho! :)
HAN (home area network) ZigBee / consumer <- Meter -> FAN (field area network) / utility
Is anyone addressing forensic analytics to identify the hack after it happens?
If I'm doing things correctly it appears to be a "chirp." I know that the water and gas communicate with the electric meter and that is higher power signal to an intermediate node so not sure which I'm seeing.
@dolsongte What do you mean?
@Todd Christell Your water/gas/power meters all made by same manufacturer?
very few utilities cover gas, water, and electric.
so all the meters are usually different.
SCE is maybe the exception there.
That's how it is out here
@Hash Yes, they bought it as a package.
Database analytics that the utility may use to identify when and where the meter was hacked
Good for them, probably more efficient that way
what are some of the common rf frequencies used for communications of the network?
you guys are going to love the NEXT generation smart meter. have you heard about it?
400, 900, and 2.4
And the meters have tamper switches
@felix1063 902-928MHz is what these use
Linux and WiFi. hackers DREAM
@farmboy That's going to be fun
@dolsongte I am sure at the head end system they have ways of detecting suspicious activity and flagging it
My utility in MI, DTE, uses Itrons, and customer can also get a Powerley 'energy bridge' from zigbee->wifi/eth->cloud->phone app, and it even has an mqtt server on it that's open to subscribe to on local network. The meter configuration for what tariff or rate you have is programmed in by a technician using the IR interface, or they also can change the configuration remotely over the mesh network. Have you noticed different sets of messages on the mesh network depending on what tariff the customer has? ie: fixed flat rate, time of use, demand rate, etc.
nothing like a stranded linux distro on the side of your house! connected with wifi and bot-net ready :)
Thanks. Do the meters transmit in a set interval and if so, what is that interval?
Interval is configurable by utility
@Dale I haven't noticed traffic differences there that I could discern, but it's a good idea of what to search for!
Meters tend not to use Linux, too resource hungry
@felix1063 Mine transmit once a minute normally and power data every 15 mins
Lots of other traffic as well
there's some old meters that only transmit once a month! (gas)
That sounds like it got wiped to a default rate
@farmboy I worry more about the utility screwing things up than hackers out here. Yeah, people worry about that with the energy bridge, it is Linux.
Gas meters I looked at were VERY interesting... Battery powered FOR 10 YEARS!
transmit is usually not that often to reduce traffic
What worries me is ransomware. Bad guy targets the utility company. Accesses their system. Turns off everyone's meter then encrypts their system and sits back waiting for a ransom to be paid before giving them the key. Meanwhile, the end-user sits in the dark.
@Dale that's a good point. utilities are kinda only good at... uhhh... collecting bills and turning off your power
@james Nope, all the live meters around here transmit once a minute
Gas meter; 10 year battery, this is why they cannot transmit very often
TONS of traffic to snoop
Not all meters have remote disconnect.
@hash, the head end systems can't necessarily detect it. Depends on the utility's SCADA/EMS systems.
Firmware updates are digitally signed on modern meters
I know of water meters with 20 year batteries.
So yeah, that brings up a good point -- what about powering water meters? Battery too I'd imagine
@dolsongte That's true
Yes, both our gas and water are battery powered which is why they communicate locally with our power meter which has the "available" power for a more powerful radio. They had to replace all of the water pit covers with plastic so the RF could get out :)
Never looked at water meters but probably...would be cool to power them based on water flow spinning some kind of generator
^ i don't think you'll get the firmware of the meter.... but you can sure as heck get the data (before it goes over rf)... via the spi bus between the meter's micro and the radio micro.
@farmboy I already got the firmware off the meter :)
anything good in there?!
Also the bootloader the M15C processor uses
Water flow is not a reliable power source. The meters degrade over time and need to be replaced every 20 years
Working on disassembling it now