44CON London 2015 - Smart Muttering; a story and toolset for smart meter platform

[SensePost – 2015]
Smart Mutterings
–
A Tale of Hardware Haxory
ian@sensepost.com

`whoami`
Ian de Villiers

Why ?
• The South African perspective…

Why ?
• Same hardware used in:
– Smart Metering (Duh…)
– Industrial / Process Control
– Transport Management
– Building Automation

Why ?
• Same hardware used in:
– Smart Metering (Duh…)
– Industrial / Process Control
– Transport Management
– Building Automation
– Garden Irrigation Platform 

Why ?
• Utility Networks && Increased Attack
Surface

Why ?
Surface
Electricity
Data (Ex: Geyser Control)

Why ?
Surface
Electricity
Data

Why ?
Surface
• Privacy Concerns

Why ?
Surface
• Mike Davis. IO Active. BlackHat 2009

Why ?
Surface
– (I was there, but didn’t see this talk )

Why ?
Surface
– (I was there, but didn’t see this talk )
• Program Errors. strcpy Anyone ?

What ?
• Wouldn’t it be cool to interface with the
stuff natively ?
– Look at attacks against other devices (ala IO
Active)
– Look at attacks against infrastructure

Echelon ?
• Developed the Neuron Chip
– Often used in 3rd party solutions
• Sold Smart Meter business in 2014
• “Industrial Internet of Things”
(We really need some new clichés)

Echelon ?
• Developed the Neuron Chip
– Often used in 3rd party solutions
• Sold Smart Meter business in 2014
• “Industrial Internet of Things”
(We really need some new clichés)
• Developed and Standardised the LonMark
protocol
– Now termed LonWorks or ANSI/CEA-709.1

Echelon ?
• Approximately 90 million devices deployed
in 2010
• Train control systems
• Electro-Pneumatic Braking Systems
• Fuel Control
• Building Automation
• Appliance Control and Monitoring

Echelon ?
• Approximately 90 million devices deployed
in 2010
• Train control systems
• Electro-Pneumatic Braking Systems
• Fuel Control
• Building Automation
• Appliance Control and Monitoring
• (and as I said – Garden Irrigation to come)
• …

Echelon ?
• Also: “Saffers” are cheap 

Echelon ?

LonWorks Protocol ?
• LonWorks Protocol
– IEC 14908-1

TP/FT-10 ?
• TP/FT-10
– IEC 14908-2

TP/FT-10 ?
• Twisted Pair Medium
• Linear Bus or “Free Topology”
• Maximum length 2.7km + 500m
• 64 Devices per bus
• 78kbps
• Shared Medium :D/
• Need to be terminated
– #include <disclaimer.h>

TP/FT-10 ?

Communications ?
• Tragedy…. 

Communications ?
• Tragedy…. 
• Show must go on...

Communications ?

Communications ?
• Demonstrate partially working bus sniffing
(Via a very creative approach… )

Communications ?
• Demonstrate partially working bus
“injection”
• Lots of bad packets:
– Exceptions in UsbLta.dll
– Smart Meter Crashes (int over-run)

Communications ?
• Demonstrate partially working bus
“injection”
• Lots of bad packets:
– Exceptions in UsbLta.dll
– Smart Meter Crashes
• Demonstrate toolset by intercepting other
digital comms

Communications ?
• 78kbps (I’ve mentioned that)
• Manchester Encoded bit-stream (I’ve not
mentioned that yet)
• Not serial (although you can DoS the bus
with it)
– Observed strange things with LTAUSB.dll
• Media agnostic
• Determines reversed polarity
– Makes it very easy to just “plug and play”

Communications ?
• Differential Manchester Encoding
• Allows retrieval of the clock cycle
• Encodes bits alongside this clock
– Full clock-cycle L or H == 1
– Half clock-cycle L or H == 0

Communications ?
• No communication == Line state is
undriven
• Followed by “Byte Sync”. Series of
“Manchester ones” opposite to un-driven
line state
• Followed by “Bit Sync”. One “Manchester
zero”

Communications ?
• No communication == Line state is
undriven
• Followed by “Byte Sync”. Series of
“Manchester ones” opposite to un-driven
line state
• Followed by “Bit Sync”. One “Manchester
zero”
• Followed by packet data
• Followed by CRC

Communications ?
• Addressing
– Domain (48 bits)
– Subnet (4 bits)
– Node (48 bits)

Communications ?
• Authentication
– Key-based
• Key distributed via LonWorks Protocol message
• (Did I mention the TP-FT-10 media is shared?)
– Challenge response-based
– Not published

Communications ?
• Application-Level “Messages”
struct message {
int destin_type;
int data[];
}

Communications ?
• 00...... – Application Message
• 10...... – Incoming Network Variable
• 1d...... – Outgoing Network Variable
• 011..... – Network Management
• 0101.... – Diagnostics

Shunting Data
• Injecting Data into <insert name here >
communication streams
– Input Arduino
– PC
– Java
– Output Arduino

Shunting Data

Demo Time
VIDEO

Demo Time

Tools ?
• Need to build the JNI components for JNI
and OS/X
• Will publish on GIT by next week
• Watch www.sensepost.com/blog for post

Conclusion
• A lot to shoot at in this field
• A lot of stuff will probably break
• Never release the “Magic Smoke”

Questions ?
ian@sensepost.com
www.sensepost.com/blog

44CON London 2015 - Smart Muttering; a story and toolset for smart meter platform

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to 44CON London 2015 - Smart Muttering; a story and toolset for smart meter platform

Similar to 44CON London 2015 - Smart Muttering; a story and toolset for smart meter platform (20)

More from 44CON

More from 44CON (20)

Recently uploaded

Recently uploaded (20)

44CON London 2015 - Smart Muttering; a story and toolset for smart meter platform