Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tel+41 55 214 41 60 Fax +41 55 214 41 61 Compass Security AG Werkstrasse 20 P.O. Box 2038 CH-8645 Jona Energy Fraud and Orchestrated.

Published byRaymond Horsey Modified over 10 years ago

Similar presentations

Presentation on theme: "Tel+41 55 214 41 60 Fax +41 55 214 41 61 Compass Security AG Werkstrasse 20 P.O. Box 2038 CH-8645 Jona Energy Fraud and Orchestrated."— Presentation transcript:

1 Tel+41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Compass Security AG Werkstrasse 20 P.O. Box 2038 CH-8645 Jona Energy Fraud and Orchestrated Blackouts Issues with Wireless Metering Protocols (wM-Bus) RHUL ISG DL Weekend Conference, Sun Sept 8 th 2013, Egham cyrill.brunschwiler@csnc.ch

2 © Compass Security AG Slide 2 www.csnc.ch Agenda Intro Making Of Smart Grids Smart Metering Wireless M-Bus Identified Issues Practical Issues Conclusion

3 Tel+41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Compass Security AG Werkstrasse 20 P.O. Box 2038 CH-8645 Jona Intro

4 © Compass Security AG Slide 4 www.csnc.ch Intro – Making Of Thesis on Smart Energy Summer 2011:Got attention of wireless M-Bus Autumn 2012:Started MSc thesis X-mas 2012:German BSI/OMS group published Security Report X-mas 2012:Short mention of M-Bus being inadequate February 2013:Spent some time digging through EN paperwork February 2013:Spent some time in an M-Bus lab environment March 2013:Finished analysis of M-Bus current resp. draft standards March 2013:German BSI mentions wM-Bus security being insufficient Summer 2013:Publication at Black Hat USA Thesis Contents Introduction Defensive part (identification of 43 controls for smart meters) Offensive part (analysis of wireless M-Bus protocol vulnerabilities)

5 © Compass Security AG Slide 5 www.csnc.ch Intro – Smart Grids Smart Grid Blue Print

6 © Compass Security AG Slide 6 www.csnc.ch Intro – Smart Metering Metering Infrastructure Blue Print Legend DSODistribution System Operator NANNeighbourhood Area Network Wireless M-Bus

7 © Compass Security AG Slide 7 www.csnc.ch Intro – Smart Metering – Collector Collectors Various Vendors Neuhaus is just an example of a Multi Utility Controller (MUC) Support Head-end side GPRS Ethernet (Web Interface) WLAN WiMAX Support Meter side Wired Serial (RS-485) Wired M-Bus ZigBee Wireless M-Bus

8 © Compass Security AG Slide 8 www.csnc.ch Intro – Smart Metering – Collector GUI

9 © Compass Security AG Slide 9 www.csnc.ch Intro – Smart Metering – Meter Electricity Meters Various Vendors Kamstrup is just an example Interfaces Optical Wired Interfaces GPRS ZigBee Wireless M-Bus Functionality Meter reading Pre-payment Tariffs Disconnect

10 Tel+41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Compass Security AG Werkstrasse 20 P.O. Box 2038 CH-8645 Jona Wireless M-Bus

11 © Compass Security AG Slide 11 www.csnc.ch Application Market segment Popular in remote meter reading Heat, Water, Gas, Electricity 15 million wireless devices deployed (figures from 2010) Mainly spread across Europe Usage Remote meter reading Drive-by meter reading Meter maintenance and configuration Becoming popular for smart metering applications Tariff schemes, real-time-pricing Demand-response Pre-payment Load-limit Remote disconnect

12 Tel+41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Compass Security AG Werkstrasse 20 P.O. Box 2038 CH-8645 Jona Protocol Overview

13 © Compass Security AG Slide 13 www.csnc.ch Protocol Overview - Data Link Layer First Block (Frame Header) Example Capture (Sent by meter, CRCs removed) 1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8 FieldValueInterpretation Length1E30 bytes frame length (exclusive length byte) Control44Indicates message from primary station, function send/no reply (SND-NR) Manuf. ID2D 2CCoded for Kamstrup (KAM) calculated as specified in prEN 13757 3. ID is managed by the flag association. Address07 71 94 15 01 02Identification:15 94 71 07 (little-endian) Device Type:02 (electricity meter) Version:01 ISSUE #1 Information Disclosure

14 © Compass Security AG Slide 14 www.csnc.ch Protocol Overview – Application Layer Data Header Example Example Capture (Sent by meter, CRCs removed) 1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8 FieldValueInterpretation Access numberB3Current access number is 179. The standard mandates to choose a random number on meter start. The standard suggests to use timestamps and sequence counters since ACC is insufficient to prevent replay. Status field00Message is meter initiated and there are no alarms or errors. Configuration10 85Encryption mode is 5 h which is AES-128 in CBC mode. 10 h indicates a single encrypted block containing meter data (without signature). The field further indicates a short window where the meter listens for requests (8 h ) ISSUE #2 Insufficient replay prevention

15 © Compass Security AG Slide 15 www.csnc.ch Wireless M-Bus Sniffer Protocol sniffers display wireless M-Bus data record contents provided you know the key. The standard suggests at least 8 bytes of the key shall be different for each meter ISSUE #3 None, short and stupid keys

16 Tel+41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Compass Security AG Werkstrasse 20 P.O. Box 2038 CH-8645 Jona wM-Bus Protocol Analysis

17 © Compass Security AG Slide 17 www.csnc.ch Encryption Modes Dedicated Application Layer (DAL) Encryption Modes 0no encryption 1reserved 2DES in CBC mode, zero IV 3DES in CBC mode, non-zero IV 4AES-128 in CBC mode, zero IV 5AES-128 in CBC mode, non-zero IV 6reserved for future use 7ffreserved Extended Link Layer (ELL) Encryption Modes 0no encryption 1AES-128 in CTR mode ISSUE #4 Weak encryption modes 2 and 3

18 Tel+41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Compass Security AG Werkstrasse 20 P.O. Box 2038 CH-8645 Jona Are we safe with AES?

19 © Compass Security AG Slide 19 www.csnc.ch Are we safe with AES? Encryption Mode 4 (DAL) AES-128 in CBC mode All-zero IV Uses static key k C 1 = Enc k (P 1 IV) = Enc k (P 1 00 00 … 00 00) = Enc k (P 1 ) Equal PT result in same CT Standard workaround Standard mandates to prefix value with date and time record Date and time (record type F) maximum granularity is minutes Side note Type I and J records allow for a granularity of seconds ISSUE #5 Zero consumption detection

20 © Compass Security AG Slide 20 www.csnc.ch Is encryption mode 5 our friend? Encryption Mode 5 (DAL) AES-128 in CBC mode Non-zero IV Uses static key k IV built from frame info and data header Mode 5, IV Example Example Capture (Sent by meter, CRCs removed) 1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8 ISSUE #6 IVs repeat => detect zero consumption

21 © Compass Security AG Slide 21 www.csnc.ch IV in encryption mode 1 CCSignal communication direction, prioritise frames... SNEncryption mode, time field, session counter (4 bits) FNFrame number BCBlock counter Predictable IVs result in 85-bits security due to TMTO How to get the key stream to repeat? Cause device to reuse the same IV If someone could adjust the device time the IV could be repeated How about Counter Mode? ISSUE #7 Predictable IV => 85-Bit security

22 © Compass Security AG Slide 22 www.csnc.ch Can we adjust the device time? Encryption in Special Protocols Alarms and errors Signalled within status byte Header is not subject to encryption Application resets (CI 50 h ) Special upper layer protocol Security services of the DAL and ELL do not apply Clock updates Special upper layer protocol Set, add and subtracts (TC field) ISSUE #8 Keystream repetition

23 Tel+41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Compass Security AG Werkstrasse 20 P.O. Box 2038 CH-8645 Jona Issues with message integrity?

24 © Compass Security AG Slide 24 www.csnc.ch Integrity, Authentication Analysis General There are two mention on how one could approach authentication. However there are neither authentication methods nor protocols specified DAL Integrity Protection CRCs There are CRCs at the frame level CRCs are not considered integrity protection Signatures Encryption mode 5 and 6 can signal digitally signed billing data Not widely used => due to meter display has priority MACs Not available Manipulation of Ciphertexts or IVs In CBC mode, the manipulation of ciphertexts is pointless Manipulation of the IV is difficult but feasible ISSUE #9 Inexistent authentication and integrity

25 © Compass Security AG Slide 25 www.csnc.ch IV Manipulation Example Example of Consumption Value Manipulation P 1 ' = Dec k (C 1 ) IV' => Dec k (C 1 ) = P 1 ' IV' = P 1 IV P 1 ' = P 1 IV IV' Precondition Original value read from meter display 341 kWh (08 34 05 00 ) Calculate Plaintext P 1 ' P 1 2F 2F 04 83 3B 08 34 05 00 2F 2F 2F 2F 2F 2F 2F IV2D 2C 07 71 94 15 01 02 B3 B3 B3 B3 B3 B3 B3 B3 IV' 2D 2C 07 71 94 15 01 05 B3 B3 B3 B3 B3 B3 B3 B3 P 1 ' 2F 2F 04 83 3B 08 34 02 00 2F 2F 2F 2F 2F 2F 2F Result P1 144'392 Wh (08 34 02 00) ISSUE #10 Alter consumption value or cmds

26 © Compass Security AG Slide 26 www.csnc.ch Partial Encryption in wM-Bus Partial Encryption Dedicated Application Layer allows for partial encryption How does the receiver handle doubled data records? Expansion Attack Example Value in CT: 04 83 3B 08 34 05 00 (341'000 Wh) 1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8 Value attached: 04 83 3B 08 34 02 00 (144'392 Wh) 25 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8 04 83 3B 08 34 05 00 ISSUE #11 Consumption value or cmd pollution

27 © Compass Security AG Slide 27 www.csnc.ch Integrity Analysis ELL Manipulation Example C a = E7 8E 1B 7B 9D 86 (Intercepted Ciphertext) P a = CC 22 01 FD 1F 01 (On Command) P b = F1 47 01 FD 1F 00 (Off Command) C b = C a P a P b C b = E7 8E 1B 7B 9D 86 CC 22 01 FD 1F 01 F1 47 01 FD 1F 00 C b = DA EB 1B 7B 9D 87 (Manipulated Ciphertext) ISSUE #12 Bit flipping

28 © Compass Security AG Slide 28 www.csnc.ch Which messages are affected? Integrity with Special Protocols No integrity protection at all Alarms and errors Application resets Clock synchronization Commands Network management Precision timing ISSUE #13 Wrong tariffing, Cmd manipulation

29 Tel+41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Compass Security AG Werkstrasse 20 P.O. Box 2038 CH-8645 Jona Practical Issues

30 © Compass Security AG Slide 30 www.csnc.ch Shield and Replay I Capture messages from original device Shield device and replay messages Issues with Packet Replay

31 © Compass Security AG Slide 31 www.csnc.ch Shield and Replay II Shield device, have a receiver with the device Submit messages to collector at maybe lower pace Issues with Packet Replay

32 © Compass Security AG Slide 32 www.csnc.ch Issues with Packet Replay Jam and Replay Meter Collector Sender Device

33 © Compass Security AG Slide 33 www.csnc.ch Prepare Attack Drop Devices War Drive Setup Sender Bring Flashlight ! Orchestrated Blackouts

34 Tel+41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Compass Security AG Werkstrasse 20 P.O. Box 2038 CH-8645 Jona Conclusion

35 © Compass Security AG Slide 35 www.csnc.ch Conclusion I picture is worth a thousand words…

36 © Compass Security AG Slide 36 www.csnc.ch Conclusion General Issues Key size 64 bits Zero consumption detection Disclosure of consumption values Plaintext errors and alarms Information Disclosure Man-in-the-middle in routed environments Key disclosure Energy Fraud Manipulation of consumption value Orchestrated Blackouts Manipulation of valve and breaker open/close commands

37 © Compass Security AG Slide 37 www.csnc.ch Outlook Counter Measures Efforts of the OMS Group and the German Federal Office for Information Security (BSI Germany) Integrity-preserving authentication and fragmentation layer (AFL), Additional encryption mode relying on AES-128 in CBC mode using ephemeral keys TLS 1.2 support for wM-Bus Published on X-Mas 2012 Looks promising, no independent public analysis so far

38 © Compass Security AG Slide 38 www.csnc.ch Battery pack empty.

39 © Compass Security AG Slide 39 www.csnc.ch Presentation http://www.csnc.ch/misc/files/2013/energy_fraud_and_blackouts.pdf Whitepaper http://www.csnc.ch/misc/files/2013/wmbus_security_whitepaper.pdf Sniffer & MUC (credits lukas@statuscode.ch) https://github.com/CBrunsch/WMBus-Sniffer-MUC Python Sniffer Scambus https://github.com/CBrunsch/scambus GNU Radio wM-Bus (credits neundorf@kde.org) https://github.com/oWCTejLVlFyNztcBnOoh/gr-wmbus Cliparts http://openclipart.org

Download ppt "Tel+41 55 214 41 60 Fax +41 55 214 41 61 Compass Security AG Werkstrasse 20 P.O. Box 2038 CH-8645 Jona Energy Fraud and Orchestrated."

Similar presentations

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.
1 A B C 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52.

1 A B C
Trend for Precision Soil Testing % Zone or Grid Samples Tested compared to Total Samples.

Trend for Precision Soil Testing % Zone or Grid Samples Tested compared to Total Samples.
Trend for Precision Soil Testing % Zone or Grid Samples Tested compared to Total Samples.

Trend for Precision Soil Testing % Zone or Grid Samples Tested compared to Total Samples.
AGVISE Laboratories %Zone or Grid Samples – Northwood laboratory

AGVISE Laboratories %Zone or Grid Samples – Northwood laboratory
Module 3: Block 3 Call Management

Module 3: Block 3 Call Management
1

1
Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.

Feichter_DPG-SYKL03_Bild-01. Feichter_DPG-SYKL03_Bild-02.
ISA 662 SSL Prof. Ravi Sandhu. 2 © Ravi Sandhu SECURE SOCKETS LAYER (SSL) layered on top of TCP SSL versions 1.0, 2.0, 3.0, 3.1 Netscape protocol later.

ISA 662 SSL Prof. Ravi Sandhu. 2 © Ravi Sandhu SECURE SOCKETS LAYER (SSL) layered on top of TCP SSL versions 1.0, 2.0, 3.0, 3.1 Netscape protocol later.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Network Layer: Address Mapping, Error Reporting, and Multicasting

Network Layer: Address Mapping, Error Reporting, and Multicasting
Sequential Logic Design

Sequential Logic Design
Processes and Operating Systems

Processes and Operating Systems
Copyright © 2013 Elsevier Inc. All rights reserved.

Copyright © 2013 Elsevier Inc. All rights reserved.
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Author: Julia Richards and R. Scott Hawley

Author: Julia Richards and R. Scott Hawley
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
1 Hyades Command Routing Message flow and data translation.

1 Hyades Command Routing Message flow and data translation.
David Burdett May 11, 2004 Package Binding for WS CDL.

David Burdett May 11, 2004 Package Binding for WS CDL.
Add Governors Discretionary (1G) Grants Chapter 6.

Add Governors Discretionary (1G) Grants Chapter 6.

Similar presentations

Ads by Google