Blackouts
Issues with Wireless Metering Protocols (wMBus)
RHUL ISG DL Weekend Conference, Sun Sept 8th 2013, Egham
cyrill.brunschwiler@csnc.ch
Compass Security AG
Werkstrasse 20
P.O. Box 2038
CH-8645 Jona
www.csnc.ch
Tel +41 55 214 41 60
Fax +41 55 214 41 61
team@csnc.ch
Slide 1
Agenda
Intro
Making Of
Smart Grids
Smart Metering
Wireless M-Bus
Identified Issues
Practical Issues
Conclusion
Slide 2
Intro
Slide 3
Intro: Making Of
Thesis on Smart Energy
Summer 2011: Wireless M-Bus got my attention
Autumn 2012: Started MSc thesis
X-mas 2012: German BSI/OMS group published Security Report
X-mas 2012: Short mention of M-Bus being inadequate
February 2013: Spent some time digging through EN paperwork
February 2013: Spent some time in an M-Bus lab environment
March 2013: Finished analysis of the current and draft M-Bus standards
March 2013: German BSI mentions wM-Bus security being insufficient
Summer 2013: Publication at Black Hat USA
Thesis Contents
Introduction
Defensive part (identification of 43 controls for smart meters)
Offensive part (analysis of wireless M-Bus protocol vulnerabilities)
Slide 4
Slide 5
Legend
DSO: Distribution System Operator
NAN: Neighbourhood Area Network
Wireless M-Bus
Slide 6
Slide 7
Slide 8
Interfaces
Optical
Wired Interfaces
GPRS
ZigBee
Wireless M-Bus
Functionality
Meter reading
Pre-payment
Tariffs
Disconnect
Slide 9
Wireless M-Bus
Slide 10
Application
Market segment
Popular in remote meter reading
Heat, Water, Gas, Electricity
15 million wireless devices deployed (figures from 2010)
Mainly spread across Europe
Usage
Remote meter reading
Drive-by meter reading
Meter maintenance and configuration
Becoming popular for smart metering applications
Tariff schemes, real-time-pricing
Demand-response
Pre-payment
Load-limit
Remote disconnect
Slide 11
Protocol Overview
Slide 12
ISSUE #1: Information Disclosure
Field: Length
  Value: 1E
Field: Control
  Value: 44
  Interpretation: Indicates message from primary station, send/no reply (SND-NR)
Field: Manuf. ID
  Value: 2D 2C
  Interpretation: Coded for Kamstrup (KAM), calculated as specified in prEN 13757-3. The ID is managed by the flag association.
Field: Address
  Value: 07 71 94 15 01 02
  Interpretation: Identification 15 94 71 07 (little-endian), Version 01, Device Type 02 (electricity meter)
Slide 13
Slide 14
ISSUE #2: Insufficient replay protection
Field: Access number
  Value: B3
Field: Status field
  Value: 00
  Interpretation: Message is meter initiated and there are no alarms or errors.
Field: Configuration
  Value: 10 85
Slide 15
ISSUE #3: None, short and stupid keys
Slide 16
Encryption Modes
ISSUE #4: Weak encryption modes
Dedicated Application Layer (DAL) Encryption Modes
0: no encryption
1: reserved
2: DES in CBC mode, zero IV
3: DES in CBC mode, non-zero IV
4: AES-128 in CBC mode, zero IV
5: AES-128 in CBC mode, non-zero IV
6: reserved for future use
7-ff: reserved
Extended Link Layer (ELL) Encryption Modes
0: no encryption
1: AES-128 in CTR mode
Slide 17
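The header fields from slides 13 and 14 and the DAL mode table from slide 17, worked through as an added example that is not part of the slides or of the author's sniffer tools: a parser for the link-layer and short transport-layer header of the frame shown, which also flags the weak DAL modes. The frame bytes are the slides' own; the positions of the mode (bits 8..12) and the encrypted block count (bits 4..7) inside the configuration word follow EN 13757-3 and are assumptions not stated on the slides.

```python
WEAK_DAL_MODES = {                       # from the DAL mode table on slide 17
    0: "no encryption",
    2: "DES in CBC mode, zero IV",
    3: "DES in CBC mode, non-zero IV",
    4: "AES-128 in CBC mode, zero IV",
}

def manufacturer_id(m_field: bytes) -> str:
    """Two-byte little-endian M-field packing three 5-bit letters (A=1 .. Z=26)."""
    v = int.from_bytes(m_field, "little")
    return "".join(chr(64 + ((v >> shift) & 0x1F)) for shift in (10, 5, 0))

def parse_header(frame: bytes) -> dict:
    """L | C | M(2) | A(6) = ID(4, BCD, LE) VER TYPE | CI | ACC | STS | CONF(2)"""
    if len(frame) < 15:
        raise ValueError("frame too short for link + short transport header")
    config = int.from_bytes(frame[13:15], "little")
    mode = (config >> 8) & 0x1F          # EN 13757-3 configuration word, bits 8..12
    return {
        "length": frame[0],              # bytes after L, excluding CRCs
        "control": frame[1],
        "snd_nr": frame[1] == 0x44,      # SND-NR: from primary station, no reply
        "manufacturer": manufacturer_id(frame[2:4]),
        "identification": frame[4:8][::-1].hex(),   # BCD digits, stored little-endian
        "version": frame[8],
        "device_type": frame[9],         # 02 = electricity meter
        "ci": frame[10],
        "access_number": frame[11],      # one byte, so it wraps after 256 frames
        "status": frame[12],             # 00 = meter initiated, no alarms or errors
        "encryption_mode": mode,
        "encrypted_blocks": (config >> 4) & 0x0F,   # EN 13757-3, bits 4..7 (assumption)
        "weak_mode": WEAK_DAL_MODES.get(mode),      # None for mode 5 (AES-128 CBC, non-zero IV)
    }

# Header bytes as shown on slides 13, 14 and 26 (the encrypted payload is omitted)
FRAME = bytes.fromhex("1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85")

def header_consistent(frame: bytes) -> bool:
    """L must cover C..CONF (14 bytes) plus one 16-byte AES block per encrypted block."""
    h = parse_header(frame)
    return h["length"] == 14 + 16 * h["encrypted_blocks"]
```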
Slide 18
ISSUE #5: Zero consumption detection
C1 = Enc_k(P1 ⊕ 00 00 00 00 ...) = Enc_k(P1)   (zero IV)
Equal plaintexts result in the same ciphertext
Standard workaround
  The standard mandates prefixing the value record with date and time
  Date and time (record type F) maximum granularity is minutes
Side note
  Type I and J records allow for a granularity of seconds
Slide 19
ISSUE #6: IV repeats
Slide 20
ISSUE #7: Predictable IV
ELL header fields (inputs to the CTR mode IV):
CC: Signals communication direction, prioritises frames
SN: Encryption mode, time field, session counter (4 bits)
FN: Frame number
BC: Block counter
Slide 21
Slide 22
Slide 23
Integrity
ISSUE #9: No authentication
CRCs
  There are CRCs at the frame level
  CRCs are not considered integrity protection
Signatures
  Encryption modes 5 and 6 can signal digitally signed billing data
  Not widely used, because the meter display has priority
MACs
  Not available
Manipulation of Ciphertexts or IVs
  In CBC mode, the manipulation of ciphertexts is pointless
  Manipulation of the IV is difficult but feasible
Slide 24
IV Manipulation Example
ISSUE #10: Consumption value manipulation
Example of Consumption Value Manipulation
P1' = Dec_k(C1) ⊕ IV'  =>  Dec_k(C1) = P1' ⊕ IV' = P1 ⊕ IV
P1' = P1 ⊕ IV ⊕ IV'
Precondition
  Original value read from meter display: 341 kWh (08 34 05 00)
Calculate Plaintext P1'
  P1  = 2F 2F 04 83 3B 08 34 05 00 2F 2F 2F 2F 2F 2F 2F
  IV  = 2D 2C 07 71 94 15 01 02 B3 B3 B3 B3 B3 B3 B3 B3
  IV' = 2D 2C 07 71 94 15 01 05 B3 B3 B3 B3 B3 B3 B3 B3
  P1' = 2F 2F 04 83 3B 08 34 02 00 2F 2F 2F 2F 2F 2F 2F
Result
  P1' = 144'392 Wh (08 34 02 00)
Slide 25
Consumption Value Manipulation: Frame View
Intercepted frame (header followed by the encrypted payload):
  44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C 93 27 D3 03 58 C8 ...
Value attached: 04 83 3B 08 34 05 00 (341 kWh)
Manipulated value: 08 34 02 00 (144'392 Wh)
Slide 26
Integrity Analysis
ELL Manipulation Example
ISSUE #12: Bit flipping
C  = E7 8E 1B 7B 9D 86 (Intercepted Ciphertext)
P  = CC 22 01 FD 1F 01 (On Command)
P' = F1 47 01 FD 1F 00 (Off Command)
C' = C ⊕ P ⊕ P'
C' = E7 8E 1B 7B 9D 86 ⊕ CC 22 01 FD 1F 01 ⊕ F1 47 01 FD 1F 00
C' = DA EB 1B 7B 9D 87 (Manipulated Ciphertext)
Slide 27
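The XOR relations on slides 25 and 27 carried through in code, as an added example that is not part of the slides or of the author's tools: it derives the mode-5 IV from the header, reproduces both manipulations on the slides' own bytes, and then shows the check an authentication layer such as the AFL in the outlook adds, a MAC over header and ciphertext that rejects either change. The HMAC-SHA256 construction, the key and the helper names are assumptions of this example.

```python
import hashlib
import hmac

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mode5_iv(m_field: bytes, a_field: bytes, access_no: int) -> bytes:
    """Mode-5 IV: manufacturer ID (2) + address (6) + access number repeated 8 times."""
    return m_field + a_field + bytes([access_no]) * 8

def plaintext_after_iv_change(p1: bytes, iv: bytes, iv_new: bytes) -> bytes:
    """CBC block 1: Dec_k(C1) = P1 xor IV is fixed, so P1' = P1 xor IV xor IV' (slide 25)."""
    return xor(xor(p1, iv), iv_new)

def ctr_rewrite(c: bytes, p: bytes, p_new: bytes) -> bytes:
    """CTR mode: C' = C xor P xor P', the same identity applied to the key stream (slide 27)."""
    return xor(xor(c, p), p_new)

def energy_wh(block: bytes) -> int:
    """Record '2F 2F 04 83 3B <32-bit LE value>': DIF 04, VIF 83 3B, value in Wh."""
    if block[:5] != bytes.fromhex("2F2F04833B"):
        raise ValueError("unexpected record layout")
    return int.from_bytes(block[5:9], "little")

M_FIELD = bytes.fromhex("2D2C")                          # KAM
A_FIELD = bytes.fromhex("077194150102")                  # ID 15947107, version 01, type 02
P1 = bytes.fromhex("2F2F04833B08340500" + "2F" * 7)      # 341 000 Wh, slide 25

def slide25_manipulation() -> bytes:
    """Only the device-type byte (02 -> 05) of the unprotected header is altered."""
    iv = mode5_iv(M_FIELD, A_FIELD, 0xB3)
    forged = A_FIELD[:5] + b"\x05"
    return plaintext_after_iv_change(P1, iv, mode5_iv(M_FIELD, forged, 0xB3))

def auth_tag(key: bytes, header: bytes, ciphertext: bytes) -> bytes:
    """Assumed MAC over header and ciphertext, binding the IV inputs to the data."""
    return hmac.new(key, header + ciphertext, hashlib.sha256).digest()[:8]

def verify_tag(key: bytes, header: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """A receiver that checks this tag rejects both manipulations above."""
    return hmac.compare_digest(auth_tag(key, header, ciphertext), tag)
```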
ISSUE #13: Command manipulation
Slide 28
Practical Issues
Slide 29
Slide 30
Slide 31
Collector
Sender Device
Meter
Slide 32
Orchestrated Blackouts
Prepare Attack
Drop Devices
War Drive
Setup Sender
Bring Flashlight!
Slide 33
Conclusion
Slide 34
Conclusion
A picture is worth a thousand words
Slide 35
Conclusion
General Issues
  Key size 64 bits
  Zero consumption detection
  Disclosure of consumption values
  Plaintext errors and alarms
Information Disclosure
  Man-in-the-middle in routed environments
  Key disclosure
Energy Fraud
  Manipulation of consumption values
Orchestrated Blackouts
  Manipulation of valve and breaker open/close commands
Slide 36
Outlook
Counter Measures
Efforts of the OMS Group and the German Federal Office for Information Security (BSI Germany):
  Integrity-preserving authentication and fragmentation layer (AFL)
  Additional encryption mode relying on AES-128 in CBC mode using ephemeral keys
  TLS 1.2 support for wM-Bus
Published on X-Mas 2012
Looks promising, no independent public analysis so far
Slide 37
Slide 38
Presentation
http://www.csnc.ch/misc/files/2013/energy_fraud_and_blackouts.pdf
Whitepaper
http://www.csnc.ch/misc/files/2013/wmbus_security_whitepaper.pdf
Sniffer & MUC (credits lukas@statuscode.ch)
https://github.com/CBrunsch/WMBus-Sniffer-MUC
Python Sniffer Scambus
https://github.com/CBrunsch/scambus
GNU Radio wM-Bus (credits neundorf@kde.org)
https://github.com/oWCTejLVlFyNztcBnOoh/gr-wmbus
Cliparts
http://openclipart.org
Slide 39