WM-BUS Issues - Cyrill - Brunschwiler

Energy Fraud and Orchestrated
Blackouts
Issues with Wireless Metering Protocols (wMBus)
RHUL ISG DL Weekend Conference, Sun Sept 8th 2013,
Egham
cyrill.brunschwiler@csnc.ch
Compass Security AG
Compass Security AG
Werkstrasse 20
P.O. Box 2038
www.csnc.ch CH-8645 Jona
Tel
+41 55 214 41
60
Fax +41 55 214 41
61
Slide 1
team@csnc.ch
Agenda
Intro
Making Of
Smart Grids
Smart Metering
Wireless M-Bus
Identified Issues
Practical Issues
Conclusion
Compass Security AG
www.csnc.ch
Slide 2
Intro
Compass Security AG
Compass Security AG
Werkstrasse 20
P.O. Box 2038
Tel
+41 55 214 41
60
Fax +41 55 214 41
61
Slide 3
team@csnc.ch
Intro Making Of
Thesis on Smart Energy
Summer 2011:
Got attention of wireless M-Bus
Autumn 2012:
Started MSc thesis
X-mas 2012: German BSI/OMS group published Security Report
X-mas 2012: Short mention of M-Bus being inadequate
February 2013: Spent some time digging through EN paperwork
February 2013: Spent some time in an M-Bus lab environment
March 2013: Finished analysis of M-Bus current resp. draft standards
March 2013: German BSI mentions wM-Bus security being insufficient
Summer 2013:
Publication at Black Hat USA
Thesis Contents
Introduction
Defensive part (identification of 43 controls for smart meters)
Offensive part (analysis of wireless M-Bus protocol vulnerabilities)
Compass Security AG
www.csnc.ch
Slide 4
Intro Smart Grids

Smart Grid Blue Print
Compass Security AG
www.csnc.ch
Slide 5
Intro Smart Metering

Metering Infrastructure Blue Print
Legend
DSODistribution System Operator
NANNeighbourhood Area Network
Wireless M-Bus
Compass Security AG
www.csnc.ch
Slide 6
Intro Smart Metering Collector

Collectors
Various Vendors
Neuhaus is just an example of
a Multi Utility Controller (MUC)
Support Head-end side

GPRS
Ethernet (Web Interface)
WLAN
WiMAX
Support Meter side

Wired Serial (RS-485)
Wired M-Bus
ZigBee
Wireless M-Bus
Compass Security AG
www.csnc.ch
Slide 7
Intro Smart Metering Collector GUI
Compass Security AG
www.csnc.ch
Slide 8
Intro Smart Metering Meter

Electricity Meters
Various Vendors
Kamstrup is just an example
Interfaces
Optical
Wired Interfaces
GPRS
ZigBee
Wireless M-Bus
Functionality
Meter reading
Pre-payment
Tariffs
Disconnect
Compass Security AG
www.csnc.ch
Slide 9
Wireless M-Bus
Compass Security AG
Compass Security AG
Werkstrasse 20
P.O. Box 2038
Tel
+41 55 214 41
60
Fax +41 55 214 41
61
Slide 10
team@csnc.ch
Application
Market segment
Popular in remote meter reading
Heat, Water, Gas, Electricity
15 million wireless devices deployed (figures from 2010)
Mainly spread across Europe
Usage
Remote meter reading
Drive-by meter reading
Meter maintenance and configuration
Becoming popular for smart metering applications
Tariff schemes, real-time-pricing
Demand-response
Pre-payment
Load-limit
Remote disconnect
Compass Security AG
www.csnc.ch
Slide 11
Protocol Overview
Compass Security AG
Compass Security AG
Werkstrasse 20
P.O. Box 2038
Tel
+41 55 214 41
60
Fax +41 55 214 41
61
Slide 12
team@csnc.ch
Protocol Overview - Data Link

Layer
First Block (Frame Header)
Example Capture (Sent by meter, CRCs removed)
1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C
93 72 04 76 59 50 24 16 93 27 D3 03 58 C8
Field
Value
Interpretation
Length
1E
30 bytes frame length (exclusive length byte)
07 71 94 15 01
02
Identification:
15 94 71 07 (little-endian)
Device Type: 02 (electricity meter)
Version:
01
Control
Manuf.
ID
Address
e
r
u
os
l
c
s
1
i from primary station,
#
D
44
Indicates message
E function
n
o
U
send/no reply (SND-NR)
i
t
S
a
S
I
m
r Coded for Kamstrup (KAM) calculated as
2D 2C
o
f
specified in prEN137573. ID is managed by
In
the flag association.
Compass Security AG
www.csnc.ch
Slide 13
Protocol Overview Application Layer

Data Header Example
Example Capture (Sent by meter, CRCs removed)
1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C
93 72 04 76 59 50 24 16 93 27 D3 03 58 C8
e
v
re
n
o
i
nt
Field
Valu
e
Interpretation
Access
number
B3
Current access number is 179. The standard

mandates to choose a random number on meter
start. The standard suggests to use timestamps and
sequence counters since ACC is insufficient to
prevent replay.
10
85
Encryption mode is 5h which is AES-128 in CBC mode.

10h indicates a single encrypted block containing
meter data (without signature). The field further
indicates a short window where the meter listens for
requests (8
h)
www.csnc.ch
Slide 14
Status field
p
y
p la
2 re
#
E
t
n
U
ISS fficie
u
s
00
is meter initiated and there are no alarms
In Message
or errors.
Configuration
Compass Security AG
Wireless M-Bus Sniffer

Protocol sniffers display wireless M-Bus data record contents
provided you know the key. The standard suggests at least 8
bytes of the key shall be different for each meter
3
#
t
E
r
U
o
IS S e , s h
n
o
N
Compass Security AG
s
d
an
www.csnc.ch
s
y
e
k
d
i
p
tu
Slide 15
wM-Bus Protocol Analysis
Compass Security AG
Compass Security AG
Werkstrasse 20
P.O. Box 2038
Tel
+41 55 214 41
60
Fax +41 55 214 41
61
Slide 16
team@csnc.ch
Encryption Modes
Dedicated Application Layer (DAL) Encryption Modes
0 no encryption
1 reserved
2 DES in CBC mode, zero IV
3 DES in CBC mode, non-zero IV
4 AES-128 in CBC mode, zero IV
d
n
a
5 AES-128 in CBC mode, non-zero IV 2
s
6 reserved for future use
e
d
o
7ff reserved
m
n
o
4
i
t
#
p
y Encryption Modes
E Layerc(ELL)
Extended Link
r
U
S encryption
n
0ISno
e
ak in CTR mode
1 AES-128
e
W
Compass Security AG
www.csnc.ch
Slide 17
Are we safe with AES?
Compass Security AG
Compass Security AG
Werkstrasse 20
P.O. Box 2038
Tel
+41 55 214 41
60
Fax +41 55 214 41
61
Slide 18
team@csnc.ch
Are we safe with AES?

Encryption Mode 4 (DAL)
AES-128 in CBC mode
All-zero IV
Uses static key k
C1 = Enck(P1 IV)
= Enck(P1 00 00 00 00)
n
o
i
= Enck(P1)
t
c
e
Equal PT result in same CT
et
d
n
Standard workaround
o
i
t
5
p
Standard mandates
to
prefix
value with date and time
#
m
E
u
U
s
record
S
n
o
IS and
c
Date
time (record type F) maximum granularity is
o
r
minutes
Ze
Side note
Type I and J records allow for a granularity of
seconds
Compass Security AG
www.csnc.ch
Slide 19
Is encryption mode 5 our friend?

Encryption Mode 5 (DAL)
AES-128 in CBC mode
n
Non-zero IV
o
i
t
p
Uses static key k
m
IV built from frame info and data header nsu
o
c
Mode 5, IV Example
o
r
e removed)
Example Capture (Sent by meter, zCRCs
t
1E 44 2D 2C 07 71 94 15 01te
02c 7A B3 00 10 85 BF 5C
e 27 D3 03 58 C8
93 72 04 76 59650 24 16d93
>
#
=
E
t
U
a
S
IS repe
IV s
Compass Security AG
www.csnc.ch
Slide 20
How about Counter Mode?

IV in encryption mode 1
ty
i
r
cu
e
s
CCSignal communication direction,
prioritise
frames
t
i
B
5
...
8
> field, session counter (4
SNEncryption
mode, time
=
7
bits) E # le IV
U
b
S
FNFrame
a
number
S
t
I
c
i
d
BCBlock
re counter
P
Predictable IVs result in 85-bits security due to

TMTO
How to get the key stream to repeat?
Cause device to reuse the same IV
Compass Security AG
www.csnc.ch
Slide 21
Can we adjust the device time?

Encryption in Special Protocols
Alarms and errors
Signalled within status byte
s
t
e
Header is not subject to encryption
es
r
Application resets (CI 50h) nd
a
s
Special upper layer protocol
r
o
r
9
r
Security
services
of the DAL and n
ELL do not apply
#
e
,
E
o
i
U
m
SClock
t
updates
i
r
t
s
laupper#layer
e
t
IS Special
8
a
p
n
protocol
e
e
ff
r
t
i
E
n
n
SSet, add
SUand subtracts
am (TC field)co
c
IS stre
i
l
b
y
0
u
e
K E #1 of p
n
U
o
i
S
IS rypt
c
n
E
Compass Security AG
www.csnc.ch
Slide 22
Issues with message integrity?
Compass Security AG
Compass Security AG
Werkstrasse 20
P.O. Box 2038
Tel
+41 55 214 41
60
Fax +41 55 214 41
61
Slide 23
team@csnc.ch
Integrity, Authentication Analysis

General
There are two mention on how one could approach authentication.
However there are neither authentication methods nor protocols
specified
DAL Integrity Protection
t
n
i
d
ty
i
r
eg
CRCs
There are CRCs at the frame level
CRCs are not considered integrity protection
Signatures
Encryption mode 5 and 6 can signal digitally signed billing data
Not widely used => due to meter display has priority
MACs
Not available
n
e
ut h
io
t
a
t ic
n
a
n
9
#
a
E of n
t
U
Manipulation
Ciphertexts
or IVs
S
e
S
I In CBC imode,
t the manipulation of ciphertexts is pointless
s
x
Manipulation
of the IV is difficult but feasible
e
In
Compass Security AG
www.csnc.ch
Slide 24
IV Manipulation Example
Example of Consumption Value Manipulation
P1' = Deck(C1) IV' => Deck(C1) = P1' IV' = P1 IV
P1' = P1 IV IV'
s
Precondition
d
Original value read from meter displayr 341
cmkWh (08
o
e
34 05 00 )
lu
a
Calculate Plaintext P1'
v
n
o
i
0
P1 2F 2F 04 83 3B
1 08 34 p05t 00 2F 2F
#
m
E71 94 15
IV 2D 2C 07
01 02 B3 B3 B3
u
s
U
SS2C r07co
IV'
71n94 15 01 05 B3 B3
I2D
e
B3
t
l
A 2F 04 83 3B 08 34 02 00 2F
P1'
2F
2F
Result
P1 144'392 Wh (08 34 02 00)
Compass Security AG
www.csnc.ch
2F 2F 2F 2F 2F
B3 B3 B3 B3 B3
B3 B3 B3 B3 B3
2F 2F 2F 2F 2F
Slide 25
Partial Encryption in wM-Bus

Partial Encryption
Dedicated Application Layer allows for partial encryption
How does the receiver handle doubled data records?
Expansion Attack Example
Value in CT: 04 83 3B 08 34 05 00 (341'000 Wh) n
1E 44 2D 2C 07 71 94 15 01
93 72 04 76 59 50 24 16 93
o
i
t
u
l
l
02 7A B3 00 p
10o 85 BF 5C
d
27 D3 c
03
58 C8
m
r
o
e
u 34 02 00 (144'392 Wh)
Value attached:104 83 3B
al08
25
93
08
1
v
#
n
E
io
44 S
2DU2C 07 p
71t 94 15
m
IS 04 76
u
72
59
50 24 16
s
n
o 00
34C05
Compass Security AG
01 02 7A B3 00 10 85 BF 5C
93 27 D3 03 58 C8 04 83 3B
www.csnc.ch
Slide 26
Integrity Analysis
ELL Manipulation Example
C = E7 8E 1B 7B 9D 86 (Intercepted Ciphertext)
P = CC 22 01 FD 1F 01 (On Command)
P = F1 47 01 FD 1F 00 (Off Command)
C = C P P
C = E7 8E 1B 7B 9D 86
CC 22 01 FD 1F 01
2
F1 47 01 FD 1F 00
1
# (Manipulated Ciphertext)
E
C = DA EB 1B 7B 9D
87
g
U
a
a
b
b
Compass Security AG
ISS flippin
Bit
www.csnc.ch
Slide 27
Which messages are affected?

Integrity with Special Protocols
No integrity protection at all
Alarms and errors
Application resets
Clock synchronization
Commands
Network management
Precision timing
3
1
# iffin
E
r
U
a
S
t
IS ng
o
r
W
Compass Security AG
d
m
C
,
g
www.csnc.ch
n
a
m
n
o
i
t
a
l
ipu
Slide 28
Practical Issues
Compass Security AG
Compass Security AG
Werkstrasse 20
P.O. Box 2038
Tel
+41 55 214 41
60
Fax +41 55 214 41
61
Slide 29
team@csnc.ch
Issues with Packet Replay

Shield and Replay I
Capture messages from original device

Shield device and replay messages
Compass Security AG
www.csnc.ch
Slide 30

Shield and Replay II
Shield device, have a receiver with the device

Submit messages to collector at maybe lower pace
Compass Security AG
www.csnc.ch
Slide 31

Jam and Replay
Collector
Sender Device
Compass Security AG
www.csnc.ch
Meter
Slide 32
Orchestrated Blackouts
Prepare Attack
Drop Devices
War Drive
Setup Sender
Bring Flashlight !
Compass Security AG
www.csnc.ch
Slide 33
Conclusion
Compass Security AG
Compass Security AG
Werkstrasse 20
P.O. Box 2038
Tel
+41 55 214 41
60
Fax +41 55 214 41
61
Slide 34
team@csnc.ch
Conclusion
I picture is worth a thousand words
Compass Security AG
www.csnc.ch
Slide 35
Conclusion
General Issues
Key size 64 bits
Zero consumption detection
Disclosure of consumption values
Plaintext errors and alarms
Information Disclosure
Man-in-the-middle in routed environments
Key disclosure
Energy Fraud
Manipulation of consumption value
Orchestrated Blackouts
Manipulation of valve and breaker open/close commands
Compass Security AG
www.csnc.ch
Slide 36
Outlook
Counter Measures
Efforts of the OMS Group and the German Federal Office for Information
Security (BSI Germany)
Integrity-preserving authentication and fragmentation layer (AFL),
Additional encryption mode relying on AES-128 in CBC mode using
ephemeral keys
TLS 1.2 support for wM-Bus
Published on X-Mas 2012
Looks promising, no independent public analysis so far
Compass Security AG
www.csnc.ch
Slide 37
Battery pack empty.
Compass Security AG
www.csnc.ch
Slide 38
Presentation
http://www.csnc.ch/misc/files/2013/energy_fraud_and_blackouts.pdf
Whitepaper
http://www.csnc.ch/misc/files/2013/wmbus_security_whitepaper.pdf
Sniffer & MUC (credits lukas@statuscode.ch)
https://github.com/CBrunsch/WMBus-Sniffer-MUC
Python Sniffer Scambus
https://github.com/CBrunsch/scambus
GNU Radio wM-Bus (credits neundorf@kde.org)
https://github.com/oWCTejLVlFyNztcBnOoh/gr-wmbus
Cliparts
http://openclipart.org
Compass Security AG
www.csnc.ch
Slide 39

WM-BUS Issues - Cyrill - Brunschwiler

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

WM-BUS Issues - Cyrill - Brunschwiler

Încărcat de

Drepturi de autor:

Formate disponibile

Energy Fraud and Orchestrated

Intro Smart Grids

Intro Smart Metering

Intro Smart Metering Collector

Support Head-end side

Support Meter side

Intro Smart Metering Collector GUI

Intro Smart Metering Meter

Protocol Overview - Data Link

30 bytes frame length (exclusive length byte)

Protocol Overview Application Layer

Current access number is 179. The standard

Encryption mode is 5h which is AES-128 in CBC mode.

Wireless M-Bus Sniffer

wM-Bus Protocol Analysis

Are we safe with AES?

Are we safe with AES?

Is encryption mode 5 our friend?

How about Counter Mode?

Predictable IVs result in 85-bits security due to

Can we adjust the device time?

Issues with message integrity?

Integrity, Authentication Analysis

DAL Integrity Protection

Partial Encryption in wM-Bus

Which messages are affected?

Issues with Packet Replay

Capture messages from original device

Issues with Packet Replay

Shield device, have a receiver with the device

Issues with Packet Replay

Battery pack empty.

S-ar putea să vă placă și