Wireless M-Bus - Royal Holloway


Energy Fraud and Orchestrated Blackouts: Issues with Wireless Metering Protocols (wMBus)
RHUL ISG DL Weekend Conference, Sun Sept 8th 2013, Egham
[email protected]

Compass Security AG, Werkstrasse 20, P.O. Box 2038, CH-8645 Jona
Tel +41 55 214 41 60, Fax +41 55 214 41 61, [email protected], www.csnc.ch

Slide 2 - Agenda
- Intro: Making Of, Smart Grids, Smart Metering
- Wireless M-Bus
- Identified Issues
- Practical Issues
- Conclusion

Slide 3 - Intro: Making Of
- Summer 2011: thesis on Smart Energy; got attention of wireless M-Bus
- Autumn 2012: started MSc thesis
- X-mas 2012: German BSI/OMS group published Security Report
- X-mas 2012: short mention of M-Bus being inadequate
- February 2013: spent some time digging through EN paperwork
- February 2013: spent some time in an M-Bus lab environment
- March 2013: finished analysis of M-Bus current resp. draft standards
- March 2013: German BSI mentions wM-Bus security being insufficient
- Summer 2013: publication at Black Hat USA

Slide 4 - Thesis Contents
- Introduction
- Defensive part: identification of 43 controls for smart meters
- Offensive part: analysis of wireless M-Bus protocol vulnerabilities

Slide 5 - Intro: Smart Grids (smart grid blue print)

Slide 6 - Intro: Smart Metering (metering infrastructure blue print)
Legend: DSO = Distribution System Operator, NAN = Neighbourhood Area Network, Wireless M-Bus

Slide 7 - Smart Metering: Collector
- Collectors from various vendors; Neuhaus is just an example of a Multi Utility Controller (MUC)
- Support on the head-end side: GPRS, Ethernet (web interface), WLAN, WiMAX
- Support on the meter side: wired serial (RS-485), wired M-Bus, ZigBee, wireless M-Bus

Slide 8 - Smart Metering: Collector GUI

Slide 9 - Smart Metering: Meter
- Electricity meters from various vendors; Kamstrup is just an example
- Interfaces: optical, wired interfaces, GPRS, ZigBee, wireless M-Bus
- Functionality: meter reading, pre-payment, tariffs, disconnect

Slide 10 - Wireless M-Bus (section title)

Slide 11 - Wireless M-Bus: Application
- Market segment: popular in remote meter reading of heat, water, gas and electricity; 15 million wireless devices deployed (figures from 2010), mainly spread across Europe
- Usage: remote meter reading, drive-by meter reading, meter maintenance and configuration
- Becoming popular for smart metering applications: tariff schemes, real-time pricing, demand-response, pre-payment, load-limit, remote disconnect

Slide 12 - Protocol Overview (section title)

Slide 13 - Protocol Overview: Data Link Layer, First Block (Frame Header)
Example capture (sent by meter, CRCs removed):
1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8

Field       Value               Interpretation
Length      1E                  30 bytes frame length (exclusive of the length byte)
Control     44                  Indicates a message from the primary station, function send/no reply (SND-NR)
Manuf. ID   2D 2C               Coded for Kamstrup (KAM), calculated as specified in prEN 13757-3; the ID is managed by the flag association
Address     07 71 94 15 01 02   Identification 15 94 71 07 (little-endian), Version 01, Device Type 02 (electricity meter)

Issue #1: Information disclosure

Slide 14 - Protocol Overview: Application Layer Data Header
Example capture (sent by meter, CRCs removed):
1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8

Field           Value   Interpretation
Access number   B3      Current access number is 179. The standard mandates choosing a random number at meter start. The standard suggests using timestamps and sequence counters, since ACC is insufficient to prevent replay.
Status          00      Message is meter initiated and there are no alarms or errors.
Configuration   10 85   Encryption mode is 5h, which is AES-128 in CBC mode. 10h indicates a single encrypted block containing meter data (without signature). The field further indicates a short window where the meter listens for requests (8h).

Issue #2: Insufficient replay protection

Slide 15 - Wireless M-Bus Sniffer
- Protocol sniffers display wireless M-Bus data record contents, provided you know the key.
- The standard suggests that at least 8 bytes of the key shall be different for each meter.

Issue #3: None, shared and stupid keys

Slide 16 - wM-Bus Protocol Analysis (section title)

Slide 17 - Encryption Modes
Dedicated Application Layer (DAL) encryption modes:
  0     no encryption
  1     reserved
  2     DES in CBC mode, zero IV
  3     DES in CBC mode, non-zero IV
  4     AES-128 in CBC mode, zero IV
  5     AES-128 in CBC mode, non-zero IV
  6     reserved for future use
  7-ff  reserved

Issue #4: Encryption modes 2 and 3 (DES)

Extended Link Layer (ELL) encryption modes:
  0     no encryption
  1     AES-128 in CTR mode

Slide 18 - Are we safe with AES? (section title)

Slide 19 - Are we safe with AES? Encryption Mode 4 (DAL)
- AES-128 in CBC mode, all-zero IV, static key k
- C1 = Enc_k(P1 xor IV) = Enc_k(P1 xor 00 00 00 00) = Enc_k(P1)
- Equal plaintexts result in the same ciphertext

Issue #5: Zero consumption detection

Standard workaround
- The standard mandates prefixing the value with a date and time record (record type F); the maximum granularity is minutes
- Side note: type I and J records allow for a granularity of seconds

Slide 20 - Is encryption mode 5 our friend? Encryption Mode 5 (DAL)
- AES-128 in CBC mode, non-zero IV, static key k
- IV built from frame info and the data header
- Mode 5 IV example, from the capture above (sent by meter, CRCs removed):
  1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8
  IV = 2D 2C 07 71 94 15 01 02 B3 B3 B3 B3 B3 B3 B3 B3 (M-field, A-field, access number repeated)

Issue #6: Repeated IVs detected

Slide 21 - How about Counter Mode? IV in encryption mode 1 (ELL)
- CC (communication control): signals communication direction, prioritises frames, ...
- SN (session number): encryption mode, time field, session counter (4 bits)
- FN: frame number
- BC: block counter
- Predictable IVs result in 85-bit security due to TMTO (time-memory trade-off)
- How to get the key stream to repeat? Cause the device to reuse the same IV: if someone could adjust the device time, the IV could be repeated

Issue #7: Predictable IVs = 85-bit security

Slide 22 - Can we adjust the device time? Encryption in Special Protocols
- Alarms and errors: signalled within the status byte; the header is not subject to encryption
- Application resets (CI 50h): special upper layer protocol; the security services of the DAL and ELL do not apply
- Clock updates: special upper layer protocol; set, add and subtract (TC field)

Issue #8: Key stream repetition
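To make slides 13, 14 and 20 concrete, here is an added example (not code from the talk, nor from the scambus or WMBus-Sniffer projects) that parses the captured frame's header, decodes the configuration word and derives the mode-5 IV exactly as the slides lay it out, then runs a collector-side monitor that flags weak DAL modes and IV reuse across frames. Only the capture itself is from the slides; the other frames are constructed variants, and the CI = 7Ah short-header layout and configuration-word bit positions are taken from EN 13757-3 as I know it, consistent with the values the slides give.

```python
"""Collector-side header checks for wireless M-Bus frames (added example).

Parses the link-layer header, CI field and short data header, decodes the
configuration word, derives the DAL mode-5 CBC IV (M-field + A-field +
access number repeated eight times) and watches for weak encryption modes
and IV reuse.  The capture is the one from slide 13; variants are constructed.
"""

# Example capture from slide 13 (sent by meter, CRCs removed).
CAPTURE = bytes.fromhex(
    "1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 "
    "BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8"
)

DAL_MODES = {0: "no encryption", 2: "DES-CBC, zero IV", 3: "DES-CBC, non-zero IV",
             4: "AES-128-CBC, zero IV", 5: "AES-128-CBC, non-zero IV"}
WEAK_MODES = {0, 2, 3, 4}   # clear, DES, or CBC with an all-zero IV (slides 17 and 19)


def manufacturer_code(m_field: bytes) -> str:
    """Three-letter manufacturer code from the little-endian M-field (5 bits per letter)."""
    v = int.from_bytes(m_field, "little")
    return "".join(chr(((v >> shift) & 0x1F) + 64) for shift in (10, 5, 0))


def parse_header(frame: bytes) -> dict:
    """Parse the first block and the short data header (CI = 7Ah) of a frame
    whose CRCs have already been removed."""
    if len(frame) != frame[0] + 1:
        raise ValueError("length byte does not match the frame size")
    if frame[10] != 0x7A:
        raise ValueError("only CI = 7Ah (short data header) is handled here")
    config = int.from_bytes(frame[13:15], "little")   # bytes 10 85 -> 8510h
    return {
        "c_field": frame[1],
        "manufacturer": manufacturer_code(frame[2:4]),
        "identification": frame[4:8][::-1].hex(),      # BCD, little-endian on air
        "version": frame[8],
        "device_type": frame[9],
        "access_number": frame[11],
        "status": frame[12],
        "encryption_mode": (config >> 8) & 0x1F,        # 5 = AES-128-CBC, non-zero IV
        "encrypted_blocks": (config >> 4) & 0x0F,       # 1 block of meter data
        "short_listen_window": bool(config & 0x8000),   # the 8h nibble of slide 14
        "payload": frame[15:],
    }


def mode5_iv(frame: bytes) -> bytes:
    """DAL mode-5 CBC IV as on slide 20: M-field, A-field, ACC repeated 8 times.
    Nothing in it changes unless the access number does."""
    return bytes(frame[2:10]) + bytes([frame[11]]) * 8


class IvMonitor:
    """Remembers every mode-5 IV seen per meter address and reports reuse."""

    def __init__(self):
        self.seen = {}   # M-field + A-field -> set of IVs already used

    def check(self, frame: bytes) -> list:
        hdr = parse_header(frame)
        findings = []
        mode = hdr["encryption_mode"]
        if mode in WEAK_MODES:
            findings.append(f"weak encryption mode {mode} ({DAL_MODES.get(mode, 'reserved')})")
        if mode == 5:
            iv = mode5_iv(frame)
            ivs = self.seen.setdefault(bytes(frame[2:10]), set())
            if iv in ivs:
                findings.append(f"IV reuse: access number {hdr['access_number']} seen before")
            ivs.add(iv)
        return findings


def variant(frame: bytes, acc: int = None, config_high: int = None) -> bytes:
    """Constructed test frame: the capture with another access number and/or
    configuration high byte (payload left as is; only the header matters here)."""
    f = bytearray(frame)
    if acc is not None:
        f[11] = acc
    if config_high is not None:
        f[14] = config_high
    return bytes(f)


def run_monitor() -> list:
    """Feed the capture and constructed variants through the monitor."""
    mon = IvMonitor()
    frames = [
        CAPTURE,                             # fresh ACC 179
        variant(CAPTURE, acc=0xB4),          # next ACC, fine
        CAPTURE,                             # ACC 179 again: repeated IV
        variant(CAPTURE, config_high=0x84),  # mode 4: zero IV
    ]
    return [mon.check(f) for f in frames]


if __name__ == "__main__":
    for k, v in parse_header(CAPTURE).items():
        print(f"{k:20} {v.hex() if isinstance(v, bytes) else v}")
    print("mode-5 IV:", mode5_iv(CAPTURE).hex(" ").upper())
    for findings in run_monitor():
        print(findings or "ok")
```

A collector that logs these findings per meter turns issue #6 into something observable: a meter whose access number wraps or restarts reuses IVs, and a frame arriving in mode 0, 2, 3 or 4 should never be silently accepted as billing data.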

Slide 23 - Issues with message integrity? (section title)

Slide 24 - Integrity, Authentication Analysis
General
- There are two mentions of how one could approach authentication. However, neither authentication methods nor protocols are specified.
DAL integrity protection
- CRCs: there are CRCs at the frame level; CRCs are not considered integrity protection
- Signatures: encryption modes 5 and 6 can signal digitally signed billing data; not widely used, since the meter display has priority
- MACs: not available

Issue #9: Inexistent authentication

Manipulation of ciphertexts or IVs
- In CBC mode, the manipulation of ciphertexts is pointless
- Manipulation of the IV is difficult but feasible

Slide 25 - IV Manipulation Example: Consumption Value Manipulation
P1' = Dec_k(C1) xor IV'  =>  Dec_k(C1) = P1' xor IV' = P1 xor IV  =>  P1' = P1 xor IV xor IV'
Precondition: original value read from the meter display, 341 kWh (08 34 05 00)
Calculate plaintext P1':
  P1   2F 2F 04 83 3B 08 34 05 00 2F 2F 2F 2F 2F 2F 2F
  IV   2D 2C 07 71 94 15 01 02 B3 B3 B3 B3 B3 B3 B3 B3
  IV'  2D 2C 07 71 94 15 01 05 B3 B3 B3 B3 B3 B3 B3 B3
  P1'  2F 2F 04 83 3B 08 34 02 00 2F 2F 2F 2F 2F 2F 2F
Result: 144'392 Wh (08 34 02 00)

Issue #10: Consumption value manipulation

Slide 26 - Partial Encryption in wM-Bus
- The Dedicated Application Layer allows for partial encryption
- How does the receiver handle doubled data records?
Expansion attack example
- Value in the ciphertext: 04 83 3B 08 34 05 00 (341'000 Wh)
  1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8
- Value attached in clear: 04 83 3B 08 34 02 00 (144'392 Wh)
  25 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8 04 83 3B 08 34 02 00

Issue #11: Consumption value pollution

Slide 27 - Integrity Analysis: ELL Manipulation Example
  C  = E7 8E 1B 7B 9D 86   (intercepted ciphertext)
  P  = CC 22 01 FD 1F 01   (on command)
  P' = F1 47 01 FD 1F 00   (off command)
  C' = C xor P xor P'
     = E7 8E 1B 7B 9D 86 xor CC 22 01 FD 1F 01 xor F1 47 01 FD 1F 00
     = DA EB 1B 7B 9D 87   (manipulated ciphertext)

Issue #12: Bit flipping
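Slide 26 asks how a receiver handles doubled data records. The following is an added example, not code from the slides or from Compass Security: a receiver-side record parser run over the decrypted block of slide 25 and the clear-text bytes appended on slide 26, with a policy that rejects the whole frame when the same record key (DIB/VIB) appears twice, so a plaintext copy can never shadow the encrypted reading. The date record and the BCD volume record in the test are constructed; the DIF/VIF walk follows the EN 13757-3 extension-bit rule, and LVAR and special-function DIFs are deliberately not handled.

```python
"""Receiver-side data record parsing with a duplicate-record policy (added example).

Parses M-Bus data records (DIF/DIFE, VIF/VIFE, data) from the decrypted
mode-5 block of slide 25 and from the unencrypted bytes the expansion
attack on slide 26 appends.  Only integer, BCD and 32-bit real data field
codes are decoded.
"""
import struct
from dataclasses import dataclass

FILLER = 0x2F                       # idle filler; 2F 2F also opens a decrypted mode-5 block
DIF_DATA_LEN = {0x0: 0, 0x1: 1, 0x2: 2, 0x3: 3, 0x4: 4, 0x5: 4, 0x6: 6, 0x7: 8,
                0x9: 1, 0xA: 2, 0xB: 3, 0xC: 4, 0xE: 6}
BCD_CODES = {0x9, 0xA, 0xB, 0xC, 0xE}

# Decrypted block from slide 25: energy record 04 83 3B 08 34 05 00 = 341'000 Wh.
DECRYPTED_BLOCK = bytes.fromhex("2F 2F 04 83 3B 08 34 05 00 2F 2F 2F 2F 2F 2F 2F")
# Bytes appended in clear by the expansion attack on slide 26 (144'392 Wh).
APPENDED_PLAIN = bytes.fromhex("04 83 3B 08 34 02 00")
# Constructed harmless plaintext record: DIF 02 (16-bit integer), VIF 6C (date, type G).
DATE_RECORD = bytes.fromhex("02 6C 1F 1A")


@dataclass(frozen=True)
class Record:
    dib: bytes       # DIF followed by any DIFEs
    vib: bytes       # VIF followed by any VIFEs
    raw: bytes
    value: float
    encrypted: bool  # came from the encrypted part of the frame

    @property
    def key(self):
        return (self.dib, self.vib)


def _decode(code: int, raw: bytes):
    if code == 0x5:                              # 32-bit real
        return struct.unpack("<f", raw)[0]
    if code in BCD_CODES:                        # BCD, least significant byte first
        return int(raw[::-1].hex())
    return int.from_bytes(raw, "little")         # binary integer


def parse_records(data: bytes, encrypted: bool) -> list:
    """Walk the data records; for the encrypted part, first check the 2F 2F marker."""
    i = 0
    if encrypted:
        if data[:2] != bytes([FILLER, FILLER]):
            raise ValueError("decryption verification failed: 2F 2F marker missing")
        i = 2
    records = []
    while i < len(data):
        if data[i] == FILLER:                    # trailing filler
            i += 1
            continue
        code = data[i] & 0x0F
        if code in (0x8, 0xD, 0xF):              # readout selection, LVAR, special function
            raise ValueError(f"DIF {data[i]:02X} not handled")
        start = i
        while data[i] & 0x80:                    # extension bit -> DIFE follows
            i += 1
        i += 1
        dib = data[start:i]
        start = i
        while data[i] & 0x80:                    # extension bit -> VIFE follows
            i += 1
        i += 1
        vib = data[start:i]
        n = DIF_DATA_LEN[code]
        raw = data[i:i + n]
        if len(raw) != n:
            raise ValueError("truncated data record")
        i += n
        records.append(Record(dib, vib, raw, _decode(code, raw), encrypted))
    return records


def receive(decrypted_block: bytes, trailing_plain: bytes) -> tuple:
    """Hardened receiver: parse both parts and reject any record that appears
    twice, so an unauthenticated plaintext copy can never override the
    encrypted reading.  Returns (accepted, records or reason)."""
    records = parse_records(decrypted_block, True) + parse_records(trailing_plain, False)
    seen = {}
    for r in records:
        if r.key in seen:
            return False, (f"duplicate record DIB {r.dib.hex()} VIB {r.vib.hex()}: "
                           f"{seen[r.key].value} (encrypted={seen[r.key].encrypted}) "
                           f"vs {r.value} (encrypted={r.encrypted})")
        seen[r.key] = r
    return True, records


if __name__ == "__main__":
    print(receive(DECRYPTED_BLOCK, b""))
    print(receive(DECRYPTED_BLOCK, DATE_RECORD))
    print(receive(DECRYPTED_BLOCK, APPENDED_PLAIN))
```

Rejecting rather than "last record wins" is the conservative choice: the receiver cannot tell which copy is genuine without a MAC, so it should log the frame and keep the previous reading.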

Slide 28 - Which messages are affected? Integrity with Special Protocols
No integrity protection at all for:
- Alarms and errors
- Application resets
- Clock synchronization
- Commands
- Network management
- Precision timing

Issue #13: Wrong tariffing, command manipulation

Slide 29 - Practical Issues (section title)

Slide 30 - Issues with Packet Replay: Shield and Replay I
- Capture messages from the original device
- Shield the device and replay the messages

Slide 31 - Issues with Packet Replay: Shield and Replay II

Slide 32 - Issues with Packet Replay: Jam and Replay (collector, sender device, meter)

Slide 33 - Orchestrated Blackouts
- Prepare attack
- Drop devices
- War drive
- Setup sender
- Bring flashlight!

Slide 34 - Conclusion (section title)
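Slides 27 and 30 to 32 share one root cause: without a MAC and a freshness check, a bit-flipped CTR ciphertext or a replayed frame is indistinguishable from a genuine one. The sketch below is an added example, not the talk's code and not the OMS/BSI AFL, of what such a layer has to provide on the receiving side: a per-meter keyed tag over identity, counter, clear header and ciphertext, plus a strictly increasing message counter. The HMAC-SHA256 construction, truncated tag, counter layout, meter identity and key are assumptions for illustration; the ciphertexts are those from slide 27, and the header bytes are lifted from the slide 13 capture to stand in for the clear part of a command frame.

```python
"""Authenticated, replay-protected reception for wM-Bus command frames (added example).

Adds what the slides show to be missing: a keyed tag that binds the frame to
a meter and a counter, and a receiver that refuses old counters.  The tag
construction is an illustrative assumption, not the OMS/BSI AFL.
"""
import hashlib
import hmac

TAG_LEN = 8                                    # truncated tag length (assumption)

# Values from slide 27: intercepted ciphertext of an "on" command and the
# manipulated ciphertext obtained by bit flipping.
CT_ON = bytes.fromhex("E7 8E 1B 7B 9D 86")
CT_FLIPPED = bytes.fromhex("DA EB 1B 7B 9D 87")
# Constructed clear header (C-, M- and A-field taken from the slide 13 capture).
HEADER = bytes.fromhex("44 2D 2C 07 71 94 15 01 02")
# Constructed meter identity and per-meter 16-byte key.
METER = b"KAM-15947107"
KEY = bytes.fromhex("000102030405060708090A0B0C0D0E0F")


def make_tag(key: bytes, meter: bytes, counter: int, header: bytes, ciphertext: bytes) -> bytes:
    """Tag binds identity, counter, clear header and ciphertext together."""
    msg = meter + counter.to_bytes(4, "big") + header + ciphertext
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class AuthReceiver:
    """Accepts a frame only if its tag verifies and its counter moves forward."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)
        self.last_counter = {}

    def accept(self, meter: bytes, counter: int, header: bytes,
               ciphertext: bytes, tag: bytes) -> tuple:
        key = self.keys.get(meter)
        if key is None:
            return False, "unknown meter"
        expected = make_tag(key, meter, counter, header, ciphertext)
        if not hmac.compare_digest(expected, tag):       # constant-time compare
            return False, "tag mismatch"
        if counter <= self.last_counter.get(meter, -1):  # same or older counter
            return False, "replay"
        self.last_counter[meter] = counter
        return True, "accepted"


def run_scenarios() -> list:
    """Genuine frame, the same frame replayed, the flipped ciphertext, a fresh frame."""
    rx = AuthReceiver({METER: KEY})
    tag1 = make_tag(KEY, METER, 1, HEADER, CT_ON)
    return [
        rx.accept(METER, 1, HEADER, CT_ON, tag1),
        rx.accept(METER, 1, HEADER, CT_ON, tag1),          # captured and re-sent
        rx.accept(METER, 2, HEADER, CT_FLIPPED, tag1),     # flipped bytes, old tag
        rx.accept(METER, 2, HEADER, CT_ON, make_tag(KEY, METER, 2, HEADER, CT_ON)),
    ]


if __name__ == "__main__":
    for verdict in run_scenarios():
        print(verdict)
```

The tag is checked before the counter so that an unauthenticated sender learns nothing about the counter state; the counter, not the access number, carries the freshness, which is the gap slide 14 notes for ACC.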

Slide 35 - Conclusion I
A picture is worth a thousand words.

Slide 36 - Conclusion: General Issues
- Key size 64 bits
- Zero consumption detection
- Disclosure of consumption values
- Plaintext errors and alarms
Information disclosure
- Man-in-the-middle in routed environments
- Key disclosure
Energy fraud
- Manipulation of consumption value
Orchestrated blackouts
- Manipulation of valve and breaker open/close commands

Slide 37 - Outlook: Counter Measures
Efforts of the OMS Group and the German Federal Office for Information Security (BSI Germany):
- Integrity-preserving authentication and fragmentation layer (AFL)
- Additional encryption mode relying on AES-128 in CBC mode using ephemeral keys
- TLS 1.2 support for wM-Bus
- Published on X-mas 2012; looks promising, no independent public analysis so far

Slide 38 - Battery pack empty.

Slide 39 - References
Presentation: http://www.csnc.ch/misc/files/2013/energy_fraud_and_blackouts.pdf
Whitepaper: http://www.csnc.ch/misc/files/2013/wmbus_security_whitepaper.pdf
Sniffer & MUC (credits [email protected]): https://github.com/CBrunsch/WMBus-Sniffer-MUC
Python Sniffer Scambus: https://github.com/CBrunsch/scambus
GNU Radio wM-Bus (credits [email protected]): https://github.com/oWCTejLVlFyNztcBnOoh/gr-wmbus
Cliparts: http://openclipart.org
