LAS VEGAS -- A hacking tool designed to target and control a smart meter is getting a controlled release following a presentation Wednesday at the 2012 Black Hat Briefings conference.
Don Weber, a senior security analyst at Washington D.C.-based InGuardians Inc., is releasing his OptiGuard smart meter assessment toolkit to utilities, vendors and vendor-vetted smart meter security researchers. Weber, who was pressured to cancel an earlier talk about his research at the 2012 ShmooCon conference, described to a large Black Hat audience Wednesday how his research led him to create the smart meter assessment toolkit.
"We decided not to release the tool publicly," Weber said. "[It will be released] only to people within the industry: vendors, utilities and researchers that are working on smart meter assessments that we can validate."
Weber also declined to demonstrate the tool, saying that it wouldn't be fair to use it publicly against a specific smart meter, because the toolkit works on all of them.
OptiGuard is built in Python, Weber said, and can be easily assembled to communicate and interact with any smart meter. It was designed to use a smart meter's infrared port to read, write and run procedures.
Weber said the tool is highly configurable. A security code is needed to modify tables or run procedures, but Weber described a way to brute-force the smart meter password in less than seven hours, a feat which, he said, would likely make the attempt far too difficult and cost-prohibitive for cybercriminals and fraudsters. Weber said he has never gotten his tool to communicate with the meter for longer than 20 minutes at a time.
"Our tool is providing the capabilities for the utility to understand what information can be pulled out without using a security code," Weber said. "Then they can get a change implemented."
An attacker could use the tool to conduct smart meter hacks, accessing the firmware to turn the device on or off and make other adjustments to the meter. In order to develop the tool, Weber said he had to buy a commercial optical probe, a device that can be purchased online for about $350. The company is working with a Gainesville, Fla.-based manufacturer to build an open source optical probe.
Don Weber of InGuardians talks to reporters and attendees following his Black Hat presentation. Credit: Robert Westervelt