athcon.org, Athens, 3-4 May 2012, Day 2, Track 1, 11:00-11:50
"Smart Meter PLC - Communication Security worth 0.37 EUR", Stefan Riegler & Johannes Greil

EEPROM contents
- 48-bit unique Neuron ID
- spoofing the chip id
- use EEPROM_LOCK?
- chip id is at address F000

PL3150
- PL 3120 and PL 3150 Power Line Smart Transceivers
- memory map: external boot ROM
- write your own Neuron boot ROM; the external boot ROM path ignores the read/write protects

USB PLC Network Interface (U20) (PL20)
- http://store.echelon.com/item.asp?PID=48

Bands (CENELEC EN50065-1)
- A-band: utilities, reserved for power utilities
- C-band: consumer (HVAC, automation, home network)
- PL20U (C-band) vs PL20A (A-band): the difference is the crystal/oscillator
- A-band: 10 packets/sec, clock ~6 MHz
- C-band: 15 packets/sec, clock 10 MHz
- U20 USB adapter: VID = 0x0920, PID = 0x7500

Toolkit
- perl p20-usb
- LonWorks sniffer plugin for Wireshark
- oscillator soldering + perl kit = gets you a transceiver for the A-band

Demo kit
- Hardware: 1 sniffer device; 2 development kits (also support the chip); 1 of the dev boards is a 3150 with the external boot ROM connected; the boards carry custom devices which exchange some packets when the power button is pressed
- Software: Echelon LonScanner FX Protocol Analyzer

The demo
- demonstrated the use of the Echelon LonScanner proprietary software
- then showed the packets in Wireshark (saw just the unique serial id broadcast by the device)
- then started the perl p20 software in tandem with Wireshark, showing packets flowing between the devices

Other findings
- communication channels besides PLC (GPRS, WiFi, etc.)

Further attacks
- currently just the sniffer is implemented
- currently no crypto or authentication attack implemented
- TODOs: cryptanalysis of the used encryption; sniff/jam communication; dumping the firmware memory of DC/meter (external boot ROM); spoofing of the chip id; rewriting the chip id through the external boot ROM; attacking the p2p network protocol/design

Security implications
- disconnect homes (breaker unit)
- manipulation
- fraud (most likely from my point of view)
- privacy implications

Conclusions
- still a lot of work to be done, it's just scratching the surface
- seems like a prospective avenue (especially in the fraud direction)
- security through obscurity does not work
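The notes above mention the 48-bit Neuron ID at EEPROM address F000 and list "spoofing of the chip id" / "rewriting the chip id through the external boot ROM" as TODOs. The following is an added example, not code from the talk or its perl toolkit: it works on a flat 64 KiB memory image of a Neuron (such as one dumped via the external boot ROM path), reads the ID at 0xF000, and produces a patched copy with a different ID plus a byte-level diff, so you can verify that only those six bytes changed before writing anything back. The image layout (64 KiB, ID at 0xF000, 0xFF filler elsewhere) and the helper names are assumptions of this example.

```python
"""Read, format and rewrite the 48-bit Neuron ID in a Neuron memory image.

Added example, not part of the talk or its toolkit. Assumptions:
- the image is a flat 64 KiB dump of the Neuron's address space,
- the Neuron ID occupies the 6 bytes at 0xF000 (per the talk notes),
- the rest of the constructed sample image is 0xFF (erased EEPROM) filler.
"""

NEURON_ID_ADDR = 0xF000   # from the talk notes: chip id is at address F000
NEURON_ID_LEN = 6         # 48-bit unique Neuron ID
IMAGE_SIZE = 0x10000      # assumed: full 64 KiB address space dump


def build_sample_image(neuron_id: bytes) -> bytearray:
    """Constructed sample image: 0xFF everywhere except the Neuron ID slot."""
    if len(neuron_id) != NEURON_ID_LEN:
        raise ValueError("Neuron ID must be exactly 6 bytes")
    image = bytearray(b"\xff" * IMAGE_SIZE)
    image[NEURON_ID_ADDR:NEURON_ID_ADDR + NEURON_ID_LEN] = neuron_id
    return image


def read_neuron_id(image: bytes) -> bytes:
    """Return the 6 ID bytes at 0xF000, refusing images that are too short."""
    if len(image) < NEURON_ID_ADDR + NEURON_ID_LEN:
        raise ValueError("image does not cover the Neuron ID at 0xF000")
    return bytes(image[NEURON_ID_ADDR:NEURON_ID_ADDR + NEURON_ID_LEN])


def format_neuron_id(neuron_id: bytes) -> str:
    """Render an ID as colon-separated hex, e.g. '00:11:22:33:44:55'."""
    return ":".join(f"{b:02x}" for b in neuron_id)


def parse_neuron_id(text: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (colons optional) into 6 bytes."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != NEURON_ID_LEN:
        raise ValueError("Neuron ID must be 48 bits")
    return raw


def patch_neuron_id(image: bytes, new_id: bytes) -> bytearray:
    """Return a copy of the image with the ID at 0xF000 replaced; input is untouched."""
    if len(new_id) != NEURON_ID_LEN:
        raise ValueError("Neuron ID must be exactly 6 bytes")
    patched = bytearray(image)
    patched[NEURON_ID_ADDR:NEURON_ID_ADDR + NEURON_ID_LEN] = new_id
    return patched


def diff_images(old: bytes, new: bytes) -> list:
    """List (address, old_byte, new_byte) for every byte that differs."""
    if len(old) != len(new):
        raise ValueError("images differ in size")
    return [(addr, o, n) for addr, (o, n) in enumerate(zip(old, new)) if o != n]


if __name__ == "__main__":
    # Constructed sample: a dump whose ID slot holds 00:11:22:33:44:55.
    original = build_sample_image(bytes.fromhex("001122334455"))
    print("current Neuron ID:", format_neuron_id(read_neuron_id(original)))

    spoofed = patch_neuron_id(original, parse_neuron_id("de:ad:be:ef:00:01"))
    print("patched Neuron ID:", format_neuron_id(read_neuron_id(spoofed)))
    for addr, o, n in diff_images(original, spoofed):
        print(f"  {addr:04x}: {o:02x} -> {n:02x}")
```

The diff step is the useful part in practice: a write through the external boot ROM that ignores read/write protects will happily clobber anything, so compare the patched image against the dump and confirm the change is confined to the six ID bytes before flashing it.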