US-13-Blackouts-Issues-with-Wireless-Metering-Protocols-Slid



Energy Fraud and Orchestrated Blackouts: Issues with Wireless Metering Protocols (wM-Bus)
Black Hat USA 2013, Las Vegas, July 31st - Aug 1st 2013
Cyrill Brunschwiler, cyrill.brunschwiler@csnc.ch
Compass Security AG, Werkstrasse 20, P.O. Box 2038, CH-8645 Jona
Tel +41 55 214 41 60, Fax +41 55 214 41 61, team@csnc.ch, www.csnc.ch

Slide 2: Agenda
- Intro: Making Of, Smart Grids, Smart Metering
- Wireless M-Bus: Application, Protocol Stack, Communication Modes, Protocol Overview (Frames, Transport Layer, Data Headers, Relaying), Protocol Analysis (Privacy, Confidentiality, Integrity), Attack Scenario
- Demo
- Conclusion, Outlook
© Compass Security AG www.csnc.ch

Slide 3: Intro

Slide 4: Intro – Making Of
Timeline
- Summer 2011: Got attention of wireless M-Bus in smart metering
- Autumn 2012: Started MSc thesis on smart meters and wireless M-Bus
- X-mas 2012: German BSI/OMS group published "Security Report"
- X-mas 2012: Short mention of M-Bus being "inadequate" at CCC in Hamburg, Germany
- February 2013: Spent some time digging through EN paperwork
- February 2013: Spent some time in an M-Bus lab environment
- March 2013: Finished analysis of current and draft M-Bus standards
- March 2013: German BSI mentions wM-Bus security being insufficient
- Summer 2013: Publication at Black Hat USA

Slide 5: Intro – Smart Grids
Smart Grid Blue Print (diagram)

Slide 6: Intro – Smart Metering
Smart Metering Blue Print (diagram)
Legend: DSO – Distribution System Operator; NAN – Neighbourhood Area Network; Wireless M-Bus

Slide 7: Intro – Smart Metering
Home Installation (diagram)
Legend: HAN – Home Area Network; Wired and Wireless M-Bus

Slide 8: Wireless M-Bus

Slide 9: Wireless M-Bus – Application
Market segment
- Popular in remote meter reading
- Heat, Water, Gas, Electricity
- 15 million devices deployed (figures from 2010)
- Mainly spread across Europe
Usage
- Remote meter reading
- Drive-by meter reading
- Meter maintenance and configuration
- Becoming popular for smart metering applications:
  - Tariff schemes, real-time pricing
  - Demand-response
  - Pre-payment
  - Load-limit
  - Remote disconnect

Slide 10: Wireless M-Bus – Communication Modes
- Stationary Mode (S) is to be used for communication with battery-driven collectors. Specific sub-modes exist for one-way and two-way communication.
- Frequent Transmit Mode (T) is optimised for drive-by readout. Mode T also provides sub-modes for one-way and two-way communication.
- Frequent Receive Mode (R2) allows for simultaneous readout of multiple meters. Mainly used for gateways and drive-by meter reading.
- Compact Mode (C) is comparable to mode T but allows for increased data throughput. This is achieved by using NRZ line coding instead of the 3-of-6 code used in mode T.
- Narrowband VHF Mode (N) is optimised for transmission within a lower-frequency narrow band (169 MHz). It is intended for long-range repeater use and specifies sub-modes for one-way, two-way and relay communication.
- Frequent Receive and Transmit Mode (F) is optimised for long-range communication and is also split into one-way and two-way sub-modes.
- Precision Timing Protocol Mode (Q) provides distribution of time information, taking network latency and battery-optimised nodes into account.
- Router-based Protocol Mode (P) changes addressing to include source and destination, to allow for real routing.

Slide 11: Wireless M-Bus – Protocol Stack
Involved standards

Layer        Standard       Description
Application  prEN 13757-3   M-Bus dedicated application layer (specifies application layer security)
Network      EN 13757-5     Wireless relaying (optional, for meters supporting the router approach)
Data Link    prEN 13757-4   Wireless meter readout (specifies link layer security)
Physical     prEN 13757-4   Wireless meter readout (specifies use of the 868 MHz, 433 MHz and 169 MHz bands)

Legend: EN – European Norm; pr – draft standard

Slide 12: Protocol Overview

Slide 13: Protocol Overview – Physical Layer and Data Link Layer
Physical Layer
- Line coding (depends on the communication mode):
  - 3-of-6 code (constant-weight code)
  - Manchester coding
  - NRZ coding
Data Link Layer
- Frames
- Device addressing
- Specification of the payload (CI field)
- Cyclic redundancy checks (polynomial is 0x3D65)
- Frame types A and B (B has fewer redundancy checks)
- Extended Link Layer: provides encryption (AES-128 in CTR mode)

Slide 14: Protocol Overview – Data Link Layer: CRC calculation using reveng (screenshot)

Slide 15: Protocol Overview – Data Link Layer, First Block
Example capture (sent by meter, CRCs removed):
1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8

Field / Value / Interpretation
- Length (1E): frame length of 30 bytes, excluding the length byte itself
- Control (44): message from the primary station, function send/no reply (SND-NR)
- Manufacturer ID (2D 2C): coded for Kamstrup (KAM), calculated as specified in prEN 13757-3; the IDs are managed by the FLAG association
- Address (07 71 94 15 01 02): Identification 15 94 71 07 (little-endian, i.e. meter 15947107); Device type 02 (electricity meter); Version 01
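The link layer described on slides 13 to 15, as an added example that is not code from the original slide deck: a CRC-16/EN-13757 routine (the 0x3D65 polynomial from slide 13, with the init and final-XOR parameters as catalogued by reveng), the frame format A block layout with one CRC per block, and a decoder for the first block of the slide's capture. The slide shows the capture with its CRCs already stripped, so the CRC bytes are recomputed by the code rather than copied from the slide; the code assumes the CRC is sent most significant byte first, and the C-field bit positions and M-field letter packing are those of EN 13757. Function names are the example's own.

```python
# Added example (not code from the Black Hat slides): CRC-16/EN-13757 and the
# frame format A block layout of wireless M-Bus, applied to the slide's capture.
# The slide shows the capture with its CRCs stripped; the CRCs here are
# recomputed by the code itself.

# Capture from slide 15 (31 bytes: the L byte plus 30 bytes of payload).
CAPTURE = bytes.fromhex(
    "1E442D2C077194150102"               # first block: L C M M A A A A A A
    "7AB3001085"                         # CI ACC STS CONF
    "BF5C93720476595024169327D30358C8"   # one 16-byte encrypted block
)

CRC_POLY = 0x3D65   # generator polynomial given on slide 13


def crc16_en13757(data: bytes) -> int:
    """CRC-16/EN-13757 as catalogued by reveng: poly 0x3D65, init 0x0000,
    no input/output reflection, final XOR 0xFFFF (check value 0xC2B7)."""
    crc = 0x0000
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ CRC_POLY) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc ^ 0xFFFF


def blocks_format_a(payload: bytes):
    """Frame format A: a 10-byte first block (L, C, M, A), then 16-byte data
    blocks; the last data block may be shorter."""
    yield payload[:10]
    for i in range(10, len(payload), 16):
        yield payload[i:i + 16]


def add_crcs_format_a(payload: bytes) -> bytes:
    """Append each block's CRC, most significant byte first (assumed air order)."""
    return b"".join(b + crc16_en13757(b).to_bytes(2, "big")
                    for b in blocks_format_a(payload))


def strip_crcs_format_a(frame: bytes) -> bytes:
    """Verify every block CRC of an on-air format A frame and return the
    payload without CRCs.  Raises ValueError on a bad or truncated block;
    a receiver should drop such frames before the application layer sees them."""
    payload_len = frame[0] + 1            # L excludes itself (1E -> 30 + 1 bytes)
    out, pos, remaining, block_len = bytearray(), 0, payload_len, 10
    while remaining > 0:
        n = min(block_len, remaining)
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or len(crc) != 2:
            raise ValueError("truncated frame at offset %d" % pos)
        if int.from_bytes(crc, "big") != crc16_en13757(block):
            raise ValueError("CRC mismatch in block at offset %d" % pos)
        out += block
        pos += n + 2
        remaining -= n
        block_len = 16
    if pos != len(frame):
        raise ValueError("%d trailing bytes after last block" % (len(frame) - pos))
    return bytes(out)


def frame_is_valid(frame: bytes) -> bool:
    """True if all block CRCs check out and the length field is consistent."""
    try:
        strip_crcs_format_a(frame)
        return True
    except (ValueError, IndexError):
        return False


def decode_manufacturer(m_field: bytes) -> str:
    """M-field: three upper-case letters packed as (c1-64)*32*32 + (c2-64)*32
    + (c3-64), little-endian on the air: 2D 2C -> 0x2C2D -> 'KAM'."""
    v = int.from_bytes(m_field, "little")
    return "".join(chr(((v >> shift) & 0x1F) + 64) for shift in (10, 5, 0))


def parse_first_block(block: bytes) -> dict:
    """Decode the 10-byte first block of a meter frame."""
    l_field, c_field = block[0], block[1]
    return {
        "length": l_field,                          # 1E = 30
        "from_primary": bool(c_field & 0x40),       # PRM bit of the C-field
        "function": c_field & 0x0F,                 # 4 = SND-NR (send / no reply)
        "manufacturer": decode_manufacturer(block[2:4]),
        "ident": block[4:8][::-1].hex(),            # BCD, little-endian: 15947107
        "version": block[8],
        "device_type": block[9],                    # 02 = electricity meter
    }


if __name__ == "__main__":
    on_air = add_crcs_format_a(CAPTURE)
    print("on-air length with CRCs:", len(on_air))
    print(parse_first_block(strip_crcs_format_a(on_air)[:10]))
```

Running the module reframes the slide's 31 payload bytes into the 37 bytes that go over the air (three blocks, three CRCs), checks them again, and prints the decoded first block. A single flipped bit in any block makes `frame_is_valid` return False, which is the filter a gateway should apply before looking at the CI field.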

Slide 16: Protocol Overview – Data Link Layer, Control Information Field
Example capture (sent by meter, CRCs removed); the CI field is the byte directly after the address, 7A:
1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8
Types
- Response from device (consumption value, …)
- Command to device (open/close valve or breaker, …)
- Error from device (command unknown, encryption mode unsupported, …)
- Alert from device (power low, tamper switches, permanent failure, …)
- Time sync (update time service on device)
- Application reset (reset application values, tariff, instantaneous values, calibration, …)

Slide 17: Protocol Overview – Network Layer (Relaying)
Protocol using routers
- Allows for full routing
- Communication mode P
- Introduces dual addressing (source and destination)
- Introduces network management functions (maintain routes, detect broken links)
- Not compatible with EN 13757-5 unaware devices
Protocol using gateways
- Makes use of address translation
- Supports EN 13757-5 unaware devices
- Introduces management functions to manage node lists, trusted gateways and end-nodes

Slide 18: Protocol Overview – Application Layer (Data Headers)
- No header
- Short header
  - Indicates the access number (frame number)
  - Signals errors and alerts
  - Indicates data encryption, supporting several modes
- Long header
  - See short header
  - Additionally propagates a device address
  - Signals addresses behind bridges or virtual devices
Diagram: meter (Meter Addr.) behind a wireless/wired bridge (Bridge Addr.); the link layer carries the bridge address, the long header carries the meter address.

Slide 19: Protocol Overview – Data Header Example
Example capture (sent by meter, CRCs removed):
1E 44 2D 2C 07 71 94 15 01 02 7A B3 00 10 85 BF 5C 93 72 04 76 59 50 24 16 93 27 D3 03 58 C8

Field / Value / Interpretation
- Access number (B3): the current access number is 179. The standard mandates choosing a random number on meter start. The standard suggests using timestamps and sequence counters, since the ACC alone is insufficient to prevent replay.
- Status field (00): message is meter initiated and there are no alarms or errors.
- Configuration (10 85): encryption mode is 5h, which is AES-128 in CBC mode. 10h indicates a single encrypted block containing meter data (without signature). The field further indicates a short window during which the meter listens for requests (8h).
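Decoding the data header of the same capture, as an added example that is not code from the original slide deck: the CI field, the short header (ACC, status, configuration word) and the mode 5 initialisation vector, which EN 13757-3 derives from the link-layer M-field and address plus the access number repeated eight times. The meter key is not known, so nothing is decrypted. The configuration-word bit positions follow EN 13757-3 mode 5; the function names and the replay check at the end are the example's own, and make the slide's remark about the ACC concrete.

```python
# Added example (not code from the Black Hat slides): application-layer header
# of the slide's capture and the mode 5 IV that follows from it.

CAPTURE = bytes.fromhex(
    "1E442D2C077194150102"               # first block: L C M M A A A A A A
    "7AB3001085"                         # CI=7A (short header) ACC STS CONF
    "BF5C93720476595024169327D30358C8"   # one 16-byte encrypted block
)

# CI values for meter responses and the header length they announce
# (EN 13757-3): 78 = no header, 7A = 4-byte short header, 72 = 12-byte long header.
CI_HEADER_LEN = {0x78: 0, 0x7A: 4, 0x72: 12}


def parse_app_header(frame: bytes) -> dict:
    """Decode the CI field and the short/long header after the 10-byte first block."""
    ci = frame[10]
    if ci not in CI_HEADER_LEN:
        raise ValueError("CI 0x%02X not handled in this example" % ci)
    if ci == 0x78:                          # no header: application data starts at once
        return {"ci": ci, "header": "none", "data": frame[11:]}
    # The long header (CI 72) starts with the meter's own 8-byte address
    # (ident, M, version, type); ACC/STS/CONF then follow as in the short header.
    off = 11 + (8 if ci == 0x72 else 0)
    acc, sts = frame[off], frame[off + 1]
    conf = int.from_bytes(frame[off + 2:off + 4], "little")   # on air 10 85 -> 0x8510
    return {
        "ci": ci,
        "header": "short" if ci == 0x7A else "long",
        "acc": acc,                                  # B3 = 179
        "status_clean": sts == 0,                    # 00: meter initiated, no alarm/error
        "mode": (conf >> 8) & 0x1F,                  # 5 = AES-128-CBC, IV from the ACC
        "encrypted_blocks": (conf >> 4) & 0x0F,      # 1 = one 16-byte block
        "bidirectional": bool(conf & 0x8000),        # 8h: meter listens briefly after sending
        "data": frame[off + 4:],
    }


def mode5_iv(frame: bytes) -> bytes:
    """Mode 5 IV = M-field (2 bytes) + address (6 bytes), as sent on the air,
    followed by the ACC repeated 8 times.  Every input is public; the only
    per-frame variation is one byte."""
    return frame[2:10] + bytes([parse_app_header(frame)["acc"]]) * 8


def find_replays(frames) -> list:
    """Indices of frames whose mode 5 IV (hence meter address and ACC) was already
    seen.  A receiver can at most remember 256 ACC values per meter, so a frame
    replayed after the counter wraps, or one the receiver never saw, is accepted
    as fresh; this is why the slide calls the ACC insufficient replay protection."""
    seen, replays = set(), []
    for i, frame in enumerate(frames):
        iv = mode5_iv(frame)
        if iv in seen:
            replays.append(i)
        seen.add(iv)
    return replays


if __name__ == "__main__":
    print(parse_app_header(CAPTURE))
    print("mode 5 IV:", mode5_iv(CAPTURE).hex())
```

With the key the 16 ciphertext bytes would decrypt under AES-128-CBC using that IV; the point of `mode5_iv` is that an attacker needs no key to know it, and `find_replays` shows that a verbatim copy of the captured frame is only caught if the receiver still remembers ACC 179 for this meter.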

