Smart Meters are Vulnerable to this Attack

Yea, I remember that… they also mostly had a single function and you could look at the board and figure out what it’s purpose was! Now I need a damn scanning electron microscope to figure anything out :)

That made me smile Larry, thanks. I found a RUclips, (I think), clip at one point where someone asked how big would a modern day computer be if it was built using valve technology. Whoever made the calculation used as a base model the last computer ever to be built by IBM, again I think, which used valve technology. He then used the tech data for that computer, how powerful it was and how large it was and then multiplied it up to fit the tech data of a modern super computer and the estimate finally came out at around 340 acres, fantastically unbelievable.

@@richardchurch9709 Imagine the power draw on something that size! I wonder if he factored in the massive power generation plants that would be required

@@AndrewAHayes The mind boggles Andy.

@@richardchurch9709 And, besides the physical size and electrical power requirements, the thing would never be stable (or even work at all) due to the sheer distances of all the wiring, which would induce signal delay, be susceptible to noise, etc.

There is literally so much to hack and so much to learn! By the time I get close to done, they will install a new system and I get to attack all over again!

You need at Btc wallet address on your page....

We’ll ALL be looking at firmware soon… 😀

Because 2nd ver of smart allows meters to "Factor". . .they easily know load on any branch, Factor function is adjustable, causing meter to indicate anything. Instead of 1, meter may indicate 1.001, or any value. You pay for a factored reading, not actual. The excuses for doing this vary from company . . .or state.

@@jsunit5354 Clearly I've been factored and fu@ked!

I built free energy devices I'm telling you you just take a toll and they still charge you taxes like probably $43 a month it's ridiculous they are on top of things and a lot of times just keep charging the same amount 140 or $259.61 it was one month and it'll be almost the same the next month which is completely impossible and ridiculous the thing is look at the killer watch and you can see it's half is less that month because of the device that I have hooked up and it'll say oh well the computer didn't get it will be sending you a check

You got to look at the kilowatts on the bottom part of the bill otherwise I'll just keep charging the same amount every month which is I know they're lying they just take a toll and if you call them on it you see the kilowatts is different and it still charging the same amount here's what they say oh the computer didn't get it yet so we'll be sending you a check for all those months

Electronic meters and electromechanical meters react differently on distorted currents, for example from a SMPS.

Thanks! Glad you enjoyed it. Working on the next one now to show how we control the glitch in time to go from random effects to controlled disruptions with repeatable results.

Me too! :)

Look forward to buying some meters used in other countries as well

​@@RECESSIM I'm an electrician and can get access to plenty of them, noticed too on those modems they're just serial rx tx from the meter so that might be another non destructive way in!

They might be entirely relying on the cellular network for any encryption and just sending raw unencrypted data via serial port. Or perhaps no encryption and just hoping no one can see... :)

@@RECESSIM Modern meters do the encryption on the application level. You cannot trust the mobile network operator to do it.

@@WimTon The question is what’s deployed in the field, modern anything always fix the sins of the past.

I really enjoyed that book as well, definitely worth the money to see state of the art attacks documented well.

Joe Grand? Yea, great video!

Yeah crypto is not as safe as it is supposed.

98%? Ummmm 100 percent certain it’s illegal to do this to the meter one is using on their house! Anything used to defraud a utility….. well anyone really is illegal.

Love that movie!

I remember hearing about that technique back then but never knew how it worked in-depth. Look forward to sharing exactly how it works over the next few videos!

Those were the Good Ole Days, the cat & mouse game was epic..

@@mrreddog agree!

I remember as well. They were called Unloopers. When your card was looped, it meant the death of it in the old smart card readers. The one way to fix it was to glitch it in an unlooper. They were expensive at first, but eventually cheap and necessary. Everyone had their favorite glitch settings, it was fun.

@@x1xBryanx1x exactly! they got good at that

Thanks a lot for a very interesting comment! I've heard a number of stories like this, so I don't think you are alone. There are a lot of factors that could go into something like this, but regardless as a consumer I think it's hard to prove your case and have the power company care. They don't make money lowering people's bills or discovering issues that lead to less revenue!

@@RECESSIM Bypass the meter, "They steal from you , So you steal from them"
Some electricians would have no problem helping you.

Had a similar "glitch" with my power last winter, try deep-throating an $800 power bill...
Here in Aus, most of our meters are being replaced, so no real choice in that matter, and my issues were on a 'normal' power plan. Switched to the "smart" plan for testing on my new place - at least they can give me some data! (The fact that there is a time chart can allow me to precisely quantify this shit)
If you thought paying too much for power is crook, try getting a solar installation; after you generate more power than you consume, the utility stops counting the power (they USED to rack up a negative bill if you generated heaps, and managed to offset your usage + connection fee)
And recently, they dropped the value of generated power - such that you continue to pay top dollar, maybe 40% less...
It's funny seeing houses with all the kit necessary to run self-sufficiently, but doing the exact opposite!

Same thing happened to me. Notice that the News Consumer advocates will never cover this story about thieving utility companies and smart meters. They are too busy chasing Mexicans who cross the border illegally. They like coming after the poor and helpless who have no voice. But come after the big boys who steal a lot more. Nope. They stay away from that.
Consumer advocates are worthless.

I build free energy devices that pull from the environment to work well they save about 60% they have no moving parts it just goes to show that the AC current wire is leaked current sideways here's the thing I have people that obtain these devices and it shows the kilowatts being half as much and they're still charging the same amount for the month and you they called them and ask them why it's still the same and kilowatts is different and they said oh the computer didn't get it yet so we're going to go ahead and send you a check for every month that was off on a map the kilowatts changed on the bill but they still were charging them the same amount every month

Hacking our cars to unlock features we didn't pay for but are in it anyways is 100% the future

@@saxtonhine4843 No doubt about it I agree! To some degree though we've been doing a form of it for years, it just been called "modifying". At least from an analog standpoint haha! Where I am at with it is having the ability to flash a PCM/ECU for updates instead of taking a vehicle to a stealership. Honda already offers them for free for most of their's as far as I am aware. One just needs a VAG OBD cable I reckon and a laptop and they can perform drivetrain updates on them.

@@betterthannotgoodmtb Same with toyota ;)

You can catch up to see if they're skimming and they usually are because how could the power bill be the same amount 25169 and 251 60 next month completely impossible

Glad you like it! Thanks for commenting.

Appreciate that! Only 10 type of people in this world, those who understand binary and those who don’t get this joke! 😀

@@RECESSIM Right on binary brother. That is what control's literally the world right now. v

I’ve just loved electronics, programming and reverse engineering since I was a kid. I keep trying to learn something new every day and over time it adds up.
I don’t have a particular draw to smart meters other than they are a fun target with RF, microcontrollers, lack of documentation and they’re deployed everywhere for long periods of time. A fun way to do black-box attacks… Like playing Chess ♟️

Glad you enjoyed it

Correct, it’s the CW-lite. Happy to share any code, find me in discord or send me an email. The Glitchy app I have on GitHub might also be what you can use now.
github.com/BitBangingBytes/Glitchy

Haha!

Wow, you are related to Jack Kilby?

@@dakrontu
Yes sir. He was my cousin.
Peace ,✌

@@CKILBY-zu7fq I never met Jack Kilby. I did shake hands with J Fred and Mark Shepard while they were passing thru on goodwill tours, and I got a tour of the CIC computer system in Dallas (as I recall, 127 mag tape drives, tape numbers up in the 5 digits, 4 mainframe back-to-back redundant pairs each with about 4 MB of RAM (or maybe more, not sure, but RAM was small 4 decades ago), and a truck-size hole in the centre of the floor where they had to extend down to the floor below when they ran out of space, with hundreds of big black cables running down thru the hole). I never got to see the ASC. I was in Austin the weekend the gold was stolen (wasn't me!!!) and watched cars pass by with gold badgers going to investigate. I remember the deer in the grounds wore company badges, as did the automated mail delivery robot. Due to delays, our rental car was late being returned, so National Car Rental had informed the police to watch out for it, which may have tied in with suspicions about the gold heist.

@@dakrontu
wow brother. Thats awesome, so. How long did you work there.?
These are the stories.
So I have never been to the KILBY MUSEUM, have you been?
I would like to go one day.
Its so cool to chat with you.
You know?????
The gold went missing at the TRADE TOWER event.
They claimed it was evaporated.
But it impossible, otherwise the city would be covered in gold just like they coat glass.
SO.... I BELIEVE WE SEE THE USE OF THAT GOLD EACH DAY THIS TYPE OF PEOPLE IN OFFICE FIND WAY MORE MONEY THEN ANYONE ELSE.
So, it makes me wonder, who where why and how.
PEACE BRO.✌

@@CKILBY-zu7fq 8 years. As a software developer. Us softies were always treated as leftie 5th-columnists by the hardies. It was my time in the fast lane, travelling a lot. TI, the hire'em fire'em company, was boot camp for many new engineers. If you worked there and thrived, you were sought after. One of my colleagues was the guy who got company policy changed so he could wear Bermuda shorts to work. Engineering was a seat-of-the-pants activity back then. Today it is much more formalised.

No wonder people don’t want to install updates 😳

Sounds like the problem is with windows and old hardware.
You might try putting some Linux on it

Thanks, will try to post sooner if only to share progress so you aren't waiting forever!

These meters by Landis+Gyr don’t work with the existing SDR tools to read meters. Working on some tools of my own though on GitHub. They operate in the 915MHz ISM band. 73

@@RECESSIM Great thanks for that info. I'm looking forward to trying out any new software in the near future. Thanks again. 73.

@@RECESSIM Don't hold your breath. For privacy reasons, there is the regulatory requirement that all consumption data must be encrypted. And for security reasons, commands to the meter are signed or MACed.

Are you referring to the Teridian chip in the case of these meters?

Precisely, if you are planning to let something live in the wild for a long time, you better also have a plan on how you address the inevitable vulnerabilities.

Thanks! That's interesting they used glitching as a way to check for an authentic device. What sort of device was this? High dollar specialized equipment or consumer grade? Playing with glitching tools has always been interesting to me, nice to make some videos to focus the learning a bit. Glad you enjoyed it.

@@RECESSIM High dollar.. it was a Voicemail system back in the late 90s.. the Voice processing cards were sold by the manufsacturer in generic form that anyone could buy.. the particuar voicemail company wanted you to buy their OEM named card which was 3X the price.. since the interwebs were new and everyone pirated everything.. the Special firmware was easy to get and field load.. so they turned to hardware.. they actually separated 2 of the Power supply pins.. or should I say they "burnt one out" and the chip would still work except for a certain function.. so the voicemail system called on that function.. if that function succeeded they new the board was generic even if the proprietary firmware was loaded.. most people gave up when the board didnt work out of the box.. a few more tried the firmware.. but only a few went further to dig.. wow if we only had today's debugging tools back then!!

@@eldoradoboy Wow! Yea, very interesting. Equipment like Smart Meters and other stuff with a long life in the field is very interesting to me for that exact reason. The tools to attack are progressing at a rapid pace, but the equipment in the field is still using yesterdays technology that becomes more vulnerable every day.

@@RECESSIM a lot of devices are built with a probable impact of breach engineering.. exploiting a smart meter and cracking the hashes related to turning on or off the power to the building has a High impact.. but hacking the meter with the intention of reduced cost electricity has a low impact.. the power company profiling is designed and getting better at detecting pattern changes in usage.. if they come to your house and determine the meter is "bad" ie recording 10% less than actual usage, then they replace it.. and expect to see an increase of 10% over prior profiles.. smart meters are pretty well protected against physical access since you get heavily fined by the power company if you cut the tag-lock and pull the meter.. in that case as a manufacturer you would design for highly secure comms but not necessarily so much against physical breach.. so if it can be hacked and firmware replaced OTA thats a HUGE vulnerability.. but if you have to open it up and JTAG it.. thats a non issue in the real world..

@@eldoradoboy Agree completely, getting the firmware is just to enable debug mode on a meter I control and to search for OTA vulnerabilities as you mention.

Thanks, seems a lot of people are curious like I am. We’re gonna keep digging until there’s no where left to go!

I like to find a way to make my light bill cheaper 😋

You find them occasionally on auction sites such as eBay. The FW is totally custom. It is basically a hard-coded database with a process that writes the measurements and events to it, and a process that transmits the content at regular intervals to the power company. The processor is the somewhat exotic Renesas RX.

@@WimTon Well I dont know. Here the use Powerline ~50khz I see them transmitting via my SDR.

@@nowaymuller6643 The lower protocol layer is G3 PLC, ODFM modulated (G.9903). The data is encrypted with a key common to the physical network. The next layer is DLMS green book, an ASN.1 dialect. Encrypted with a meter-specific key, a network-specific key, or plaintext, depending on the use case. The data model is DLMS blue book.

This is all just laying the ground work for a remote attack. First is physical to gather intelligence to construct a remote attack.

Thanks for following me! If I can clarify anything or answer any questions hit me up on TikTok/Twitter.

Thanks for the tip! Probably a great event to check out what will eventually replace what I’m playing with now.

I have a couple water meters I took apart, but crossed signals doesn’t seem likely. They probably transmit a serial number followed by your reading. The ones I have show the reeding with an analog odometer looking display. I would check to see if that matches your bill. If so, perhaps you have a problem pipe or something else causing water loss. If not, then perhaps it’s the meter, but I wouldn’t jump to that as the first thing.

Not really power usage data, it’s going to get that either way

@@RECESSIM
Is the new meter numbers calibrated to the old calculations of units of electricity??
How is flow of electricity measured?

💪🏽

Thanks for reminding me of this, I remember reading about that.

Copyright law in the USA allows reverse engineering of software for the purpose of learning how it functions/behaves and to interface some new software with with the old software. So basically only the original code cannot be duplicated, but the API is fair game, and you can distribute a bit of foss (written from scratch) to access that api.

Yes that is what is known as cleanrooming, typically you would also have the companies patent lawyers looking over everything sent from the analysis team to the design team too. That is to say checking to make sure nothing slips though that would contaminate the new product, you don't want things slipping though that read like a paraphrasing of the competitors patent claims on one of the parts for example. So they are usually involved to make sure nobody opens the whole thing up to liability by being a little too on the nose with their documentation.

@@seraphina985 Thanks for the additional information, that’s very interesting!

I agree with Scott just use an amp meter and record everything that the power is being used in the dally up to see if it lines up with the bill if they're charging you

Here's something I build free energy devices that work in the first state of matter and the thing is that these devices condition the house and save electricity about probably up to 60% sometimes the deal is they're not illegal or anything and they work well and sometimes I have to call him and tell him look the kilowatts is different but why you charge me the same amount and then they say well the computer didn't catch it yet and will be sending you a check

I agree with Scott. I would just comment that most smart meters also allow the provider to Factor the meter. Pick any value you wish, ie 1.10, which would have your meter read 1100 instead of 1000. The excuses are many, from fuel adjustment to peak-vs- non-peak periods. The factor can be changed at any time, easily handled by an algorithm in the program. It can be set to gradually increase the factor as a user consumes various levels; the first 1000KWh can be at a base-rate, then factor-up for usage beyond that level.
The first line of defense is "Our meters are very accurate. We constantly test to assure customer confidence in our product and service "
You can feel free to change the boiler-plate verbage as you wish.

It's a useful method used by many people to unlock these processors. A great video to see it in action and it's explained for the most part here: ruclips.net/video/dT9y-KQbqi4/видео.html

I'm not sure what OP is going to try to do exactly, but sometimes the aim is to attempt a normal read of the internal firmware from the programming pins and just glitch out the hardware check that the code protect fuse is blown. Other possibilities are finding a timing where an address is set up to send some data externally from flash, and just keep screwing up the address over and over until it sends out something of interest. For example, if the device sends a startup message from Flash when it first boots up, that could be a prime target because the timing of it is easily accessible (it's happening in early startup, and likely the timing is identical run to run).
This sort of attack gets much easier once you gain access to some of the code where you can control when it executes and then control the glitch timing against it. Like, that's to say, if you had the whole program listing in front of you, you could look through and find something interesting and say "oh, here's part where the diagnostic mode enable bit is checked, if I can convince it it's in diagnostic mode, I can just send these external commands to get control", etc. Obviously you don't have the full program listing, but if you can get a glitch to send you a part of code with something interesting in it, maybe that's enough to make more progress.

Luckily I have a few meters to test on, but if one happens to wipe unexpectedly some protection or accidental activation of code could be the case like you mention.

Look forward to EVERYONE dumping firmware!

That’s a possible outcome of reverse engineering the smart meters and decoding the protocols, able to feed that data into other systems!

That's a cool idea, I have seen that method and also EMP using some other tools NewAE make. As for the first one, to trigger a glitch at a very specific time like I will need to do in order to dump the firmware I think the lighter method would be hard.
I would need a way to reliably generate that spark at a specific microsecond after booting which isn't possible I think. But for general glitching I think it could work.

@@RECESSIM Just discharge. Thats all. In first minute of this video, you see the ideea. ruclips.net/video/N31kQzxk7BQ/видео.html

@@ciobanurivelino3844 You missed his point, how do you time the discharge exactly at the required time after a processor reset?

If that works, the designer did a bad job ...

Too less energy! One of the tricks I heard off, was to put a coil of a few turns in series with the flashbulb of a single-use camera.

Landis+Gyr and a LOT of utilities use them, in Dallas Oncor and CoServ. You can search for BitBangingBytes on GitHub and see the gr-smart_meters code which lists a few utilities people have confirmed.

Thanks for your detailed comment, I’m interested in the overall design and security as it relates to devices like this living in the wild for 10+ years. Not really interested in stealing energy, but any vulnerabilities in the design are definitely of interest.

@@RECESSIM I know it is not you point of interest but probably some viewer could find this "useful" LOL. Sure they have vulnerabilities ... But even if you get the code, you wont find nothing interesting on it ... believe me. The metering part could be derived from some app note (or not), but ussually full of intricate stuff, with parts in ASM, digital filters etc. The application section ... you need to understand how a multi rate meter works, rate scheduling, profiles for Energy, RMS, billing, tons of logs, alarma controls, demand control ... and when you get into the protocol part, you will fell asleep if the meter is intended to be sell in Europe ... its implementation is probably as complex as a TCP / IP stack but useless outside this industry. This protocol models a generic device with n generic objects, implementes a number of logical servers ..... BORING AS HELL. It goal was to be "interoperable" ... LOL. If meters is intended to US market, probably still dealing with old ANSI legacy stuff ... but still pretty criptic since is table based mostly works under base addr + length read and writes. If you dont have the dictonary ... good luck.

@@38911bytefree that's what i was thinking - it would be an awful lot of work to go to to get caught stealing energy anyway!

@@billynomates920 Across the years analitics have been taken an important place. The solution that manage the Smart meter on field, is actually a suite of services, with different modules you can pay extra for. And one of their modules is Non Technical losses (basically .... fraud detection). 20 years ago, the meter was the money keeper ... a little "safe". Today they keep polling the meters so the dont need to rely on the meter as a "safe" anymore. More like and audit / telemtry device IMHO. Metering part can be very complex (avawy from calculations) but security, networking, data transport, protocols are probably more bigger and complex thant metering part itself. It is like a GPRS / PLC / ETH with Metering LOL. Some meter act as gateways or repeaters, helping to build up the network. It is a network device.

If he can gather the software for the specific meter he has… then he can always delete any tamper triggers. Shit… he can even change the Ratio at which he is charged to like… .10:1 for every dial increment rather than 10:1 😂 but… idk.

Save the other half of the bottle for the next video I should have up in a day or two! Badass^2

This depends on your country and power supplier. For example, in the Netherlands, smart meters have a serial port (called "P1") that spits out the measurements every second. The UK has the option for a Zigbee-connected in-home display.

Hell yeah. Thats what I'm saying, but we will never see this type of Independence because we are out numbered by the other part of society that are the very reason why this garbage still exists.
Peace ,✌

@@CKILBY-zu7fq I don't know what you are talking about. I am not being sarcastic or rude, I just have no idea what your point is.

@@theephemeralglade1935
Another 💩🤡?

🙏

Thanks, recently upgraded and it’s nice to have some newer features like connecting to it via computer

I feel it’s one of those “I wonder if” situations. We could all just keep “wondering if” or we could take a look and see what’s actually there. But we can’t know what’s at the destination without going on the journey.

Thanks for checking out the RUclips channel

Such a great movie

Very cool, I've yet to meet a piece of hardware I didn't want to buy!

@@RECESSIM I'm jealous of your faraday cage with gloves and viewing window. Tots cool. I think I'd like to eventually test a whole multinode mesh with a gateway which will need a little more space. ya know... get the full experience.

@@awesomedee5421 Absolutely! If you put some connectors on the side you can run large devices externally and just cable their antenna's into the box. Then run smaller devices inside the cage. Adding attenuators on the devices with antenna connections help to drop power too.

I agree completely, systems of power must be checked

Usually on the mobile or ISM UHF frequencies, 820 to 950 MHz. PLC between 10 kHz and 500 kHz.