Using SDR To Read Your Smart Meter

[BeMasher] was dissatisfied with the cost of other solutions to read his smart meter, so he made a project to read it himself using an rtl-sdr dongle.

Using his hacking and reverse engineering skills along with a $20 RTL-SDR dongle, [BeMasher] wrote rtlamr to automatically detect and report the consumption information reported by smart meters within range. Though designed for his Itron C1SR, [BeMasher] claims that any electronic receiver transmitter (ERT) capable smart meter should work.

[BeMasher]’s Itron C1SR smart meter broadcasts both interval data and standard consumption in the 915MHz ISM band using a Manchester encoded, frequency hopping spread spectrum protocol. [BeMasher] used the RTL-SDR dongle to do the signal capture and analysed the resulting signal in software afterwards. [BeMasher] did a great job of going through the theory and implementation of analysing the resulting data capture, so be sure to check it for an in-depth analysis.

If the RTL-SDR dongles are too limited for you taste, you might want to check out some hacker friendly SDRs with a little more punch.

76 thoughts on “Using SDR To Read Your Smart Meter

    1. Imagine: Burglary Specialist checking to see if you home based on consumption or 3 letter agency check to see if you home before installing surveillance device in your home…I no use smart meter…

      1. This high-tech burglar would just use RADAR and sound to check, or check for the presence of a smartphone in the house to make it even more easy.

        Also, since when do powercompanies give you a choice?

          1. Was that a real question, or were you just being a Jackass? Smart meters transmit so that the power companies don’t have to pay meter readers to go out and read meters. The NSA, FBI, police, etc. have always been able to ask the power company about your usage. That’s how they used to bust larger scale illegal marijuana grow operations…now, all they have to do is listen for the tree rf signal from your meter.

          2. 1) The power companies don’t have to send out meter readers
            2) Not announced, but coming soon! The power companies are preparing to charge all customers based upon time of use at much higher rates. This is why they are claiming that it will help you save money, after they raise their rates.

    2. I was thinking this might be possible with my new smartmeter. To think I have been getting day old usage info from my power company when I could be getting it real time without even walking outside. Hope he comes up with some user friendly software.

      1. My grow lights are on 24-7, as well as my air pumps and all the other electronics involved in my aquaponic vegetable garden, as well as a couple servers. Good luck figuring out when I’m not home, based on meter readings, at least. Most people just look for my motorcycle…if it’s not there, they assume I’m not, but then again, that’s often inaccurate, too. I will leave the bike at a friend’s and grab my truck or his car (both are stored on his property) if I may be having to haul groceries or other stuff. It may use a lot of electricity, but if you are that worried, just don’t ever turn off your lights and tv…sleeping mask it up and hit the mute button…but then they’d know you were asleep when the tv sound stopped, so maybe, you should just leave that turned up, too and just wear ear plugs…

        1. “Good luck figuring out when I’m not home, based on meter readings, at least. ”

          It is nice to think this, but IMO you are arrogant and naive to do so. Don’t you turn on lights, open a fridge door, etc. when home? Targets can have 15-second sampling rates and at least 4 decimals of accuracy. So they can know if you are home if you are targeted. That’s the point. See http://techalabs.com/US20050075836A1-20050407-D00002r.png and http://techalabs.com/US20050075836A1-20050407-D00012r.png .

          An interesting thing about this and some related technologies: unless I win an appeal, the uspto denied a patent to me on the grounds that use to track people is obvious. What is strange is they had to combine 13 references. About 5 others were also used. This is close to a record for an obviousness rejection, where 3 references is considered stretching it, although this is not the first time strange things have happened with my patent applications. See http://techalabs.com/3.pdf page 24 if you are curious.

          Jason, before you get upset for me calling you arrogant please read this post here: https://www.facebook.com/jasontaylor7777777/posts/10202245562084010?comment_id=10202245890692225&offset=0&total_comments=5 (Comment of relevance starts with “Mr.”)

          Cheers

    1. Yep, American meters tend to do that for some weird reason. They have RF/WiFi meters that shout their stuff into the open and power companies have people in vans that drive around the neighbourhood reading the meters(!).

      I’m not sure if it’s a legislation thing or are they just stupid.

      European power companies use GPRS/3G and PLC to communicate in most cases. Meshnets are used only when they are the last option.

      1. It would probably be cheaper to get a clamp on current probe and measure the current and voltage yourself. To even install your own meter, you’d have to have their meter disconnected which probably involves fees to send a guy out.

  1. I just tested this software in Australia (Melbourne). We’ve just had a new smart meter installed (model i-Credit 500) and it appears to use SilverSpring Network’s gear (http://www.silverspringnet.com/pdfs/SilverSpring-Datasheet-Communications-Modules.pdf) rather than the ERT protocol this looks for. I tested with two rtl modules for about an hour and couldn’t find anything.

    Apparently these new meters have zigbee compatibility though, so that could be intestine…

    Anyone know any more for us Australians?

    1. Yeah, I’ve messed with mine too. They seem to do hourly or more frequent reporting, so I think they are “smarter” than the American ones. Mine have real time monitoring on the providers website, so maybe they’re gsm instead of 900mhz?

    2. I’m also in Melbourne. The 900MHz utility-side and Zigbee SE home area network (HAN) radio interfaces are much more secure than ERT (i.e. they actually have encryption). There are ways to access the meter data, but it requires the cooperation of your utility.

  2. All your data are belong to us. Looks like a bigger problem just from privacy concerns. Not to mention when someone gets their hands on a device that can send bogus data out.

    I wonder what we will see when things like hackrf finally go main stream

    1. Smart meters probably have some level of protection against spoofing or tampering. (that’s part of why electricity companies like them, they are harder to bypass or fake out than the old spinning disk meters)

  3. HOLY CRAP! I asked my Dad several months back (before this article) if he wanted to help me attempt hacking a smartmeter! I got no response, and then he sends me this link a month later…

    NICE work, thanks for free power ;) Its neat that you can access not only YOUR meter, but EVERY meter within your MeshNet that Hydro has set up. This MeshNet can be tiny (10-15 houses) or large (50-100 houses) and larger with no problems.

    Thanks to Hydro for using insecure health affecting wireless technologies and installing them without ANY consent from the consumers, and NO long term health effect studies… And studies prove this technology will cause insomnia, headaches, ringing in the ears and MUCH more, depending how close you are to your smartmeter for most of the day (or night – sleeping)

    Again thanks, the article is very interesting!

    1. Ahh you are one of “those” people. Aluminum foil folder over and formed into a hat will solve your “health issues” concern. Wear it all the time, I also suggesting covering your man-parts as well in foil, run a grounding wire between the two for extra protection.

      1. NO!!! The tin foil hat myth was spread by the CIA and the NSA. They wanted a good way to “get rid of” people who were attached to the group of those who are “in the know”, so they spread the tin foil hat deal and developed a microwave beam that is harmless normally, but due to the thin film effect, the beam frequency alters when it enters the hat, such that it reflects back when it hits the opposite wall of the hat and fries the brain of the wearer…one of these days, I’m going to say something ridiculous like that and have men in black suits knocking on my door asking me how I got access to their secret plans…

    1. Fired off Gqrx and I don’t see anything near 915MHz. If my meter works similarly to [BeMasher]’s, am I supposed to? Mind you, I’m just using the silly little antennae that comes with the USB receiver.

        1. After a bit of looking I think I should see something. This is a short blurb I found about my meter: uses a frequency hopping spread spectrum (FHSS) transceiver operating in the unlicensed band ISM Band of 902 MHz–928 MHz.

          It does also mention that it transmits periodically, though, and not continuously. So, may be I just didn’t leave it on long enough. I’ll try again later.

          Thanks.

          1. Were you ever able to get a reading? I’ve been trying with mine – C2SOD, which according to bemasher list is supported. I’ve tried both regular center frequency of 920 MHz and 915 MHz and couldn’t get anything. I wonder if the 915 MHz signals from LaCrosse temperature sensors are clobbering the signal?

  4. Well, here from portugal, nothing that i haven’t remembered of yet, but i did not tryied it because i don’t know what comunictaion the meter is using.

    It is a bruno janz hybrid, and when it was intalled i saw the guys holding a “kind of” calculator to configure it, and they had to lean the device on the meter to be able to configure it.

    https://energia.edp.pt/media/21862/hibrido_janz.jpg

    Anything special with this? anyone knows the comunication protocol and frequency used by these?

    Thks.

  5. This is interesting. Our electric meters are still a bit old fashioned, But our city just upgraded all our water meters to a wireless. I bet they operate in the same band and in a similar way. I will start looking into this. Anyone have wireless water meter info?

  6. This is beyond my technical abilities but I have a 2838 dongle and downloaded the two win-binaries. RTL_ATSB.EXE shows this, with continuing lines of data similar to the one shown in the last line. Is there some simple win-stuff I can use to see what that means?
    Found 1 device(s):
    0: Realtek, RTL2838UHIDIR, SN: 00000001
    Using device 0: Generic RTL2832U OEM
    Found Rafael Micro R820T tuner
    Tuner gain set to automatic.
    Tuned to 1090000000 Hz.
    Exact sample rate is: 2000000.052982 Hz
    Sampling at 2000000 S/s.
    *ac334045c09d6868190624ca3bd6;

      1. Ahh, OK, thanks, that’s what I bought the dongle for after reading here recently about the aircraft movements passing over. It worked great but then saw that this used a radio dongle and hoped this one might be programmable for the smart-meter frequency. Which is by the way, is an Elster R2SD. It is outside and about 10-feet from where I am sitting. :) Nope, not worried about the radiation!! {gasp}

        1. Go get this software http://www.sdrsharp.com/ and read the manual, you already use the driver so skip that and all you need it to get the RTL dll’s and bung those in the SDRsharp folder once you unpacked it and move the config file to the main folder. Then select rtl-usb on the screen and press start and start checking out the radio spectrum. Try the FM radio frequencies first.

  7. I read about the demonstration where they used one of these smart meters to detect which TV channel someone was watching, and I wondered about the required accuracy. Looks like it tracks down to 0.01 kWh, which would certainly be enough.

    1. Smart meters don’t really reveal as much information as people think they do, for example my meter will often transmit the same consumption value multiple times before transmitting a new value where the difference is greater than the minimum 0.01 kWh increment. It seems like Itron considered the security ramifications of blaring your commodity consumption at fine-grain amounts in the clear.

    2. The case you’re remembering was a really idiotic 3rd party German power metering company. They used insane sample rates (think seconds) “to help people conserve power”. Also the idiots piggybacked their UNENCRYPTED data over the customers ADSL connection. The hackers used this and drew the Manhattan skyline in the power graph on the website :)

      Just think about the amount of data generated when the meter is measuring 10+ different things and logging it all every few seconds, then all that data needs to be transferred to the power company over a slow comm link.

      This is why most (european) power companies use a 15 minute sample rate for domestic metering, in some cases it’s 60 minutes. Industrial meters (the ones measuring stuff in the megawatts each day) have greater accuracy and sample rate. Also they cost more than the house your domestic meter is in.

  8. I’ve cheked my meter and it is not smart :( to interact with it, i supose it is with infrared, and i need a devive to lean on the meter. It is what the technicians do, and i don’t have a infrared device, plus i don’t know if i am able to receive, or only transmit data to meter. So better keep quiet and not mess up with it. The smartiest thing the meter has is a button to show and iterate over diferen values on a matrix 7segment display and as the meter is sealled one there is no chance to play around with it.

    1. Usually there’s a LED in there that blinks at a specified rate. Usually it’s 1000 impulses per kilowatt hour. You can use that.

      The connection used in the meters is an optical link, there should be a round indentation with two dark spots somewhere, you can connect to that with the correct hardware.

      Just note that the meter is designed to notice electronic and electromagnetic tampering, which WILL be logged and WILL raise an alarm.

  9. The sampling rate is set by the utility company. In OK our meters sample in 15 minutes increments and our customers see that data on a website in 1 hour increments (about 4 hours later). The meter cant tell us what is using the power, only how much kwh is consumed during that time frame.

  10. What a great project, thanks for posting it online. I was able to get this project to work using a NooElec Brand RTL-SDR on Windows 7. With the Windows OS you have to use a utility called Zadig http://www.rtl-sdr.com/tag/zadig/ to load the USB port drivers on the USB port that you want plug the RTL-SDR into. My laptop with XP did not recognize the NooElec Brand RTL-SDR even though I loaded the Zadig utility for XP

  11. Do any of these “Smart Meter Shields” so called, designed by an electrical engineer, work? I see several on eBay. If they shield 98% of the radiation, is the power low enough for the electric company to still read the correct data? FHSS is pretty immune to RFI (It was invented by Heddy Lamar, the gorgeous movie actress). Also, what’s wrong with meter readers? I have a street-readable meter that is queried once a month by a reader who merely drives down the street. These guys and gals will be out of a job. Are we actually trying to put more people on the relief rolls, or what?

  12. Actually i am going to make the project with title ‘wireless electrical power theft monitoring using micro-controller based system’ so i need to know how to connect transmitter with digital energy meter to transmit measured power.

  13. I spent a bit of time getting this working with my meter. I had everything graphing beautifully. About a month later, a guy from the electric company knocks on my door and hands me a flyer. They were switching over our neighborhood to smart meters that transmit over the power lines back to the CO. And that day was the end of monitoring my energy usage. Now, I have to come up with a low cost alternative.

  14. we all have smart meters right I would think we do by now but I think I may have accidentally jammed the signal from my smart meter to the power company with a stronger signal and were most people would look at this as a A++ it is not in my situation I was trying to avoid a $5,000 charge when hooking my solar panels up and when I switched on the gridtie inverters the wifi signal from my enecsys gen 2 microinverters stopped the signal from my Itron smart meter to the grid repeater. Does any one have any ideals on how to fix this issue with out involving the power company.

Leave a Reply to CyberatsCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.