25C3: Power Line Communication


[Florian] and [Xavier Carcelle] started the day at 25C3 by covering power line communication (PLC). PLC technology is not widespread in the US, but it has gained popularity in countries like France, where it is included in set-top boxes. PLC lets you create a local network over the AC wiring in your walls. The team started exploring PLC because, despite being newer technology, it shares a few principles with old networks. There is no segmentation in the wiring, so it behaves like an Ethernet hub rather than a switch: every station on the wire sees all of the traffic, unlike on a switched network. Most power meters don't filter out the signal, so you might well see your next-door neighbor's traffic on your line. [Florian] reports having seen all the traffic in a six-story building just by plugging in. The wiring also acts as a large antenna, so you could mount TEMPEST-style attacks against it.

The technology involved is certainly interesting, but they found a lack of tools for working with it, so they wrote FAIFA to fill the gap. It is currently a command-line tool for probing and configuring Intellon-based PLC devices (Intellon is the majority chip supplier for PLC). You can query devices, and it even has a sniffer mode. Sniffing may not seem interesting, since devices that support the HomePlug AV standard encrypt their traffic, but they all ship from the factory with the same default key, so the encryption adds little until the owner sets a new one. In the future, they hope to build their own open-source FPGA-based PLC device to take even more control of the system.

13 thoughts on “25C3: Power Line Communication”

  1. PLC is a very bad thing radiofrequency-wise: it is marketed for those against wifi, but the signal it sends through unshielded power wires makes your whole installation a big antenna.
    Much worse than wifi.
    Still, it is handy for when wifi does not come through huge walls.

  2. I think there is nothing better than just passing the UTP cable inside plastic guides hot glued into the wall.

    If the network topology changes in the future, there is no problem in cutting the cable and guides to fit.

  3. I don’t like the idea of someone being able to sniff out all my appliances… can’t think of a single reason to have a toaster hooked up to my network… yet I’m still slightly interested in having my kitchen and everything else in the house wired up.

  4. Wouldn’t it be more correct to say that it works like an old-fashioned (coax) ethernet? It’s a shared medium with no hub at all.

    At least there is no need for terminators at the end of the line. I remember the “good” old days of 10Mbps coax LAN parties. There was always a bad connection somewhere and someone would step on a cable bringing the whole network down…

  5. It’s a total nightmare for radio amateurs like myself, because although ‘in theory’ the gear is filtered to prevent excessive unwanted radiation wiping out the amateur allocations, there’s a lot of cheap gear already doing the rounds with either faked approval or with designs that have been illegally modified after type-approval and that don’t have the correct filtering, to save a few cents.
    It also appears there’s no real attempt at enforcing the law from either the FCC in the States or Ofcom in the UK, because they prefer to believe unapproved equipment cannot reach the market – as long as eBay exists that’s bs, as we all know!

    Because the signals amateurs are trying to receive are so weak they’re easily disrupted by stuff like this, and I’m given to understand by service personnel that the military have exactly the same problem for exactly the same reason – a poor-quality plc adaptor is basically a broadband jammer and totally disrupts shortwave communications for a considerable distance around.

    In experiments, we’ve been able to detect the hash from a ‘legal’ plc up to about 5 miles away and illegal ones considerably further, so I strongly suggest giving the technology a miss if you value the integrity of your system… if ‘we’ can hear it, so can somebody equipped and motivated to cut your filesystem wide open.

    It’s a fundamentally flawed concept.

  6. It also interferes with ham radio operations. In experiments in the USA it was found to interfere with communications. The FCC was ordered to shut down several test areas after it was found to cause problems. Here they call it BPL.

  7. Actually, BPL is one form of PLC.

    BPL is the term typically used when referencing distribution (service provider to home), while PLC is typically used when referencing on-premise only (i.e. take the signal from your broadband router, put it into a PLC converter plugged into your power lines…)

  8. Regardless of whether we are talking about the DOD/Internet 4-layer model or the OSI 7-layer model, hubs are passive devices and are designed within layer 1 specifications in both the OSI and DOD models. A bridge/switch is specified within layer 2 of the OSI model and within layer 1 of the DOD model.

    This was described incorrectly. Due to the shared-bus-like nature of household power, the only place layer 2 would be specified is on an endpoint, or where it was necessary to change media and/or join like networks at a transformer.

    All in all this video was just affirmation that plc is interesting but a bad idea in many situations.

  9. This technology will be a problem in Australia as it causes interference to the (ham) radio amateurs on the HF bands. When a disaster happens it is the radio operators who provide communications in bush fires and floods, not the police or government. They do not have the resources or equipment.
    VK2JCC Australia

  10. Richard:
    You said you can get a “hash” from a “legal” PLC device at 5 miles away? Could you explain what you mean by hash? Do you mean OFDM recognition of the signal?
    Receiving the OFDM schema with a signal analyzer and decoding the data on the fly are quite different things from the decryption point of view.
