Remoticon 2021 // Hash Salehi Outsmarts His Smart Meter

Smart meters form mesh networks among themselves and transmit your usage data all around. Some of them even allow the power company to turn off your power remotely, through the mesh. You might want to know if any of this information is sensitive, or if the power shutdown system has got glaring security flaws and random people could just turn your house off. Hash Salehi has set out to get inside these meters, and luckily for the rest of us, he was kind enough to share his findings during Remoticon 2021. It’s a journey filled with wonderful tidbits about GNU Radio, embedded devices, and running your own power company inside a Faraday cage.

The smart meter in question is deployed by a power company known as Oncor in the Dallas, Texas, area. These particular meters form an extensive mesh network using an onboard ZigBee module that allows them to pass messages amongst themselves; the messages eventually make their way to a collector or aggregator to be uploaded to a more central location. Hash obtained his parts via everyone’s favorite online auction house and was surprised to see how many parts were available. Then, with parts in hand, he began all the usual reverse engineering tricks: SDR, Faraday cages, flash chip readers, and recreating the schematic.

To continue further down the rabbit hole, Hash took a two-pronged approach and started poring over the firmware (over 300 kB) and attempting to capture traffic in his area. Starting with just listening on one channel, he expanded to listen on all 240-260 channels but found that listening on each channel separately was eating all the compute power he threw at it. A talk from GNU Radio Conference gave him the inspiration needed to employ a frequency hopping approach that allowed him to decode all the packets. A drive down a freeway with an antenna in his car allowed him to capture fascinating graphs showing the area’s meters and how long they’ve had uptime.

The true test of understanding the protocol isn’t just receiving, however. He would also like to send some packets. But, of course, the power companies wouldn’t be too thrilled with rogue actors on their network, regardless of intentions. So Hash needed his own network, effectively starting a power company that doesn’t provide any power.

He had previously bought a collector and found a whole Intel processor inside running Windows 7 Embedded. The main program was .NET, so that makes it trivial to tweak. Now that he had a receiver, it was time to make a transmitter he could control. He’s still working on that, but it’s all out in the open on GitHub and other places. The coolest trick here is his workaround for the frequency hopping schedule that the receivers expect: he simply broadcasts on all 240 channels at once! Gotta love SDRs.

This is clearly not a weekend project, and we have had a Hack Chat with Hash about smart meters before if you’re interested. We’re looking forward to what else he discovers.

26 thoughts on “Remoticon 2021 // Hash Salehi Outsmarts His Smart Meter”

  1. Whatever happened to Broadband over powerlines that was supposed to give rural users internet and wipe out the HF spectrum? Even a little of that would have made all this Zigbee stuff moot. After all they have all those wires all over the place. Obviously this would have been even less secure than what is presented here. As with so many other instances smart=dumb.

    1. Running cable is much more expensive. Using existing cable company was a non starter…they wanted to let utility use only 6 kHz at low (i.e. noisy) freqs
      …and it would be a party line (shared among 100’s to 1000’s of meters)…so your ops would need hrs and hrs to upload hourly usage from all the meters. Outage would have a combination of polling meters and a “last gasp” message from meter to head end.

  2. “ Hash Salehi has set out to get inside these meters, and luckily …”
    I really hoped that sentence was going to end “… the devices and their communication proved heavily encrypted and impregnable.”

    Hash being able to decode it all doesn’t seem “lucky” to me.. 😭

    Thankfully I’ve still avoided getting a smart meter. My power company realised it was cheaper to just ask me to report myself once a month.

    1. “Thankfully I’ve still avoided getting a smart meter. My power company realised it was cheaper to just ask me to report myself once a month.” i feel the opposite way…i’m glad i got a smart meter. it means i don’t have to feel bad about failing to keep all the thorn bushes far from the meter, because there’s no meter reader going back there every month. plus, there’s no surprising interactions with strangers going around my back way. ironically, sharing my power consumption information with anyone that cares to know actually increases my effective privacy.

      i think this is a core lesson from opsec. security is not some abstract thing, it is dependent on the operation. i don’t have any operational need to hide the hours when i run my dryer or oven, and i do have a (mild) operational preference not to have people stomping through my yard. so this unambiguously improves my security.

      of course, if one of my neighbors starts monkeying around and turning my power off, i’ll feel rather differently! but as plausible as that result seems, my non-battery-backed pc has 406 days of uptime…i remember that power outage 406 days ago. one of my neighbors hacked the power grid with their car and a bottle of vodka. quite amazingly, the electric company dragged off the car and the old pole and put up a new one all between the hours of 2am and 6am, before i even woke up. real operational durability always ultimately comes down to the ability to respond to incidents, whatever they are.

      1. 406 days? WOW!

        I’d love 46 days.

        Or, for that matter, two weeks.

        Unfortunately, that is a dream. The mean downtime over the last ten years has been over two weeks per year. A couple long ones due to major weather events, but MTBF has been less than a fortnight over this time frame, with most of the failures falling into the sub-15 minute frame that is, apparently, not reported. When I moved in ten years (and 6 months) ago, I plugged in a classic office clock with day and date from the 1960’s. I have an accurate downtime total for the period, and the utility response is that they recommend that all of their customers have a backup generator, which they will happily have their partner contractor install.

        If you have solar, on the other hand, they fought tooth and nail to have the system shut down during utility outage (not just disconnect from the utility like with a backup gen, but shut down) so on a sunny summer mid-day, the generator starts to power your 1 kW AC unit, rather than the 5 kW of solar powering it.

        They had a “surcharge” for “Infrastructure upgrade” on the bill for years. Never did any, but paid industry high dividends.

        Smart meter? No way. Never.

      2. Not sure why they need a Windows computer inside a smart meter (consuming power) where a microcontroller could do the work.
        If they don’t care about security then it should only report usage and not enable any remote switching on/off of the power.
        It’s never a problem until it happens, just the wrong attitude from the electrical company.

        1. It’s not the smart meter that has the Windows PC, it’s the device that collects all the data from the smart meters and forwards it on to the central power company servers.

        2. My smart meter does have remote shut-off capability, a lookup for the model number lists it as a capability. As for choosing not to get one, well, they were going to charge me if they had to send out a meter-reader every month. However, they were going to raise the rates to fund the switch-over, so there was going to be an increased overhead fee either way.

      3. Will you change your mind when you start paying variable rates per kWh depending on grid demand? Or depending on which device inside your home is drawing the power? Ie your EV or luxury items like a hot tub or a freezer…

        No smart meter thanks.
        Rule #483: Anything with smart in the name invariably is there to make money from you.

        1. i mean, no? i don’t think that forcing them to apply a single flat rate is necessarily some sort of panacea. and i am in favor of things to more accurately pass costs through to consumers. for example, if electricity is cheaper in the daylight because of all the solar capacity, i think it’s efficient to represent that to the end user. *shrug*

          i know they’ll use it to try to wring money out of me, but i don’t think that’s any different than any other billing system. that part is taken for granted. i just expect my power company to know how i use electricity, just like i know my telco knows about my phone calls. i’m not crazy about their attempts to charge me for financing (“fixed bill”) but fundamentally i just want a good service at a price i can afford, the details don’t matter. if electricity becomes unreasonably expensive, i probably wouldn’t be a fan, but it might be possible to convince me it’s good climate policy or at least a fair representation of the resources consumed.

          1. On the report I get from the electric company they estimate how much my electric water heater uses.

            I don’t have an electric water heater.

            If you think this is about accuracy – it’s not. It’s about hiding price increases that aren’t represented by cost increases.

          1. So the current rate will be the night time rate and everything else will be more expensive from that point onward.
            If you really think a for profit power company is going to treat you fairly, I have a bridge to sell you.

            Oh and BTW we have someone bidding a higher price for electric than you are and there is a lack of power. So we’re going to cut you off for 3 hours. But don’t worry, the battery pack you bought or your connected EV will work as a UPS on your dime.

          2. dave, power delivery is kind of organizationally and politically complicated. it’s not really adequately described by “a for profit power company”. distribution and production can be decoupled. a lot of times, especially in rural markets, distribution is handled by a user-owned or employee-owned cooperative. they are both heavily regulated, like in indiana all rate changes have to be approved by the state’s Public Utility Commission.

            this isn’t to say that they aren’t gonna screw you over. even if they weren’t regulated, old fashioned spinning meters wouldn’t prevent them from hiking prices! but what i am saying is that if you want to ensure that they have fair prices, that the overall market is healthy and that there aren’t artificial constraints on supply, or that the constraints on supply align with your values. if you care how you are billed. the place to achieve that goal is generally in state politics. the technology in your meter doesn’t make any difference if you’ve lost the political battle. they will gouge you regardless.

            in most states, this doesn’t paint a rosy picture.

  3. > You might want to know if any of this information is sensitive, or if the power shutdown system has got glaring security flaws and random people could just turn your house off.

    I worked on writing a driver for one utility energy meter once… the protocol used AES-256-CBC to provide confidentiality.

    The AES-256 key is set to a trivial key at the factory.

    The configuration software for said meter provided no mechanism to change that factory-default trivial key.

  4. I work with smart meters in Poland. Now they all use either wireless mbus or are read one by one with optical IR reader. Those with wmbus are now all encrypted, but several years ago some had either full zeros or one key for all meters. Now each one has its own key and some electricity providers even provide that key on request so that you could read your meter yourself with any compatible device. My company makes a system to provide that data from different companies to users, but we are still ramping that up.
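The two comments above describe the same key-management failures: a trivial factory-default AES-256 key with no way to change it, and wmbus meters shipped with all-zero keys or one key for every meter. The audit below is an added example (not from the talk, Oncor, or any vendor tool) that flags exactly those conditions in a constructed list of meter keys; the meter ids and keys are made up for illustration.

```python
"""Audit meter symmetric keys for all-zero, trivial, and fleet-shared keys.
Added example; not from the talk or any vendor tool. All inputs are constructed."""
from collections import Counter

KEY_LEN = 32  # AES-256 key length in bytes

# Constructed sample fleet (meter id -> key as hex). Not real meter data.
SAMPLE_FLEET = {
    "meter-0001": "00" * KEY_LEN,               # never provisioned
    "meter-0002": "ff" * KEY_LEN,               # single repeated byte
    "meter-0003": bytes(range(KEY_LEN)).hex(),  # 00 01 02 ... 1f
    "meter-0004": "c2ee07193f4d55688a9cb1d6e0f25a7b84c9dee3f708162a3c4e5f617283a4b5",
    "meter-0005": "c2ee07193f4d55688a9cb1d6e0f25a7b84c9dee3f708162a3c4e5f617283a4b5",  # same key as 0004
    "meter-0006": "10375c8ea1b9c4d2e7f3091f263b48526d75839aa6bdc9d8eefa04132e445b61",
}


def key_findings(key_hex: str) -> list[str]:
    """Weaknesses detectable from a single key, without fleet context."""
    key = bytes.fromhex(key_hex)
    findings = []
    if len(key) != KEY_LEN:
        findings.append("wrong-length")
    distinct = len(set(key))
    if key == bytes(len(key)):
        findings.append("all-zero")
    elif distinct == 1:
        findings.append("repeated-byte")
    # Counting pattern: every adjacent byte pair differs by the same non-zero step.
    if len(key) >= 4:
        step = (key[1] - key[0]) % 256
        if step and all((key[i + 1] - key[i]) % 256 == step for i in range(len(key) - 1)):
            findings.append("sequential")
    # Fewer than half the bytes distinct suggests a typed key, not a generated one.
    if distinct < len(key) // 2:
        findings.append("low-diversity")
    return findings


def audit_fleet(fleet: dict[str, str]) -> dict[str, list[str]]:
    """Per-key checks plus a cross-meter check for one key reused on many meters."""
    report = {meter: key_findings(k) for meter, k in fleet.items()}
    reuse = Counter(k.lower() for k in fleet.values())
    for meter, k in fleet.items():
        if reuse[k.lower()] > 1:
            report[meter].append("shared-key")
    return report


if __name__ == "__main__":
    for meter, findings in audit_fleet(SAMPLE_FLEET).items():
        print(meter, "OK" if not findings else ", ".join(findings))
```

Only meter-0006 passes; a real deployment would run the same checks against the provisioning database before meters leave the depot.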

  5. We’ve had a full rollout of smart meters here in Norway over the past few years. A good portion of these are made by Aidon, which use Wirepas mesh:

    I’m not the right guy to do a deep-dive into their claims of end-to-end encryption, but I do have some experience working with and deploying Haltian’s Thingsee sensors and RuuviTags with Wirepas firmware. To the best of my knowledge theirs is the only proper self-healing, self-configuring, all-nodes-are-equal* mesh tech out there. The mesh sensors I have at work and at home are always “online” and report measurements every couple of minutes for at least 1-2 years on two AAA batteries. Equally chatty RuuviTags run for months on a single CR2450.

    I also have some experience with Zigbee and Z-wave, and they just don’t measure up.

    *(except edge gateways of course, which provide Internet uplink)

  6. Smart meters are great. I love that I can use a simple, cheap SDR to monitor my entire home’s energy consumption. Also makes it easy to know if/when the power company over bills your usage. It’s also nice that we don’t have to make sure a meter reader can access the meter every month to take a reading. And there’s no need to report power outages anymore, as the power company knows instantly when a meter goes offline.
