Smart Meters are Vulnerable to this Attack
Vložit
- čas přidán 7. 03. 2022
- BECOME A PATREON!
/ recessim
Voltage glitching attacks have been documented for quite some time, now I am going to apply these well known techniques to extract the smart meters firmware for analysis.
Next video in the series: • What do Smart Meters a...
recessim.com/
/ bitbangingbytes
/ bitbangbytes
/ discord
github.com/BitBangingBytes
wiki.recessim.com/view/Advanc...
ChipWhisperer manual glitching python script used in this video:
github.com/BitBangingBytes/Gl... - Věda a technologie
I love how far this is going! I can't wait to see the final steps one day!
There is literally so much to hack and so much to learn! By the time I get close to done, they will install a new system and I get to attack all over again!
You need at Btc wallet address on your page....
Just subscribed.
I'm an old electronics engineer (in my 60's) and I find what you are doing, fascinating.
Back in the early days, all the microchips only had 8 legs, and I could see them all without a magnifying glass. 😁
Yea, I remember that… they also mostly had a single function and you could look at the board and figure out what it’s purpose was! Now I need a damn scanning electron microscope to figure anything out :)
That made me smile Larry, thanks. I found a CZcams, (I think), clip at one point where someone asked how big would a modern day computer be if it was built using valve technology. Whoever made the calculation used as a base model the last computer ever to be built by IBM, again I think, which used valve technology. He then used the tech data for that computer, how powerful it was and how large it was and then multiplied it up to fit the tech data of a modern super computer and the estimate finally came out at around 340 acres, fantastically unbelievable.
@@richardchurch9709 Imagine the power draw on something that size! I wonder if he factored in the massive power generation plants that would be required
@@AndrewAHayes The mind boggles Andy.
@@richardchurch9709 And, besides the physical size and electrical power requirements, the thing would never be stable (or even work at all) due to the sheer distances of all the wiring, which would induce signal delay, be susceptible to noise, etc.
I work alongside energy providers. A UK industry approved electric smart meter has 3 anti tamper switches built in. It sends a signal if any tamper is detected. It also flags if the meter doesn't pole within a given time frame. When it flags up we get the job to attend and investigate.
I have friends working on smart meter head-end APIs here in New Zealand who are quite interested in your vids funnily enough ;) Thanks for sharing!
We’ll ALL be looking at firmware soon… 😀
Awesome explanation! Thanks for sharing your learnings with us!
Thanks! Glad you enjoyed it. Working on the next one now to show how we control the glitch in time to go from random effects to controlled disruptions with repeatable results.
This is way above my head how you work it out but interesting what you are doing, and yeah i really do think we should know what kind of data is being shared with these companies 👍🏾
Great progress on this. Can't wait to see what happens next :)
Me too! :)
The local power company swapped out my meter to a smart meter a few months ago. For over 20 years I have always consumed between 205-270 kwh per month. First bill with the smart meter was 280 kwh, second 285. Two highest months I've ever had in 22 years here! Instead of electronically attacking the meter, I just pieced together everything I need to go off grid. I'm curious what the meter will read in a few months with my main breaker turned off!
Because 2nd ver of smart allows meters to "Factor". . .they easily know load on any branch, Factor function is adjustable, causing meter to indicate anything. Instead of 1, meter may indicate 1.001, or any value. You pay for a factored reading, not actual. The excuses for doing this vary from company . . .or state.
@@jsunit5354 Clearly I've been factored and fu@ked!
I built free energy devices I'm telling you you just take a toll and they still charge you taxes like probably $43 a month it's ridiculous they are on top of things and a lot of times just keep charging the same amount 140 or $259.61 it was one month and it'll be almost the same the next month which is completely impossible and ridiculous the thing is look at the killer watch and you can see it's half is less that month because of the device that I have hooked up and it'll say oh well the computer didn't get it will be sending you a check
You got to look at the kilowatts on the bottom part of the bill otherwise I'll just keep charging the same amount every month which is I know they're lying they just take a toll and if you call them on it you see the kilowatts is different and it still charging the same amount here's what they say oh the computer didn't get it yet so we'll be sending you a check for all those months
Electronic meters and electromechanical meters react differently on distorted currents, for example from a SMPS.
Great success! I've noticed my Aussie ones have an IR IO for the meter reader, but commonly now they have a 3G or 4G modem in them. Happy to solder up something myself for you to test.
Look forward to buying some meters used in other countries as well
@@RECESSIM I'm an electrician and can get access to plenty of them, noticed too on those modems they're just serial rx tx from the meter so that might be another non destructive way in!
They might be entirely relying on the cellular network for any encryption and just sending raw unencrypted data via serial port. Or perhaps no encryption and just hoping no one can see... :)
@@RECESSIM Modern meters do the encryption on the application level. You cannot trust the mobile network operator to do it.
@@WimTon The question is what’s deployed in the field, modern anything always fix the sins of the past.
your process reveals a ton of info, thank you
You mean the built in back door they engineered into all our chips. Gotcha...
I remember glitching from the days when I glitched DTV cards! very cool.
I remember hearing about that technique back then but never knew how it worked in-depth. Look forward to sharing exactly how it works over the next few videos!
Those were the Good Ole Days, the cat & mouse game was epic..
@@mrreddog agree!
I remember as well. They were called Unloopers. When your card was looped, it meant the death of it in the old smart card readers. The one way to fix it was to glitch it in an unlooper. They were expensive at first, but eventually cheap and necessary. Everyone had their favorite glitch settings, it was fun.
@@x1xBryanx1x exactly! they got good at that
My man! Excellent clip from Sneakers!
Love that movie!
No idea where this is gonna take you but I had to subscribe. Too damn cool!
First video of yours I've clicked on. Very intriguing subject. I definitely dig both the technical challenge and the phreaking. But, I'm 98% certain the current reading of the laws could put using this type of device to tamper with the truthful readings of an electric meter firmly in the illegal category... That said... Good stuff. Subscribed! 👍
98%? Ummmm 100 percent certain it’s illegal to do this to the meter one is using on their house! Anything used to defraud a utility….. well anyone really is illegal.
do these run an interface on a handset that accepts commands like an ip camera?(does it have a webserver for meter readers to use the handset?) sometimes those commands are passed as system and you can make it do interesting things like keep cycling a reboot until it goes to a debug mode where you can pull the entire file directory all firmware and drivers
Very cool. Having read Colin O'Flynn's new book, I'm looking forward to seeing you put some of those techniques to work. Good luck!
I really enjoyed that book as well, definitely worth the money to see state of the art attacks documented well.
Very interesting. My city currently does not have smart meters. The one on my place is digital but not connected to anything else and quite a few around town are the old analog ones. They are wanting to change that so they can do prepay, monthly average billing, and a few other things. I have heard that the way the digital ones figure a KWH is different than the old analog ones but have no clue. I have my own meter based off of an ESP32 running ESPHome hooked up to the main panel feeding data into HomeAssistant so it will be interesting if there is a difference from the old meter to the new ones if they are put in.
A bit of addition to "38911bytefree": there is no real requirement to keep the meter's firmware secret (mainly IP protection). As part of the security certification, the certifier may even get access to the source code to search for vulnerabilities. And in many cases, even the commented source code is pretty incomprehensible for the uninitiated.
The main protection is that every meter has individual cryptographic keys.
As smart meters are a very cost-sensitive product, all unnecessary functions are omitted (memory costs money). Often not more than an RTE such as a stripped-down ThreadX or embos. The attack surface is small, the devices use only one protocol (ANSI in the USA, DLMS in pretty much the rest of the world).
There is a guy who did a similar technique to break into a bit coin wallet, did you see that video?
Joe Grand? Yea, great video!
Yeah crypto is not as safe as it is supposed.
Now this has me pondering if there would be any useable benefits to employing such a method as this to automotive applications? Fascinating video sir and though, in the words of Sgt. Schultz, "I know nothing", I'll definitely be tagging along for this one. Thank you for the video!
Hacking our cars to unlock features we didn't pay for but are in it anyways is 100% the future
@@saxtonhine4843 No doubt about it I agree! To some degree though we've been doing a form of it for years, it just been called "modifying". At least from an analog standpoint haha! Where I am at with it is having the ability to flash a PCM/ECU for updates instead of taking a vehicle to a stealership. Honda already offers them for free for most of their's as far as I am aware. One just needs a VAG OBD cable I reckon and a laptop and they can perform drivetrain updates on them.
@@betterthannotgoodmtb Same with toyota ;)
You can catch up to see if they're skimming and they usually are because how could the power bill be the same amount 25169 and 251 60 next month completely impossible
but can you glitch automated fuel station to trigger plc to activate fuel pump relay
Nice work fella. Keep on a working with 0's and 1's for total control.
Appreciate that! Only 10 type of people in this world, those who understand binary and those who don’t get this joke! 😀
@@RECESSIM Right on binary brother. That is what control's literally the world right now. v
Wow. You are providing a great service. Love the movie clip
Great work, You have invested many hours! Do You have any idea on how people inject a frecuency thru a capacitor yo isiste from the 220 volts backwards tord the meter, I meen from inside a house and it confuses the meters sensor? Cheers from SOUTH AMÉRICA
Any idea how I can use a flipper zero on my meter ?
Since we are in real danger of an EMP attack, how would that effect these smart meters verses the older mechanical one?
Really like your videos, thanks for uploading them. Is their any chance that I could get a copy of your C code and python script that you used just for my own interest. Also the chip whisperer you used. Is that the CW 1173 lite version or some other ?
Correct, it’s the CW-lite. Happy to share any code, find me in discord or send me an email. The Glitchy app I have on GitHub might also be what you can use now.
github.com/BitBangingBytes/Glitchy
Amazing video, so detailed! Just curious, how do you get so much time to do such deep work on this? Are you a full-time cybersecurity analyst for smart meters or is this a personal interest/hobby?
I’ve just loved electronics, programming and reverse engineering since I was a kid. I keep trying to learn something new every day and over time it adds up.
I don’t have a particular draw to smart meters other than they are a fun target with RF, microcontrollers, lack of documentation and they’re deployed everywhere for long periods of time. A fun way to do black-box attacks… Like playing Chess ♟️
is this for energy? I would love to know how to rig electricity it is so expensive
really diggin' this.
Glad you like it! Thanks for commenting.
Reading the transmitted data would be interesting. There is a cell and a repeater network signal output. That's what an employee divulged.
This is so interesting!
Glad you enjoyed it
Good Ole HP48G ! Loved that thing. Now I need a backlight, so went with that HP.
last week another seeminly routine automatic windows10 update crashed my hard drive. to save updates it shut down came back on but this time error codes popping up nonstop. stop code system service exception, unexpected store exception, unexpected kernal mode, kernal data inpage error, error 87 & cleanup image is unknown. i googled the repair was directed to defaults in command software and had to set moduals installed to manual. somehow the update set it to auto. i got pc back to 70% working but anytime i try to google anything hardrive crashes again & again. its pooched
No wonder people don’t want to install updates 😳
Sounds like the problem is with windows and old hardware.
You might try putting some Linux on it
Even though I don't use these systems unless I flip on a switch in someone's establishment.
I have to say. This is the very thing that everyone should get involved in.
I have several ideas in this reversed engineering concept which we could all use today.
However there are not but a hand full of electrical engineers that have the honor and integrety to take on these tasks.
I wish I could work with this man on projects like this.
Even though my cousin is the inventor of the FIRST IC. I was never afforded training in electrical engineering, so I'm only an inventor.
But.....EVERYTHING STARTS IN THE MINDS UNDERSTANDING.
keep up the great work 👍
I'll be watching. Peace ,✌
Wow, you are related to Jack Kilby?
@@dakrontu
Yes sir. He was my cousin.
Peace ,✌
@@CKILBY-zu7fq I never met Jack Kilby. I did shake hands with J Fred and Mark Shepard while they were passing thru on goodwill tours, and I got a tour of the CIC computer system in Dallas (as I recall, 127 mag tape drives, tape numbers up in the 5 digits, 4 mainframe back-to-back redundant pairs each with about 4 MB of RAM (or maybe more, not sure, but RAM was small 4 decades ago), and a truck-size hole in the centre of the floor where they had to extend down to the floor below when they ran out of space, with hundreds of big black cables running down thru the hole). I never got to see the ASC. I was in Austin the weekend the gold was stolen (wasn't me!!!) and watched cars pass by with gold badgers going to investigate. I remember the deer in the grounds wore company badges, as did the automated mail delivery robot. Due to delays, our rental car was late being returned, so National Car Rental had informed the police to watch out for it, which may have tied in with suspicions about the gold heist.
@@dakrontu
wow brother. Thats awesome, so. How long did you work there.?
These are the stories.
So I have never been to the KILBY MUSEUM, have you been?
I would like to go one day.
Its so cool to chat with you.
You know?????
The gold went missing at the TRADE TOWER event.
They claimed it was evaporated.
But it impossible, otherwise the city would be covered in gold just like they coat glass.
SO.... I BELIEVE WE SEE THE USE OF THAT GOLD EACH DAY THIS TYPE OF PEOPLE IN OFFICE FIND WAY MORE MONEY THEN ANYONE ELSE.
So, it makes me wonder, who where why and how.
PEACE BRO.✌
@@CKILBY-zu7fq 8 years. As a software developer. Us softies were always treated as leftie 5th-columnists by the hardies. It was my time in the fast lane, travelling a lot. TI, the hire'em fire'em company, was boot camp for many new engineers. If you worked there and thrived, you were sought after. One of my colleagues was the guy who got company policy changed so he could wear Bermuda shorts to work. Engineering was a seat-of-the-pants activity back then. Today it is much more formalised.
Their lawyers are working full time.
My interest in your pursuit is mundane but has benefits to all of us who use the services of the electric companies.
While living in my mountain home in Costa Rica paying about $75.00 monthly one month it skyrocketed to $350. Thinking the decimal was erroneously positioned , I went to the GOVERNMENT electricity company( ICE) and waited to see an ICE rep. While in line two other people had a similar issue and we all allow could hear the ICEagent tell (accuse)both customers separately that THE CUSTOMER was responsible for the excessive monthly usage charge , claiming that the customer was having many lights on, cooking up excessive pork rinds, Ticos love making Chicharones, or that their was a short in their home electrical system and a few other made up contrivance!! Sadly the poor customer paid the bill. The EXACT accusations were leveled against me !! And under duress I paid my electric bill.
In the few days following on a local FB page I noticed a lawyer named Mauricio , who spoke perfect English and was a Fan and could recite passages verbatim of the Classic Movie
The Princess Bride,,, from San Jose, who has a rental property near the village of Ojochal was asking about anyone else incurring excessive electricity service charges!! Hmmmmmm. A random pattern was becoming Obvious! I'll cut to the chase ! I confronted the ICE agent with photos of my meter reading and asked for their recording of my meter reading and their reading was blatantly five times higher and apparently ICE was sporadically and without remorse continuing their fraud ! While THE Particular month's charge was adjusted they wouldn't lower or refund the previous months!!
I began demonstrating through local community media how to combat this fraud and then ICE started intermittently cutting my power and also threatening for me to move my meter from my house to a half mile away ! The resulting cost of that possibility had me bite my tongue and coupled with their border customs immigration service agent threatening to not allow me back into ( PURA VIDA) Costa Rica I decided to sell and return to the US.
Fast forward my to my new residence here in the Eastern Appachian foothills of Kentucky where I have a main cabin and an empty horse barn with one light in use and with a spot electric heater for a tool room I was being charged almost as much electricity for the barn as the main cabin which has all the normal appliances and then some.
So I performed a simple test. I deliberately ran the spot heater ,1500 watts , in my barn for an hour observed the usage showing on the Smart Meter display and then ran the heater in the main cabin for an hour and the meter reading was 3 times higher that the main cabin meter reading!!
So call my provider and alarmingly I notice similar condemnation of my usage as in Costa Rica. The agent said that the meter CANNOT be Manipulated or Hacked and I'm still waiting for a replacement meter and as of March 10th 2022 no replacement .
The claims of replacement of the previous Analogue meters with the present Smart meters is to have customers be charged more equitably for usage during peak hours of The Day and less at night when usage is less ,, well that is BS . Are we to NOW supposed to cook clean bathe perform work tasks from 7pm till 5 am ??
I think your quest may be more beneficial than you think!!
What do you think??
Thanks a lot for a very interesting comment! I've heard a number of stories like this, so I don't think you are alone. There are a lot of factors that could go into something like this, but regardless as a consumer I think it's hard to prove your case and have the power company care. They don't make money lowering people's bills or discovering issues that lead to less revenue!
@@RECESSIM Bypass the meter, "They steal from you , So you steal from them"
Some electricians would have no problem helping you.
Had a similar "glitch" with my power last winter, try deep-throating an $800 power bill...
Here in Aus, most of our meters are being replaced, so no real choice in that matter, and my issues were on a 'normal' power plan. Switched to the "smart" plan for testing on my new place - at least they can give me some data! (The fact that there is a time chart can allow me to precisely quantify this shit)
If you thought paying too much for power is crook, try getting a solar installation; after you generate more power than you consume, the utility stops counting the power (they USED to rack up a negative bill if you generated heaps, and managed to offset your usage + connection fee)
And recently, they dropped the value of generated power - such that you continue to pay top dollar, maybe 40% less...
It's funny seeing houses with all the kit necessary to run self-sufficiently, but doing the exact opposite!
Same thing happened to me. Notice that the News Consumer advocates will never cover this story about thieving utility companies and smart meters. They are too busy chasing Mexicans who cross the border illegally. They like coming after the poor and helpless who have no voice. But come after the big boys who steal a lot more. Nope. They stay away from that.
Consumer advocates are worthless.
I build free energy devices that pull from the environment to work well they save about 60% they have no moving parts it just goes to show that the AC current wire is leaked current sideways here's the thing I have people that obtain these devices and it shows the kilowatts being half as much and they're still charging the same amount for the month and you they called them and ask them why it's still the same and kilowatts is different and they said oh the computer didn't get it yet so we're going to go ahead and send you a check for every month that was off on a map the kilowatts changed on the bill but they still were charging them the same amount every month
I've got an old meter, if I install it what happens?
0:29 - Anybody remember how to defeat an electronic keypad from the 90s ?
- Don't even joke about that Martin, those things are impossible...
X'D
What app are you using to get the data sheets? Is it free, or what is the cost?
This is very interesting. Thank you
Lol...video brought back memories. I remember "glitching" HU satellite cards back in the early 2000s.
I am now hooked!
Thank you for showing the vulnerability of UK smartmeters.
Why not an ICD and brute force the bit flip?
I got questions
Can I hook my smart meter to a inverter .to block any data it's collecting .
Not really power usage data, it’s going to get that either way
@@RECESSIM
Is the new meter numbers calibrated to the old calculations of units of electricity??
How is flow of electricity measured?
Eagerly waiting for the next update 😬
Thanks, will try to post sooner if only to share progress so you aren't waiting forever!
Loving this
Hi how to get the same Model without Steel them? Its an Landisgyr E450 G3. And I guess the use a Custom FW.
You find them occasionally on auction sites such as eBay. The FW is totally custom. It is basically a hard-coded database with a process that writes the measurements and events to it, and a process that transmits the content at regular intervals to the power company. The processor is the somewhat exotic Renesas RX.
@@WimTon Well I dont know. Here the use Powerline ~50khz I see them transmitting via my SDR.
@@nowaymuller6643 The lower protocol layer is G3 PLC, ODFM modulated (G.9903). The data is encrypted with a key common to the physical network. The next layer is DLMS green book, an ASN.1 dialect. Encrypted with a meter-specific key, a network-specific key, or plaintext, depending on the use case. The data model is DLMS blue book.
you are a national asset.
You're amazing dude.
It would seem that anything digital can be hacked …… in time.
Precisely, if you are planning to let something live in the wild for a long time, you better also have a plan on how you address the inevitable vulnerabilities.
This is great!
I have been refusing smart meters for years now. Never was I going to let something like this even near my home.
Until now. Now I wanna explore these evil things. 😂
Haha!
can someone twell me what prducts he used to hack the smart meters?
I have been able to receive and decode the transmissions of these smart meters using a device that is readily available. It's based on a SDR. Do you have specific frequencies that they use because looking at some of the data sheets of these meters they can be interrogated over radio frequencies. They may be programmable over radio too.
The smart meter that was installed by the electric company in my house was done by some stupid woman that just killed the power to my house without even a warning. The next thing I hear is a banging noise as she is hammering on the old meter to get it free. I'm annoyed that the electric company can just come onto my property and install a radio transmitter without notification of any kind.
These meters by Landis+Gyr don’t work with the existing SDR tools to read meters. Working on some tools of my own though on GitHub. They operate in the 915MHz ISM band. 73
@@RECESSIM Great thanks for that info. I'm looking forward to trying out any new software in the near future. Thanks again. 73.
@@RECESSIM Don't hold your breath. For privacy reasons, there is the regulatory requirement that all consumption data must be encrypted. And for security reasons, commands to the meter are signed or MACed.
I think my smart meter is picking up multiphase, var freq motors pulses and running my bill up 30+% .
Who's the manufacturer of the meter and what power company uses it?
Landis+Gyr and a LOT of utilities use them, in Dallas Oncor and CoServ. You can search for BitBangingBytes on GitHub and see the gr-smart_meters code which lists a few utilities people have confirmed.
WHAT IF a neighbor has weaponized your smart meter and the EC WONT listen and it is being used against you with MUCH pain? it was changed in Feb with NO knowledge of the EC...PLS HELP???
What khz do they transmit on?
Usually on the mobile or ISM UHF frequencies, 820 to 950 MHz. PLC between 10 kHz and 500 kHz.
in my country there is no smarmeter network. they just dump prepaid meters. you enter code and enables more eletricty units
Here's a question with a problem this video would address... My water meter is wireless and 'read' by the water company from a truck that parks across the street. Ironically, or not so much, my water minimimal water draw is usually almost exactly the same every month... but 2-4 months for the past few years the meter 'reads' almost twice or more water randomly some months... there's NOTHING that draws an extra 1000-2000 gallons a month possible around here.. not even a dishwasher or clothes washer. My theory is the guy is occasionally reading the house across the street with a family of 5 that easily uses the spiked amounts I randomly see. They say nope, that's your water bill but it's not possible to randomly change like that over the past few years. They already made a $500 error misreading 1 first number a few years ago i had to fight to reconcile, them always telling me i'm wrong... but they found my old meter and a pic of it, and I was right about a 1,000 gallon over charge. So... I bet here is where we can figure out if they guy is getting 'mixed signals' from the wireless meters, or it's the mixed signals in their head I have to straighten out once and for all. You have your mission. What say you all?
I have a couple water meters I took apart, but crossed signals doesn’t seem likely. They probably transmit a serial number followed by your reading. The ones I have show the reeding with an analog odometer looking display. I would check to see if that matches your bill. If so, perhaps you have a problem pipe or something else causing water loss. If not, then perhaps it’s the meter, but I wouldn’t jump to that as the first thing.
Hash, good stuff. Distributech International is in your back yard May 23-25 with every smart meter manufacturer attending - in case you're interested. 🔌
Thanks for the tip! Probably a great event to check out what will eventually replace what I’m playing with now.
Oh thank heavens. You stil need physical access for attacks like this, so I'm fine with those. It's the potential for remote attacks that concern me most.
This is all just laying the ground work for a remote attack. First is physical to gather intelligence to construct a remote attack.
Glanced past your channel and it seems like you're more interested in the meter boards when all the juicy attack surface is on the multiple AMI chip vendors. FYI, what you're examining is simply the board that provides basic volt/amp/angle/phase info to the meter. Every single manufacturer has multiple RF/PLC chips that go into their meters. But I would hope you know that. For instance, that Landis & Gyr meter you show has no less than 20 companies making AMI chips for it. If you want to attack one, start with it's modulation interface which is always handled by the AMI vendor. You wanna reset your meter? Change the read? Disconnect/reconnect? Change the MAC address? Date/time? Intercept interval usage? Set outage notification? Voltage notifiers? Temperature? Tamper indication? All handled by the vendor chip.
Are you referring to the Teridian chip in the case of these meters?
Love it, go for it.
💪🏽
ive installed a bunch of mod chips and this is so cool.
Look forward to EVERYONE dumping firmware!
You need to be careful It is possible for a brownout to find reflash code and completely erase the flash in that Atmel processor.
Luckily I have a few meters to test on, but if one happens to wipe unexpectedly some protection or accidental activation of code could be the case like you mention.
Please tell me that the culmination of this work results in being able to pipe smart meter data into Home Assistant.
That’s a possible outcome of reverse engineering the smart meters and decoding the protocols, able to feed that data into other systems!
Ive been curious about these smart meters and wondering if there was even a way to read my usage and compare it to my IOTaWATT. This is really cool and takes that idea to the next level.
Subbed!
Thanks, seems a lot of people are curious like I am. We’re gonna keep digging until there’s no where left to go!
I like to find a way to make my light bill cheaper 😋
first time watcher.. you just showed up in my list of things to watch. Love this.. Ive used voltage glitching before, I have actually seen it done purposely by a manufacturer to prevent someone from using a generic version of a device in place of their proprietary.. send a voltage "glitch" and if the processor didnt behave as they expected they assumed it was a virgin device.. ive never messed with smart meters.. my area mostly is in messing with the chinese Air conditioners (mini splits).. to make them do what i want .. they also use Atmel micros.. so ill be interested in watching more vids to see how you spring these devices open
Thanks! That's interesting they used glitching as a way to check for an authentic device. What sort of device was this? High dollar specialized equipment or consumer grade? Playing with glitching tools has always been interesting to me, nice to make some videos to focus the learning a bit. Glad you enjoyed it.
@@RECESSIM High dollar.. it was a Voicemail system back in the late 90s.. the Voice processing cards were sold by the manufsacturer in generic form that anyone could buy.. the particuar voicemail company wanted you to buy their OEM named card which was 3X the price.. since the interwebs were new and everyone pirated everything.. the Special firmware was easy to get and field load.. so they turned to hardware.. they actually separated 2 of the Power supply pins.. or should I say they "burnt one out" and the chip would still work except for a certain function.. so the voicemail system called on that function.. if that function succeeded they new the board was generic even if the proprietary firmware was loaded.. most people gave up when the board didnt work out of the box.. a few more tried the firmware.. but only a few went further to dig.. wow if we only had today's debugging tools back then!!
@@eldoradoboy Wow! Yea, very interesting. Equipment like Smart Meters and other stuff with a long life in the field is very interesting to me for that exact reason. The tools to attack are progressing at a rapid pace, but the equipment in the field is still using yesterdays technology that becomes more vulnerable every day.
@@RECESSIM a lot of devices are built with a probable impact of breach engineering.. exploiting a smart meter and cracking the hashes related to turning on or off the power to the building has a High impact.. but hacking the meter with the intention of reduced cost electricity has a low impact.. the power company profiling is designed and getting better at detecting pattern changes in usage.. if they come to your house and determine the meter is "bad" ie recording 10% less than actual usage, then they replace it.. and expect to see an increase of 10% over prior profiles.. smart meters are pretty well protected against physical access since you get heavily fined by the power company if you cut the tag-lock and pull the meter.. in that case as a manufacturer you would design for highly secure comms but not necessarily so much against physical breach.. so if it can be hacked and firmware replaced OTA thats a HUGE vulnerability.. but if you have to open it up and JTAG it.. thats a non issue in the real world..
@@eldoradoboy Agree completely, getting the firmware is just to enable debug mode on a meter I control and to search for OTA vulnerabilities as you mention.
Awesome 🏴😁
Here from. Tik tok! Love the content.. Hardwear cracking was a interest of mine!
Thanks for following me! If I can clarify anything or answer any questions hit me up on TikTok/Twitter.
It is very annoying that smart meters report logging data back to base but not locally (although they do send data to the local display, so maybe one ca get useful local logging that way?) I just want logging data from my own meters. Doesn't seem unreasonable, but so far as I know is not provided.
This depends on your country and power supplier. For example, in the Netherlands, smart meters have a serial port (called "P1") that spits out the measurements every second. The UK has the option for a Zigbee-connected in-home display.
You can share the ' spec sheet ' of the firmware. Do some research of the BIOS wars and how cloned BIOS was done legally. They had 2 teams, first dug in the code and created a list of data points, pointers ( with different names than the original ) and basically a ' spec sheet ' of what it did, the second team took the data, a motherboard with no ROM and made their own. The ' team two ' aspect would be the rest of the world. It's still considered Case Law in the USA, just ask AMI Bios.
Thanks for reminding me of this, I remember reading about that.
Copyright law in the USA allows reverse engineering of software for the purpose of learning how it functions/behaves and to interface some new software with with the old software. So basically only the original code cannot be duplicated, but the API is fair game, and you can distribute a bit of foss (written from scratch) to access that api.
Yes that is what is known as cleanrooming, typically you would also have the companies patent lawyers looking over everything sent from the analysis team to the design team too. That is to say checking to make sure nothing slips though that would contaminate the new product, you don't want things slipping though that read like a paraphrasing of the competitors patent claims on one of the parts for example. So they are usually involved to make sure nobody opens the whole thing up to liability by being a little too on the nose with their documentation.
@@seraphina985 Thanks for the additional information, that’s very interesting!
It would be good to know how the smart meters work. But how will the help anyone?
I feel it’s one of those “I wonder if” situations. We could all just keep “wondering if” or we could take a look and see what’s actually there. But we can’t know what’s at the destination without going on the journey.
This is awesome
Google tracking is using proximity as well..targeting visitors to your home.
Sharing software in this case is not copyright related but it can still get you into trouble. Just doing it can get you into trouble.
The RGH hack for Xbox 360 lives on with this man haha!
So other than curiosity, what is the point ?
They're also always vulnerable to being simply removed from the circuit altogether.
@Recessim Why don;t use quarz lighter trick? Should be working like to other electronic device? Remove quarz from a lighter, then engage electric arc from quartz near lcd side. You must find in which side. Electronics must enter to a glitch and freeze. Try that for a new video.
That's a cool idea, I have seen that method and also EMP using some other tools NewAE make. As for the first one, to trigger a glitch at a very specific time like I will need to do in order to dump the firmware I think the lighter method would be hard.
I would need a way to reliably generate that spark at a specific microsecond after booting which isn't possible I think. But for general glitching I think it could work.
@@RECESSIM Just discharge. Thats all. In first minute of this video, you see the ideea. czcams.com/video/N31kQzxk7BQ/video.html
@@ciobanurivelino3844 You missed his point, how do you time the discharge exactly at the required time after a processor reset?
If that works, the designer did a bad job ...
Too less energy! One of the tricks I heard off, was to put a coil of a few turns in series with the flashbulb of a single-use camera.
thanks
very good .
I wrote software for two of these types of meters. They have two basic functions, to meter the power being used and to send it upstream to the power company. The former you can easily do without messing with the meter simply by hooking an ammeter arrangement up to (say) a Raspberry PI. You can even do that without breaking the circuit (non-contact ammeter). If you are interested in verifying your power bill is correct, that is the way to go.
The other purpose would be breaking into the billing part to scam the power company. It would be a lot of work to do, and the power company can do things like tally the individual meters against the power consumption for the whole neighborhood to trace down who has broken into their meter, resulting in anything from having your power cut off to jail time.
I agree with Scott just use an amp meter and record everything that the power is being used in the dally up to see if it lines up with the bill if they're charging you
Here's something I build free energy devices that work in the first state of matter and the thing is that these devices condition the house and save electricity about probably up to 60% sometimes the deal is they're not illegal or anything and they work well and sometimes I have to call him and tell him look the kilowatts is different but why you charge me the same amount and then they say well the computer didn't catch it yet and will be sending you a check
I agree with Scott. I would just comment that most smart meters also allow the provider to Factor the meter. Pick any value you wish, ie 1.10, which would have your meter read 1100 instead of 1000. The excuses are many, from fuel adjustment to peak-vs- non-peak periods. The factor can be changed at any time, easily handled by an algorithm in the program. It can be set to gradually increase the factor as a user consumes various levels; the first 1000KWh can be at a base-rate, then factor-up for usage beyond that level.
The first line of defense is "Our meters are very accurate. We constantly test to assure customer confidence in our product and service "
You can feel free to change the boiler-plate verbage as you wish.
How do we message you?
You can find links to Discord at www.RECESSIM.com or email me, hash at RECESSIM dot com
nice scope man
Thanks, recently upgraded and it’s nice to have some newer features like connecting to it via computer
Going to have to find a script to disable apps for incoming visitors!
I think I've been watching ur tiktoks for awhile
Thanks for checking out the CZcams channel
It is great how bad ass I feel, just by drinking half a bottle of sweet white wine and watching one reverse engineering hacking video on youtube...
Save the other half of the bottle for the next video I should have up in a day or two! Badass^2
What if firmware is updated
Wash, Rinse, Repeat
Reminds me of the old Directv HU card days.
What was the movie called 🤣
Which one, Sneakers of American Hustle! 😂
Will an EMP attack affect a smart meter ?
?
Same as any other electronic device, probably cause it to fail
A smart meter might be the last device to die. The normal electric mains is a quite hostile environment already, and meters must be able to withstand peaks of several kV.
This meters have really complex SW models regarding SW separation to protect the legally relevant sections that are sensitive since they are related to billing. On the other side, you cant hide (to their systems) that the meter has been tampered with, and even when you are able to do that, you will trigger alarms on their systems, as they keep analizing and comparing anything with your historic. I suggest you read the current regulations for this kind of devices and how Utilities work. This is, nice as project, never attemp that on a real billing device. They can submit the meter to its manufacturer for audit when in doubt. And yes, THIS IS THING. It is way more recilient than you think.
Thanks for your detailed comment, I’m interested in the overall design and security as it relates to devices like this living in the wild for 10+ years. Not really interested in stealing energy, but any vulnerabilities in the design are definitely of interest.
@@RECESSIM I know it is not you point of interest but probably some viewer could find this "useful" LOL. Sure they have vulnerabilities ... But even if you get the code, you wont find nothing interesting on it ... believe me. The metering part could be derived from some app note (or not), but ussually full of intricate stuff, with parts in ASM, digital filters etc. The application section ... you need to understand how a multi rate meter works, rate scheduling, profiles for Energy, RMS, billing, tons of logs, alarma controls, demand control ... and when you get into the protocol part, you will fell asleep if the meter is intended to be sell in Europe ... its implementation is probably as complex as a TCP / IP stack but useless outside this industry. This protocol models a generic device with n generic objects, implementes a number of logical servers ..... BORING AS HELL. It goal was to be "interoperable" ... LOL. If meters is intended to US market, probably still dealing with old ANSI legacy stuff ... but still pretty criptic since is table based mostly works under base addr + length read and writes. If you dont have the dictonary ... good luck.
@@38911bytefree that's what i was thinking - it would be an awful lot of work to go to to get caught stealing energy anyway!
@@billynomates920 Across the years analitics have been taken an important place. The solution that manage the Smart meter on field, is actually a suite of services, with different modules you can pay extra for. And one of their modules is Non Technical losses (basically .... fraud detection). 20 years ago, the meter was the money keeper ... a little "safe". Today they keep polling the meters so the dont need to rely on the meter as a "safe" anymore. More like and audit / telemtry device IMHO. Metering part can be very complex (avawy from calculations) but security, networking, data transport, protocols are probably more bigger and complex thant metering part itself. It is like a GPRS / PLC / ETH with Metering LOL. Some meter act as gateways or repeaters, helping to build up the network. It is a network device.
If he can gather the software for the specific meter he has… then he can always delete any tamper triggers. Shit… he can even change the Ratio at which he is charged to like… .10:1 for every dial increment rather than 10:1 😂 but… idk.
"Smart Meters are Vulnerable to this Attack..."
"What is a claw hammer?"
DING DING DING!
Hell yeah. Thats what I'm saying, but we will never see this type of Independence because we are out numbered by the other part of society that are the very reason why this garbage still exists.
Peace ,✌
@@CKILBY-zu7fq I don't know what you are talking about. I am not being sarcastic or rude, I just have no idea what your point is.
@@theephemeralglade1935
Another 💩🤡?
I'm in the acquiring hw fase. and reading the phabulous manuals fase. this will b fun. thx
Very cool, I've yet to meet a piece of hardware I didn't want to buy!
@@RECESSIM I'm jealous of your faraday cage with gloves and viewing window. Tots cool. I think I'd like to eventually test a whole multinode mesh with a gateway which will need a little more space. ya know... get the full experience.
@@awesomedee5421 Absolutely! If you put some connectors on the side you can run large devices externally and just cable their antenna's into the box. Then run smaller devices inside the cage. Adding attenuators on the devices with antenna connections help to drop power too.
Sounds like fun maybe when I was much younger . Have fun and screw with the system as much as possible. They need to know we can mess with then.
I agree completely, systems of power must be checked
In Australia Smart Meters are forced on all new home builders and any whom upgrade to solar. Including those who have battery backups. That said I'd like to ask you... Do you Consider the Smart meter to be a certifiable metering device?