

SLIDE 1

Neighborhood Watch: Security and Privacy Analysis of Automatic Meter Reading Systems

Presenter: Rob Miller

Ishtiaq Rouf, Hossen Mustafa, Miao Xu, Wenyuan Xu – Dept. of CSE, University of South Carolina
Rob Miller – Applied Communication Sciences
Marco Gruteser – WINLAB, Rutgers University

SLIDE 2

Electric Meters

  • Smart meters

– Demand-response
– Time of day use

  • Automatic meter reading (AMR)

– Gas, water, electricity
– 47 million installed (2010)

SLIDE 3

AMR — Overview

  • Communication protocols

– Telephone line
– Power line
– Wireless communication

  • Our focus

– Wireless communication with drive-by trucks

  • Transmission methods

– Electric meters: bubble-up once every 30 s

  • Meter IDs are linked with accounts

[Figure: AMR pipeline stages (Acquisition, Transmission, Processing, Billing)]

SLIDE 4

Misuse 1: Privacy

[Figure: an eavesdropper monitors consumption – “Empty house? Time to visit.”]

SLIDE 5

Misuse 2: Spoofing

Sending spoofed packets

– Selfish: “I want to pay less…”
– Bad neighbor: “I don’t like my neighbor…”

SLIDE 6

AMR — To Be Discovered

  • Reverse engineer the communication protocol?

– Are messages encrypted? Authenticated?

  • How easy is it to spoof AMR communication?

– Do drive-by trucks reject suspicious packets?

  • Privacy risks?

– How much information can be inferred?

  • How to protect AMR communication?

SLIDE 7

Q1: Reverse-Engineering Wireless Communication

  • Proprietary protocols – known from the patent:

– Manchester encoding
– Multiple channels
– Message formats

  • Equipment

[Figure: a gas meter, an electric meter, a Sentry 900, a Universal Software Radio Peripheral (USRP)]

  • To be discovered

– Modulation scheme?
– Baud rate, channel information?
– Messages encrypted?

SLIDE 8

Q1: Reverse-Engineering Walk-Through

An AMR meter transmits at 902–928 MHz.

Scan at 902–928 MHz for activity → Determine modulation: OOK → Determine encoding scheme: Manchester → Determine baud rate: 16 kBd → Verify message format

[Figure: received signal strength (RSS) vs. sample index]
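The Manchester step of this walk-through, as an added example written for this page (it is not the authors' decoder). It models the chain the slide describes at the bit level: data bits become half-bit chips, the chips become an OOK envelope at 16 kBd, and a receiver slices the envelope back into chips by majority vote before collapsing pairs into bits. Assumptions, all constructed: IEEE 802.3 polarity (a 1 is a low-to-high chip pair), a 256 kS/s receiver sample rate, an ideal envelope, and the meter ID 31415926 from the spoofing-validation slide reused only as test data.

```python
"""Manchester encoding over an OOK envelope, as in the reverse-engineering walk-through.

Added example, not the authors' code. Assumptions (constructed): IEEE 802.3 polarity
(1 = low-to-high chip pair), a 256 kS/s receiver sample rate, and an ideal envelope.
"""
from typing import List

BAUD = 16_000                                 # 16 kBd, the rate found in the walk-through
SAMPLE_RATE = 256_000                         # assumed receiver sample rate
SAMPLES_PER_CHIP = SAMPLE_RATE // (2 * BAUD)  # a bit is two half-bit chips of 8 samples each

# Assumed polarity (IEEE 802.3): 1 -> (low, high), 0 -> (high, low).
ENCODE = {1: (0, 1), 0: (1, 0)}
DECODE = {chips: bit for bit, chips in ENCODE.items()}


def manchester_encode(bits: List[int]) -> List[int]:
    """Expand each data bit into its two-chip Manchester symbol."""
    chips: List[int] = []
    for b in bits:
        chips.extend(ENCODE[b])
    return chips


def manchester_decode(chips: List[int]) -> List[int]:
    """Collapse chip pairs back to bits; (0,0) and (1,1) are invalid and mean lost sync or noise."""
    if len(chips) % 2:
        raise ValueError("odd number of chips: lost synchronisation")
    bits: List[int] = []
    for i in range(0, len(chips), 2):
        pair = (chips[i], chips[i + 1])
        if pair not in DECODE:
            raise ValueError(f"invalid Manchester pair {pair} at chip {i}")
        bits.append(DECODE[pair])
    return bits


def chips_to_envelope(chips: List[int], amplitude: float = 1.0) -> List[float]:
    """Model an ideal OOK transmitter: carrier on (amplitude) or off (0) for one chip period."""
    return [amplitude * c for c in chips for _ in range(SAMPLES_PER_CHIP)]


def envelope_to_chips(samples: List[float], threshold: float = 0.5) -> List[int]:
    """Slice a demodulated OOK envelope into chips by majority vote over each chip window."""
    chips: List[int] = []
    for start in range(0, len(samples) - SAMPLES_PER_CHIP + 1, SAMPLES_PER_CHIP):
        window = samples[start:start + SAMPLES_PER_CHIP]
        high = sum(1 for s in window if s > threshold)
        chips.append(1 if 2 * high > len(window) else 0)
    return chips


def int_to_bits(value: int, width: int) -> List[int]:
    """Most-significant bit first."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_int(bits: List[int]) -> int:
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def roundtrip(value: int, width: int = 32, glitch_every: int = 0) -> int:
    """Encode an integer field, push it through the modelled channel and decode it again.

    glitch_every > 0 inverts every n-th envelope sample (a constructed impairment). With
    n >= 3 fewer than half the samples of any 8-sample chip window are hit, so the majority
    vote still recovers every chip; with n = 2 the vote ties and decoding fails.
    """
    samples = chips_to_envelope(manchester_encode(int_to_bits(value, width)))
    if glitch_every:
        for i in range(0, len(samples), glitch_every):
            samples[i] = 1.0 - samples[i]
    return bits_to_int(manchester_decode(envelope_to_chips(samples)))


if __name__ == "__main__":
    print(roundtrip(31415926, glitch_every=3))  # meter ID from the validation slide, as test data
```

The invalid-pair check is the practical payoff of Manchester for a receiver: a (0,0) or (1,1) pair tells the slicer it has lost chip alignment, which is how a scanner distinguishes a real frame from noise before it ever looks at a checksum.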

SLIDE 9

Q1: Reverse-Engineering Results

  • Observations

– Reverse engineering possible
– No encryption
– Meter ID transmitted in plaintext
– Simple frequency hopping → pre-determined channels

SLIDE 10

Q2: Packet Spoofing

  • How likely to spoof AMR communication?

– Security mechanisms in receiver?
– Override real meter transmission?

  • Spoofing System

– Developed a packet generator
    • Includes a proper checksum
    • Contains arbitrary ID, usage data, etc.
– Tested on a few instruments:
    • Sentry 900 validates packet structure
    • Drive-by truck validates…

[Figure: packet generator pipeline – select meter ID, tamper field and reading; encode (Manchester); modulate (ASK); transmit at 916 MHz]

SLIDE 11

Q2: Spoofing Validation

[Figure: spoofing validation – Meter ID: 31415926, Reading: 1233]

SLIDE 12

Q3: Privacy Risks via Eavesdropping

  • Eavesdropping System

– Gas meters and electric meters
– Developed a live eavesdropper

  • How likely to eavesdrop?

– How far away?
– How many observable meters?
– How much information?

[Figure: eavesdropping experiment setup – electric meters and antenna; received signal strength (RSS) vs. sample index]

SLIDE 13

Q2: How to link a meter ID with a house?

SLIDE 14

Q3: Privacy Risks – Neighborhood Watch

Eavesdropping range can be significantly boosted by a low-noise amplifier

[Figure: eavesdropping range – 70 m and 300 m]

SLIDE 15

Privacy Risks from Traditional Methods

[Figure: meter front – infrared LED (flashes once per watt-hour of usage), digitized display, dot on-off display, ERT (Encoder, Receiver, Transmitter) module; IR flash detection circuit]

  • Privacy risks from

– IR flash
– LCD display

  • Which one is the worst?
SLIDE 16

Privacy Breach Comparison

[Figure: one-day power (kW) traces, 12 pm to 12 pm, for a water heater and a washing machine as observed via IR/image and via RF at 120, 25 and 6 packets per hour (pph)]

  • # of step changes (time-of-day use)

– IR/Image: 50
– RF (120 pph): 17
– RF (25 pph): 15
– RF (6 pph): 11
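To make the packets-per-hour comparison concrete, here is an added example (not the authors' analysis code) that builds a constructed one-day load profile with a water heater and a washing machine, reads the cumulative register at several reporting rates the way an eavesdropper would, and counts the step changes left in each view. The appliance schedule, the 300 W baseline, the 400 W step threshold and the rates are assumptions; 120 pph corresponds to the 30 s bubble-up period from slide 3.

```python
"""How the AMR reporting rate bounds what an observer can infer about appliance use.

Added example, not the authors' analysis code. The appliance schedule, the baseline,
the 400 W step threshold and the reporting rates are constructed assumptions.
"""
from typing import Dict, List, Tuple

SECONDS_PER_DAY = 24 * 3600
BASELINE_W = 300  # constructed always-on load

# Constructed schedule: (start second, duration in seconds, watts)
EVENTS: List[Tuple[int, int, int]] = [
    (6 * 3600, 20 * 60, 4000), (12 * 3600, 20 * 60, 4000), (18 * 3600, 20 * 60, 4000),  # water heater
    (9 * 3600, 10 * 60, 1500), (9 * 3600 + 15 * 60, 10 * 60, 1500),                      # washing machine
    (9 * 3600 + 30 * 60, 10 * 60, 1500),                                                 # heating/spin bursts
]


def power_profile(events=EVENTS, baseline: int = BASELINE_W) -> List[int]:
    """Second-resolution load in watts: roughly what an IR flash counter or a camera sees."""
    profile = [baseline] * SECONDS_PER_DAY
    for start, duration, watts in events:
        for second in range(start, start + duration):
            profile[second] += watts
    return profile


def cumulative_register(profile: List[int]) -> List[int]:
    """The meter's cumulative register in watt-seconds; index s is energy consumed before second s."""
    register = [0]
    for watts in profile:
        register.append(register[-1] + watts)
    return register


def reported_average_power(profile: List[int], pph: int) -> List[float]:
    """Average watts per reporting interval when the meter bubbles up `pph` packets per hour.

    Each packet carries only the register value, so the finest view an eavesdropper gets is
    the difference between consecutive packets divided by the interval length.
    """
    if 3600 % pph or SECONDS_PER_DAY % (3600 // pph):
        raise ValueError("pph must divide the hour and the day evenly in this model")
    interval = 3600 // pph
    register = cumulative_register(profile)
    return [(register[s + interval] - register[s]) / interval
            for s in range(0, SECONDS_PER_DAY, interval)]


def count_step_changes(averages: List[float], threshold_w: float = 400) -> int:
    """A step change is what an observer would attribute to an appliance switching on or off."""
    return sum(1 for a, b in zip(averages, averages[1:]) if abs(b - a) > threshold_w)


def steps_by_rate(rates=(120, 12, 4, 2, 1)) -> Dict[int, int]:
    """Step changes visible at each reporting rate for the constructed day."""
    profile = power_profile()
    return {pph: count_step_changes(reported_average_power(profile, pph)) for pph in rates}


if __name__ == "__main__":
    for pph, steps in steps_by_rate().items():
        print(f"{pph:4d} packets/hour -> {steps:2d} step changes")
```

Because the constructed schedule lies on five-minute boundaries, the two fastest rates see every switch edge; coarser intervals average the three washing-machine bursts into one or two blocks and the count drops. On real traces an interval that straddles an edge can also add an intermediate step, so the slide's numbers are a trend rather than a strict rule, but the direction is the one the defense discussion relies on: fewer packets per hour means fewer inferable events.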

SLIDE 17

Neighborhood Watch Via Eavesdropping

SLIDE 18

Defense - Legacy meters

  • Cryptographic mechanisms

– Transmit on-demand
– Reinstall new meter or upgrade firmware?

  • Spoofing

– Radio fingerprint
– Anomaly detection at data center
– In-person visual inspection

  • Eavesdropping: jammer add-on

– A jamming signal to mask data packets
– Works with drive-by trucks
– Narrowband jammer → 1 AMR meter
– Wideband jammer → multiple AMR meters
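One shape the "anomaly detection at data center" item could take, as an added example that is not from the paper or the presenters: plausibility rules applied to readings after they reach the billing back end, where the meter's account history is available even though the radio packets themselves carry no proof of origin. The record layout, the 50 kW residential ceiling, the registry and the sample readings are constructed; 31415926 is reused from the spoofing-validation slide as a sample ID.

```python
"""Back-end plausibility checks on AMR readings, one realisation of the
"anomaly detection at data center" defense. Added example, not the authors' code.
The record layout, the 50 kW ceiling, the registry and the sample readings are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Reading:
    ts: int          # seconds since epoch at reception (constructed)
    meter_id: int
    register: int    # cumulative consumption in watt-hours, as carried in the packet
    tamper: int      # tamper field as reported in the packet


MAX_RATE_WH_PER_S = 50_000 / 3600  # assumed ceiling for a residential service: 50 kW


def check_readings(readings: List[Reading], registry: Set[int],
                   max_rate: float = MAX_RATE_WH_PER_S) -> List[Tuple[int, str]]:
    """Flag readings that cannot come from a healthy, genuine meter.

    The cumulative register never runs backwards, consumption between two readings cannot
    exceed the service rating, the ID must belong to a meter the utility actually deployed,
    and a raised tamper field is worth a visit. A flagged reading is not used as the
    baseline for the next comparison, so one bad packet does not poison later checks.
    """
    alerts: List[Tuple[int, str]] = []
    last_good: Dict[int, Reading] = {}
    for r in sorted(readings, key=lambda x: x.ts):
        problems: List[str] = []
        if r.meter_id not in registry:
            problems.append("unknown meter id")
        else:
            prev = last_good.get(r.meter_id)
            if prev is not None and r.ts > prev.ts:
                if r.register < prev.register:
                    problems.append("register decreased")
                elif (r.register - prev.register) / (r.ts - prev.ts) > max_rate:
                    problems.append("implausible consumption rate")
            if r.tamper:
                problems.append("tamper flag set")
        if problems:
            alerts.extend((r.meter_id, p) for p in problems)
        else:
            last_good[r.meter_id] = r
    return alerts


# Constructed registry and sample readings (30 s apart, matching the bubble-up period).
REGISTRY: Set[int] = {31415926, 27182818, 16180339}
SAMPLE_READINGS: List[Reading] = [
    Reading(0,  31415926, 100_000, 0),
    Reading(30, 31415926, 100_030, 0),   # about 3.6 kW: fine
    Reading(60, 31415926,  99_000, 0),   # register ran backwards
    Reading(90, 31415926, 100_090, 0),   # consistent with the last good reading again
    Reading(0,  27182818,   5_000, 0),
    Reading(30, 27182818,   6_000, 0),   # 1 kWh in 30 s is 120 kW: beyond the service rating
    Reading(0,  16180339,     700, 0),
    Reading(30, 16180339,     710, 1),   # tamper field raised
    Reading(0,  99999999,      42, 0),   # ID not in the registry
]


if __name__ == "__main__":
    for meter_id, problem in check_readings(SAMPLE_READINGS, REGISTRY):
        print(f"meter {meter_id}: {problem}")
```

Radio fingerprinting and visual inspection, the other two items on the slide, need the receiver or a person on site; these checks need only the billing database, and they catch the crude cases the spoofing slides demonstrate, such as a reading lower than the last genuine one or an ID the utility never issued.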

SLIDE 19

Conclusions

  • Privacy risks

– AMR messages are transmitted in plaintext → anyone can eavesdrop
– Able to eavesdrop on 500 electric meters using a USRP with cheap antennas
– Eavesdropping range of about 300 meters

  • Spoofing risks

– Spoofing attacks are possible

  • Raise awareness before more serious security and privacy vulnerabilities emerge
  • Jamming-based protection
  • I. Rouf, H. Mustafa, M. Xu, W. Xu, R. Miller, and M. Gruteser, “Neighborhood Watch: Security and Privacy Analysis of Automatic Meter Reading Systems”, ACM Conference on Computer and Communications Security (CCS), October 2012.

SLIDE 20

Thank you & Questions?

  • University of South Carolina

– Ishtiaq Rouf (Itron)
– Hossen Mustafa
– Miao Xu
– Wenyuan Xu (wyxu@cse.sc.edu)

  • Applied Communication Sciences

– Rob Miller (rmiller@appcomsci.com)

  • Rutgers University

– Marco Gruteser (gruteser@winlab.rutgers.edu)