Smart Meters have been an increasingly important topic in the security industry. Their association with critical infrastructure causes them to affect many different industries.
There have been multiple vulnerabilities released for SCADA-related services in 2011 (CVE-2011-0517, CVE-2011-3322) and it's likely that the trend will continue through 2012, despite the growing attention to the insecurities.
Lately our company has begun the initial development of their own testing methodology around smart meter communication protocols.
As a part of this, we have begun development of a custom library that implements a C12.18 stack in Python. C12.18 is an ANSI defined protocol for two-way communication with electrical meters over an ANSI Type 2 Optical Probe.
Figure 1: Communication between the smart meter and the computer.
While reviewing the communication being used by a couple of smart meters, it was found that the user did not have to properly authenticate himself to read certain pieces of data. Despite sending invalid data in the security request to the smart meter, certain data tables could still be read.
More importantly, it was also found that some data could be written to the device without the use of a proper C12.18 Security Request. The password used to securely identify the user that is connected to the smart meter is exchanged in a C12.18 Security Request.
It was determined that even when an invalid value was provided, certain data could still be altered such as the device's ID.
The management software designed and distributed for the smart meters that implemented the C12.18 protocol is not freely available from the manufacturer. This software also lacked the robust protocol control necessary to perform much of the technical analysis.
During the review it was found that there was a startling lack of open source tools for C12.18 communication. As the need to secure smart meters continues to grow, there will be an influx of tools available to perform these sorts of audits. We will be releasing one of these tools in the near future.
Cross-posted from SecureState