You can now hack electricity meters in Spain

Electricity meters in Spain can be hacked quite easily, and it seems that the electricity companies do not care at all that any user can leave an entire block without electricity, and even alter the recorded consumption or change the electrical power of a remote management meter. The well-known cybersecurity firm Tarlogic has been working for some years to verify the security of the remote management meters that are used in the vast majority of our homes. Given that, according to the electricity companies, there is nothing to fix, the firm has launched at RootedCON 2022 a hardware tool and all the software necessary to exploit the different security holes. Do you want to know how an electricity meter can be hacked in Spain?

What does the smart electricity meter do?

The vast majority of electricity customers in Spain have a remote management meter, and regardless of the distributor in your area, this remote management meter is almost certainly exactly the same. The meter is responsible for measuring the electricity consumption of the home, so if it can be hacked, the consumption figures it has recorded could be altered.

One of the settings of these electricity meters limits the power contracted through the electricity retailer. Imagine that we have contracted a power of 3 kW in our home: if we exceed this value for a certain time, the meter automatically cuts off the electricity and we have to reset it in the electrical panel of our home. If an attacker is able to modify this contracted power and set it, for example, to 1 kW, the affected person will almost certainly have their electricity cut off continuously, because their consumption is greater than 1 kW.

Another characteristic of these meters is that they can receive an order from the distributor to cut off the supply. An attacker could therefore decide to cut off the electricity of an entire neighborhood by sending several data packets specially designed for this purpose.

Vulnerabilities discovered by Tarlogic

The well-known Galician cybersecurity company Tarlogic has been investigating how electricity meters work for about two years, and has discovered different vulnerabilities that could allow total control of them. The company has contacted the main electricity distributors in Spain on many occasions, but the only answer it has received is that the system is safe and there is no vulnerability. The company offered to help the electricity companies solve these vulnerabilities, but the electricity companies have not responded. It also went to the PRIME Alliance, which is the remote management network for all the meters, and was likewise told that the network is completely secure.

At RootedCON 2022 the company has now published all of its research in full. It has also provided the source code of the tool it developed and has specified the hardware that must be used to carry out all the tests. Right now, anyone who wants to check the security of their remote management meter can do so from the plug in their kitchen.

The first vulnerability discovered is that the exchange of messages is not encrypted, so the messages can be read without any problem and also modified on the fly. Another vulnerability is that the system does not allow secure authentication. Although part of the traffic does travel encrypted using the DLMS protocol, most of it does not and uses unencrypted keys, so it can be hacked really easily.

With these vulnerabilities, an attacker could take control of a network of meters and issue orders to cut off supply, alter registered consumption and much more. In addition, these meters communicate with the distributors through a network of “hubs”, and Tarlogic has shown that these hubs can also be controlled remotely from any socket in the house.

What do I need to hack the meter?

The first thing needed to communicate with the electricity meter at home, or with a neighbor's, is a Microchip ATPL360-EK board, with which all the tests have been carried out. This board includes the PRIME and G3 libraries, and it also comes with a series of test applications, including a PLC sniffer compatible with PRIME that can capture all the packets you want from the different communications. It is also compatible with Windows operating systems.

The way it works is quite simple: after compiling the corresponding firmware, which is also provided by Microchip, it is loaded onto the development board, and it is then enough to connect the board to the electrical network and, via USB, to a computer with the software provided in order to start capturing and analyzing all data frames. The price of this board is around 650 euros, with everything necessary for its start-up.

In order to send commands and perform a more in-depth audit, Tarlogic has published its PLC Tool, which you can find on the official GitHub. This tool remained private until a few days ago, when it was made public because there was no positive response from the electricity companies in Spain or from the PRIME Alliance.

Once the electrical network has been accessed, users will be able to identify network elements such as meters and concentrators, save the traffic captures of the meters, send commands to turn off the electricity meter, capture passwords used by the distributor or modify the power limit of the meter. The company has stated that it will continue working on this tool, adding modular attacks that target only certain aspects of the meter, and may even carry out offensive actions such as updating the meter’s firmware.

On the official Tarlogic blog you can find the entire process that they followed to check the security of the meters, along with more information about it. The company did a controlled demo (without using actual electricity meters) at RootedCON 2022.
