Re: OT-How to hack smart meters

On Jun 28, 7:13 pm, rangerssuck <rangerss...@xxxxxxxxx> wrote:
On Jun 28, 6:11 pm, "Azotic" <oldn...@xxxxxxxxx> wrote:

The article says that David Baker, director of services for security firm
IOActive, warns that hackers can get into the meter via its wireless
networking device for communicating with the network:

  An attacker can use a software radio, which can be programmed to emulate a
variety of communications devices, to listen in on wireless communications
with the network and deduce over time how to communicate with the meters.

Only if they can generate the correct code, which can be different
each time. As a simple example it could be entries in a table of
trigonometric functions, so recording one doesn't tell you the next
unless you know which table they used and the pattern from one to the
next, like skip down the Julian date MOD 13 etc. This is a more
complex implementation of a password and the same defenses work, such
as 3 successive failures and you are blocked and reported. Keyless car
locks and garage door openers still offer good security. Their low
power and short range makes covert interception risky.

The security system can be made as safe as cost and operator training
allow. Look at the security record of ATM cards.

Without addressing any of the rest of this (I really must confess an
embarassing lack of knowledge of the subject), it's hilarious that the
author thinks that reverse engineering a meter "does require a good
knowledge of integrated circuits" while it's perfectly plausible to
him that "a hacker can use syringes to insert a needle into each side
of the device's memory chip."

Not that it's impossible to probe the guts of a chip, but I'm gonna
guess that the writer of this article doesn't know much about

I've done my time on these probe stations, poking around inside
prototype ICs at Unitrode:
The silicon wafer goes on the mushroom pedestal, which is a vacuum
chuck, The blocks with micrometer knobs on the back scattered around
the rim each position one tungsten probe needle, normally used to
contact the bonding wire pads, but you can blast through the SiN
passivation with a laser and touch the top layer of metallization if -
really- necessary.

The bonding wire pads correspond to package pins or leads, which the
hacker might contact with the wire in the syringe needle I suppose,
using the rubber plunger as a spring. The hardest part is holding the
needle in place at an awkward angle and making contact without gouging
the board from excess pressure or shorting to the adjacent leads. It's
easier (relatively speaking) to solder a piece of fine magnet wire
onto the pin's pad or a nearby via (hole).

Then the hacker could record the data pattern passing between that
lead and the circuit board. Potting the board in epoxy makes this
approach extremely difficult.

Poking around INSIDE the IC to reverse engineer it is possible but
orders of magnitude more difficult, takes different equipment, and I'm
not saying more. I needed a whole year to completely understand the

Programmable devices may have an access code or even a physical fuse
you can blow which blocks external access to the memory after you have
loaded the code.


Relevant Pages

  • Re: SuS "trojan" in XP -- Changes OS and creates "virtual" remote
    ... Network Configuration Operators are added to the DHCP service as well as the DNS client service. ... If I shut my computers off for a few days I get strange calls from foreign people asking for the wrong people that do not live here. ... They bond asynchronous RAS adapter to my local network card or use 6to4, teredo or another way thru VPN like Terminal Services, Imapi or Windows Messaging. ... I think the hacker uses some type of Bluetooth or Infrared hack that can link into my iPhone and somehow use my iPhone to manipulate my laptop. ...
  • Serious Offshore Probes Detected & Defeated
    ... An IP address that sent communications, then stopped communications and restarted the communications, continuously within a 12 hour period. ... There are seven active sites in China: ... - CNCGROUP Heilongjiang province network -Mudanjiang ... Longitude: 129°60'00" East ...
  • Re: CB saves the day during Wilma
    ... you don't know and thats what is ... Sure,,,again,,,you claimed you haven't been on 11 meter in over ten ... Well, gee Eric, if you weren't on eleven meter, you damn sure weren't ... It's good communications to do so but not good ...
  • ANCS 2005 Call for Participation
    ... Architectures for Networking and Communications Systems ... Intel Corporation (Gold Sponsor) ... network processors, content addressable memories, configurable logic ...
  • Re: Looking for Opinions: NSA Reading Your Emails/Accessing Your Data
    ... The hacker might not be old enough to remember vulnerabilities ... Local network encryption probably doesn't help ... inside the house (the NSA would), but just attacks over the Internet. ... Many ISPs set up connections so that NAT gateways don't ...