Re: OT-How to hack smart meters



On Jun 28, 7:13 pm, rangerssuck <rangerss...@xxxxxxxxx> wrote:
On Jun 28, 6:11 pm, "Azotic" <oldn...@xxxxxxxxx> wrote:
...

The article says that David Baker, director of services for security firm
IOActive, warns that hackers can get into the meter via its wireless
networking device for communicating with the network:

  An attacker can use a software radio, which can be programmed to emulate a
variety of communications devices, to listen in on wireless communications
with the network and deduce over time how to communicate with the meters.
...

Only if they can generate the correct code, which can be different
each time. As a simple example it could be entries in a table of
trigonometric functions, so recording one doesn't tell you the next
unless you know which table they used and the pattern from one to the
next, like skip down the Julian date MOD 13 etc. This is a more
complex implementation of a password and the same defenses work, such
as 3 successive failures and you are blocked and reported. Keyless car
locks and garage door openers still offer good security. Their low
power and short range makes covert interception risky.

The security system can be made as safe as cost and operator training
allow. Look at the security record of ATM cards.

Without addressing any of the rest of this (I really must confess an
embarrassing lack of knowledge of the subject), it's hilarious that the
author thinks that reverse engineering a meter "does require a good
knowledge of integrated circuits" while it's perfectly plausible to
him that "a hacker can use syringes to insert a needle into each side
of the device's memory chip."

Not that it's impossible to probe the guts of a chip, but I'm gonna
guess that the writer of this article doesn't know much about
electronics.

I've done my time on these probe stations, poking around inside
prototype ICs at Unitrode:
http://www.lerner.ccf.org/bme/biomems/images/KarlSuss1.jpg
The silicon wafer goes on the mushroom pedestal, which is a vacuum
chuck. The blocks with micrometer knobs on the back scattered around
the rim each position one tungsten probe needle, normally used to
contact the bonding wire pads, but you can blast through the SiN
passivation with a laser and touch the top layer of metallization if -
really- necessary.
http://www.remingtontest.com/images/image_uploads/micromanipulator-6200-Micromanipulator-manual_probe_station-74-2_large.jpg
http://www.a3pics.com/data/measurement_prober.jpg

The bonding wire pads correspond to package pins or leads, which the
hacker might contact with the wire in the syringe needle I suppose,
using the rubber plunger as a spring. The hardest part is holding the
needle in place at an awkward angle and making contact without gouging
the board from excess pressure or shorting to the adjacent leads. It's
easier (relatively speaking) to solder a piece of fine magnet wire
onto the pin's pad or a nearby via (hole).

Then the hacker could record the data pattern passing between that
lead and the circuit board. Potting the board in epoxy makes this
approach extremely difficult.

Poking around INSIDE the IC to reverse engineer it is possible but
orders of magnitude more difficult, takes different equipment, and I'm
not saying more. I needed a whole year to completely understand the
device.

Programmable devices may have an access code or even a physical fuse
you can blow which blocks external access to the memory after you have
loaded the code.

jsw
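The rolling-code idea in the "Only if they can generate the correct code" paragraph, as an added example that is not from the thread, the article or IOActive: a keyed MAC over a counter stands in for the trig-table illustration (the secret plays the part of "which table they used", the counter step the "pattern from one to the next"), the receiver refuses anything at or behind the last counter it accepted, so a code recorded with a software radio cannot be replayed, and three successive failures lock it and raise a report. The shared secret, the guessed codes and the window size are constructed for the example.

```python
import hmac
import hashlib

# Constructed shared secret for this example; a real fob or meter
# would carry a per-device key provisioned at manufacture.
SECRET = b"example-shared-secret-not-from-the-thread"


def rolling_code(secret: bytes, counter: int) -> str:
    """The code for one use: a keyed MAC over a counter, truncated to 32 bits.

    Without the secret, recording one code tells an eavesdropper nothing
    about the next one, which is the property the post is describing.
    """
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:4].hex()


class Transmitter:
    """The fob / opener side: advances its counter on every press."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        self.counter += 1
        return rolling_code(self.secret, self.counter)


class Receiver:
    """The lock / meter side: accepts only codes strictly ahead of the last one
    it saw, within a small window, and locks out after three successive failures."""

    WINDOW = 16          # presses made out of the receiver's earshot that are tolerated
    MAX_FAILURES = 3     # the post's "3 successive failures and you are blocked"

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_counter = 0
        self.failures = 0
        self.locked = False
        self.reports = []    # what would be sent to the operator

    def accept(self, code: str) -> bool:
        if self.locked:
            return False
        # Only counters after the last accepted one are candidates, so a
        # recorded code is dead the moment it has been used once.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.WINDOW):
            if hmac.compare_digest(rolling_code(self.secret, c), code):
                self.last_counter = c
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
            self.reports.append("locked out after %d successive failures" % self.failures)
        return False


def demo() -> dict:
    """Legitimate press, replay of the recorded code, resumed legitimate use,
    then constructed guesses until the receiver locks and reports."""
    tx = Transmitter(SECRET)
    rx = Receiver(SECRET)

    recorded = tx.press()                      # the attacker's software radio records this
    first_ok = rx.accept(recorded)
    replay_ok = rx.accept(recorded)            # replay: counter 1 is behind last_counter
    next_ok = rx.accept(tx.press())            # one failure does not disturb the owner

    # Constructed guesses; with a 32-bit code and a 16-wide window each has ~4e-9 odds.
    guesses = [rx.accept(g) for g in ("00000000", "deadbeef", "cafebabe")]
    owner_after_lock = rx.accept(tx.press())   # legitimate press now rejected: lockout reported

    return {
        "first_ok": first_ok,
        "replay_ok": replay_ok,
        "next_ok": next_ok,
        "guesses_ok": guesses,
        "locked": rx.locked,
        "reports": rx.reports,
        "owner_after_lock": owner_after_lock,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The caveat a practitioner would add to the three-strikes rule: the same radio that can record codes can send three junk ones, so a hard lockout hands an attacker a denial of service against the legitimate user; real deployments pair the lockout with a resynchronisation path and alerting rather than a permanent block.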