REMOTICON 2021 // HASH SALEHI OUTSMARTS HIS smart METER

Smart meters form mesh networks among themselves and transmit your usage data all around. Some of them even allow the power company to turn off your power remotely, through the mesh. You might want to know whether any of this information is sensitive, or whether the power shutdown system has glaring safety and security defects that would let random people simply turn your house off. Hash Salehi has set out to get inside these meters, and fortunately for the rest of us, he was kind enough to share his findings during Remoticon 2021. It’s a journey filled with fantastic tidbits about GNU Radio, embedded devices, and running your own power company inside a Faraday cage.

The smart meter in question is deployed by a power company known as Oncor in the Dallas, Texas, area. These particular meters form an extensive mesh network using an onboard ZigBee module that lets them pass messages amongst themselves; those messages eventually make their way to a collector or aggregator, which uploads them to a much more central location. Hash obtained his parts through everyone’s favorite online auction house and was amazed to see how many parts were available. Then, with parts in hand, he began all the typical reverse engineering tricks: SDR, Faraday cages, flash chip readers, and recreating the schematic.

To continue even further down the rabbit hole, Hash took a two-pronged approach: poring over the firmware (over 300 kB) and attempting to capture traffic in his area. Starting with just listening on one channel, he expanded to listen on all 240-260 channels, but found that listening on each channel separately was eating all the compute power he threw at it. A talk from GNU Radio Conference gave him the inspiration needed to employ a frequency hopping method that allowed him to decode all the packets. A drive down a freeway with an antenna in his car allowed him to capture fascinating graphs showing the area’s meters and how long each had been up.

The true test of understanding the protocol isn’t just receiving, however. He also wanted to send some packets. But, of course, the power companies wouldn’t be too thrilled with rogue actors on their network, regardless of intentions. So Hash needed his own network, effectively starting a power company that doesn’t offer any power.

He had previously purchased a collector and found a full Intel processor inside running Windows 7 Embedded. The main program was .NET, which makes it trivial to tweak. Now that he had a receiver, it was time to make a transmitter he could control. He’s still working on that, but it’s all out in the open on GitHub and elsewhere. The coolest trick here is his workaround for the frequency hopping schedule that the receivers expect: he simply broadcasts on all 240 channels at once! Gotta love SDRs.

This is clearly not a weekend project, and we have had a Hack Chat with Hash about smart meters before if you’re interested. We’re looking forward to what else he discovers.
