LoRa Water Meter Security Analysis


Formal Metadata

Title: LoRa Water Meter Security Analysis
Number of Parts: 322
Author: Et al.
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Abstract
To avoid the tedious task of collecting water usage data by going to users' homes, water meters equipped with wireless communication modules are now being put into use. In this talk we take a water meter that uses the LoRa wireless protocol as an example to analyze the security and privacy risks of this kind of meter. We explain how to reverse engineer and analyze both the firmware and the hardware of a water meter system, and we discuss its security risks from multiple perspectives: physical, data link, and sensors. Note that LoRa is not only used in water meters; it is used in a lot of IoT scenarios, so the methods we employed to analyze LoRa in this talk are also useful when you test other LoRa-based systems.
Transcript: English (auto-generated)
Hey everybody, welcome to DEF CON. Alright, we've got LoRa Water Meter Security Analysis. This is your presenter, Jimmy. Give him a warm welcome.

Thank you everyone. First, I'd like to clarify that this work was not only done by myself; it was mainly done by my team members. One of the members cannot be here because the U.S. Consulate rejected his visa. So, yeah, every year we get speakers rejected for the visa. I think this young man might be a big national security threat for the U.S. Consulate. Okay, I'm going to record a short video for him, to get him what he would feel as a person in front of such a huge bunch of hackers. So, everybody, sorry, sorry. Okay, let's shout out for Itzen in town. His name is in town. Okay, thank you. Yeah, every year I get many friends rejected.

So, let me quickly introduce my company and our team. My team is called UnicornTeam. We do wireless security, hardware security, and so on. And we are from the largest security company in China, called 360 Security Technology. Today I'm going to present the process we took to analyze this so-called smart water meter.

So, this is how it looks in real life. On the left, you can see it just looks like a normal water meter, but there is a dial, the red circle. That's just like a magnet: when the water meter runs, the magnet rotates, and there is a magnet sensor under another cover, which I will show you on the next slide. On the right is a solar-panel-powered gateway, which just relays the water meter data to the server via GPRS. But the communication between this water meter and the gateway is using LoRa, which is kind of a proprietary protocol. And this is a photo of the water meter when it is deployed. There is an antenna, and this is the gateway, where you can see the GPRS module and the LoRa transmission module.

So, these are actually the parameters and the models of the chips. You can see there is an MCU, which is used to configure the LoRa chip every time it powers up; we will later introduce how we can attack the communication between the MCU and the LoRa module. And we have the antenna and the battery. The reason why they use this LoRa communication is because it's low power, so this little battery can power it for up to 10 years. That's why they are using this. And there is a Hall sensor to detect the rotation of the magnet, as I said. So there is, I don't know if you can see it, there is a pointer or something. No. So there is a magnet sensor called TMR301 that can detect when the water meter is running, and there is an MCU here to configure this LoRa chip.

And this is the gateway: there is a GPRS module here, the white rectangle, and there is a LoRa module. So it's just a very typical architecture for an IoT device. And there is an EEPROM to store the data, maybe to buffer the water meter data when the GPRS is down. And actually, the gateway usually uses a different chip, but they are using the same chip as the water meter. They have to, because this is cheaper than using another chip dedicated to the gateway.

Now, let's talk about how we can fake the water meter data. As we said, they are just detecting the rotation of the magnet, so we can put a strong magnet near the TMR301 sensor just to interfere with the signal. You can see, when the magnet rotates, the voltage produced on the sensor will change. You can see, if the, there's no, no pointer. Okay. So you can see that when the magnet is at this angle, there is a 400 millivolt voltage, and when the angle changes, the voltage changes accordingly. This is how they detect when the water meter is running. So we use a strong magnet to interfere with this magnetic field. Because the cover is plastic, it still works, so you can spoof the sensor data to say that we're not using any water. But this can be caught if they come to your house and actually take a look at the water meter. So that's one way to spoof the sensor data, and another way is just to disassemble it and use a voltage regulator to spoof the sensor voltage. It's the same effect.

So, the LoRa frequency is different in each country. For example, in the U.S. it's 915 megahertz; in other countries it's different. So when you're trying to do research on this kind of LoRa-based device, you have to set and maybe tune your SDR device to that frequency in order to catch the signal. This is the format of the packets: you have this preamble, which notifies the receiver that there's a packet coming, and you have these up-chirps and down-chirps that are encoding the data. And actually there is a pretty complex set of parameters that you need to configure. When we do SDR, we have to configure the parameters for the receiver, or for the decoder, and there are many sets of configurations. Actually, researchers from a U.S. company did some work to decode the LoRa traffic, but when we tried their code, it was not working, I guess because the configuration of the parameters is different. So we had to write our own decoding code for this traffic. One of our team members wrote the code using MATLAB to decode the traffic, and we uploaded this module to our GitHub. If you are interested in doing more research in the future, you can go look at the code. But this is still not very easy to use, so we switched to another method.

Actually, as I said, there is an MCU used to configure the LoRa module every time it's powered on. What it does is use SPI serial communication to configure all the parameters of the LoRa module: the frequency, the different spreading factors, something like that. So we used this logic analyzer to capture the traffic on the serial communication interface, and we could figure out how this LoRa front end, the LoRa transceiver, is configured. Then we just went and bought another LoRa module and used the same configuration in order to receive and decode the traffic. So it's pretty smart, this kind of thing. Once you get all the traffic on the serial communication, you have to figure out what that traffic means. We figured it out by looking at the documentation for what kind of instruction means what. For example, when you see this traffic, it means that it sets the frequency to 492.25 MHz. That's the frequency we mentioned in the previous slides, where we saw that different countries are using different frequencies; you can see this is the Chinese frequency. Okay, now we've got the configuration, so we use another module to configure it in the same way, and we can see the traffic.

Okay, so now we've got the traffic, we have to reverse engineer the communication protocol to see how it transmits the data. Surprisingly, we found it not encrypted; it's just in plaintext. Perhaps they think that LoRa communication by itself is very hard to decode. So they are using kind of a proprietary protocol. There is a unique ID for each water meter, and actually we can see all the traffic here: they are transmitting the water usage data and also the temperature.

So let's see the privacy risks. For example, because the water usage data is transmitted in plaintext, if I see that there is no water usage, we can actually see from the data whether somebody is at home using their water meter. So we can profile the habits of this user, to see his working routine, when he comes home and when he leaves for work, something like that. And we can also spoof the data to make somebody's usage show a lot of water so he gets overcharged. And we can also force the gateway to issue instructions, because this is two-way communication: not only does the water meter send, but the server might also issue some command to the water meter. And LoRa is not only used in water meters; you can use it to control gas valves or other things you can think of. Just like GPRS or ZigBee, it can be used anywhere to connect devices, so if we can get the traffic or spoof the traffic, we can cause other chaotic consequences.

So this is how the whole communication link works. The water meter sends the data to the gateway, and the LoRa gateway transmits the data to the server using GPRS. And GPRS, everybody knows that this communication link is not safe; anybody can maybe sniff or spoof the traffic. So we can use a fake base station to spoof, to do man-in-the-middle, or to just spoof the gateway. So this is my colleague trying to sniff the GPRS traffic. We set up this base station using OpenBTS, and we managed to get this LoRa gateway to communicate with our fake base station. Actually this is a very common kind of attack, especially in China, where people are using GPRS to unlock shared bikes, so people are trying to spoof the unlock command to make the bike open itself. So this is a very common technique.

So when we got the fake base station set up and the gateway connected to our fake base station, we could see what data it's sending to the server, and we analyzed this using Wireshark to reverse engineer the protocol used between the gateway and the server. This is how the traffic looks: you can see there's a gateway ID, there's a header, and also a payload, so all kinds of information. Again, it's not encrypted; it's just using a CRC to check the integrity of this packet. So, as I said, we can spoof the gateway to transmit fake water usage data to the server.

So let's take a look at the overall communication link, the water meter to the gateway and the gateway to the server. We have reverse engineered the two communication links, and they are using two proprietary communication protocols: one is over LoRa, another one is over GPRS. So, once again, let's see this whole testing environment. We have this magnet to interfere with the magnet sensor. We have a module used to configure the LoRa module that we used to sniff the traffic, because we have reverse engineered the configuration process from the MCU to the LoRa module, so we can use a module to sniff the traffic. And the next step is to use OpenBTS to analyze the communication between the server and the gateway.

So in conclusion, we can see that, once again, we can sniff your privacy data to profile the user, and we can actually forge the data at each stage: the LoRa stage, where the water meter is communicating with the gateway, and we can spoof traffic between the gateway and the server. So actually, every time we break something, we have to figure out a way to actually remediate it.
So, this is using LoRa, and there is the LoRaWAN protocol. This protocol is brought up by the LoRa Alliance. So, for example, to prevent the data from being spoofed or forged, we can use message integrity, like HMAC, based on some kind of encryption key to check the integrity of the packets. We can also use some encryption. I think the reason why they didn't use encryption in the first place is because this is a low power application, and encryption may consume a lot of power. So that's why they didn't encrypt the LoRa in the first place, or they just think obscurity is security, something like that. They think that LoRa is hard to decode; it's not like GPRS, where you can easily sniff the traffic. So we proved that this is not the case: we can still get the traffic, so they have to improve the security by encrypting this traffic at each stage. So this is actually the LoRaWAN specification published by the LoRa Alliance, and everybody can look at it. There are the security measures, but it seems that they are not following it.

So, anybody have any questions? This is a reference to the past years' research; they have done a great job by providing people with the code to decode the LoRa traffic, and we have all kinds of resources here. So, anybody has questions? Oh, okay, you ask your question.

Audience: Should a company protect their infrastructure? If you already deployed infrastructure, how can they protect that?

Yeah, I don't think they can actually do that, because usually, when you use this kind of communication, you don't implement some kind of over-the-air update mechanism, so you have to maybe replace the infrastructure. So you have to think of security in the first place. Or, for example, for the magnet stuff, you can change the plastic cover into a metal cover, and that prevents somebody from interfering with the magnet sensor using a strong magnet. Because if somebody doesn't want to pay water fees, they just put this magnet on the water meter so it's not running. So, anybody else has questions? Okay, thank you.
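The remediation the talk ends on, a keyed message integrity check instead of the bare CRC on the gateway-to-server packet, as an added example that is not the team's code: it models the packet the talk describes (gateway ID, header, payload, CRC) with a constructed field layout, shows that a CRC check still passes for a packet rebuilt with another usage value because no secret is involved, and checks a 4-byte keyed tag plus a frame counter instead. The layout, key and sample values are assumptions.

```python
"""Added example, not the talk's code: the gateway-to-server packet the talk
describes (gateway ID, header, payload, CRC) beside a keyed variant.
Field layout, key and sample values are constructed assumptions."""
import hashlib
import hmac
import struct

# Assumed layout: gateway ID (4) | frame counter (2) | meter ID (4) |
# water usage in litres (4) | temperature in 0.1 C (2) | CRC-16 or 4-byte MIC
HDR = struct.Struct(">IHI")
PAYLOAD = struct.Struct(">Ih")

def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE: detects line errors, but anyone can recompute it."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = (crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc

def make_body(gw_id, counter, meter_id, usage, temp):
    return HDR.pack(gw_id, counter, meter_id) + PAYLOAD.pack(usage, temp)

def parse_body(body):
    """Fields are plaintext, so any listener on the link can read them."""
    gw_id, counter, meter_id = HDR.unpack_from(body)
    usage, temp = PAYLOAD.unpack_from(body, HDR.size)
    return {"gateway": gw_id, "counter": counter, "meter": meter_id,
            "usage_l": usage, "temp_c": temp / 10}

def build_crc_packet(*fields):
    body = make_body(*fields)
    return body + struct.pack(">H", crc16_ccitt(body))

def verify_crc_packet(pkt):
    return crc16_ccitt(pkt[:-2]) == struct.unpack(">H", pkt[-2:])[0]

def build_mic_packet(key, *fields):
    body = make_body(*fields)
    # 4-byte truncated HMAC-SHA256 tag (LoRaWAN uses a 4-byte AES-CMAC MIC)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:4]

def verify_mic_packet(key, pkt, last_counter):
    body, mic = pkt[:-4], pkt[-4:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(mic, expected):
        return False  # body altered, wrong key, or no key at all
    return parse_body(body)["counter"] > last_counter  # reject replayed frames

def demo():
    """One reading rebuilt with a different usage value, checked both ways."""
    fields = (0x01020304, 7, 0xAABBCCDD, 12345, 215)
    altered = fields[:3] + (999999, 215)
    key = b"constructed-demo-key"
    mic_pkt = build_mic_packet(key, *fields)
    return {
        "crc_ok": verify_crc_packet(build_crc_packet(*fields)),
        "crc_altered": verify_crc_packet(build_crc_packet(*altered)),  # True: no secret
        "mic_ok": verify_mic_packet(key, mic_pkt, last_counter=6),
        "mic_altered": verify_mic_packet(key, make_body(*altered) + mic_pkt[-4:], 6),
        "replayed": verify_mic_packet(key, mic_pkt, last_counter=7),
    }
```

The key would have to be provisioned per gateway at manufacture, which is the point the speaker makes about designing security in before deployment.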