LoRa Water Meter Security Analysis

Video in TIB AV-Portal: LoRa Water Meter Security Analysis

Formal Metadata

Title
LoRa Water Meter Security Analysis
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
To avoid the tedious task of collecting water usage data by going to the user's home, water meters equipped with wireless communication modules are now being put into use. In this talk we take a water meter that uses the LoRa wireless protocol as an example to analyze the security and privacy risks of this kind of meter. We explain how to reverse engineer and analyze both the firmware and the hardware of a water meter system, and we discuss its security risks from multiple perspectives: physical, data link, and sensors. Note that LoRa is not only used in water meters; it is used in a lot of IoT scenarios, so the methods we employed to analyze LoRa in this talk are also useful when you test other LoRa-based systems.
Everybody, welcome to DEF CON. All right, we've got LoRa Water Meter Security Analysis. This is your presenter, Jimmy. Give him a warm welcome.

Thank you everyone. First I would like to clarify that this work was not done only by myself; it was mainly done by my team members, and a lot of the members cannot be here because the US consulate rejected their visas. Yeah, every year we get speakers rejected for this; I think this gentleman might be a big national security threat for the US consulate. Okay, I'm going to play a short video for him, to give him the feeling of presenting in front of such a huge bunch of hackers. [Applause] Okay, that's horrible. Okay, thank you. Yeah, every year I get many friends rejected.

So let me quickly introduce my company and our team. My team is called UnicornTeam; we are doing wireless security, hardware security and so on, and we are from the largest security company in China, 360 Security Technology. Today I'm going to present how to analyze this so-called smart water meter.

This is how it looks in real life. You can see it looks just like a normal water meter product. There is a circle here, which is just a magnet, so when the water meter runs the magnet rotates, and the magnetic signature changes; I will cover that on the next slide. On the right is a solar-powered gateway, which relays the water meter data to the server via GPRS, but the communication between this water meter and the gateway is LoRa with a kind of proprietary protocol. This is the water meter opened up: there is a circuit board and an antenna. And this is the gateway, which as you can see has a GPRS module and a LoRa transmission module.

So this is actually the hardware structure and the models of the chips. You can see there's an MCU which is used to configure the LoRa chip every time it's powered up; later we will introduce how we can attack the communication between the MCU and the LoRa module. And we have the battery. The reason why they are using LoRa is that it's low-power communication, so this little battery can power it for up to ten years. There is a hole for the location of the magnet, as I said. Here, I don't know if you can see, is the magnetic sensor that can detect that the water meter is running, and there's the MCU; the firmware here configures the LoRa chip. And this is the gateway disassembled: there is a GPRS module here, and the white rectangle is the LoRa module, so it's a very typical architecture for an IoT device. There is room for two chips here, maybe to buffer the water meter data; the gateway has to use another chip dedicated to the gateway itself.

Now let's talk about how to interfere with the water meter data, so you can defeat the detection. We can take a strong magnet and put it in here to interfere with this signal. You can see that when the magnet rotates, the voltage produced by the sensor will change: when the magnet is in this position there is a 400 millivolt voltage, and when the position changes the voltage changes accordingly. So this is how they detect that the water meter is running. So we use a strong magnet to interfere with this; because the cover is plastic, it still works. That's to say, we are not using any water, but this can be caught if the collector comes to your house and actually takes a look at the water meter. So that's one way to spoof the sensor data. Another way is just to disassemble it and use a voltage regulator to spoof the sensor voltage; it has the same effect.

So the LoRa frequency is different in each country; for example, in the US it is 915 MHz, and in other countries it's different. So when you're trying to research this kind of LoRa-based device you have to tune your SDR device to that frequency in order to catch the signal. So this is the format of the packets: you have this preamble which notifies the receiver that a packet is coming, you have the header, and after that the encoded data. Actually there's a pretty complex set of parameters you need to configure. When we do security research you often use an SDR, so we have to configure the parameters for the receiver or for the decoder, and there are many settings to configure. Actually, researchers from a US company have released something to decode the LoRa traffic. We tried their work, but it's not working, I guess because the configuration of the parameters is different. So we had to write our own decoding code for this traffic. Actually one of my team members wrote the code to decode the traffic, and we uploaded this module to GitHub, so if you are interested in doing some LoRa research in the future you can take a look. It's not very easy to use, so we switched to another method.

As I said, there is an MCU here which is used to configure the LoRa module every time it's powered on, and it's using SPI serial communication to configure the LoRa module with all the parameters, which frequency and so on. Next, we used this logic analyzer to capture the traffic on the serial communication interface, and we can figure out how this LoRa transceiver is configured. Then we just go and buy another LoRa module and use the same configuration in order to receive the traffic. So this is pretty smart. Once you get all the traffic on the serial communication, you have to figure out what that traffic means. We figured it out by looking at the documentation for what kind of instruction this is. So for example, you will see this traffic; it means setting the frequency to 492.25 MHz. That's the frequency we mentioned in the previous slides, where basically I said that different countries are using different frequencies, and you can see this is the Chinese 450. Okay, now we got the configuration sequence, so we use another module to configure it the same way and we can see the traffic.

Okay, so now we've got the traffic, and we have to reverse engineer the communication protocol to see how they transmit the data. Surprisingly, we find it's not encrypted; it's just in plain text. Perhaps the thing is that LoRa communication by itself is very hard to decode, so they're using kind of a proprietary protocol. There's a unique ID for each water meter, and actually we can see the full traffic here: they are transmitting the water usage data and also the temperature.

So next, see the privacy risks. For example, because the water usage data is transmitted in plain text, if I see that there is no water usage we can actually tell whether somebody is at home using their water, and we can actually profile the habits of this user to see his working routine: when he comes home and when he leaves for work, something like that. We can also modify the data to make it seem that somebody is using a lot of water and they get charged for it, and we can also spoof the gateway to issue instructions, because this is a two-way communication: not only does the water meter have to upload water usage data, but also the server may issue some commands to the water meter. And also LoRa is not only used in water meters; it's used to control other devices too, and like GPRS it can be used anywhere to build connectivity devices. So if we can fake the traffic or spoof the traffic we can cause other chaotic consequences.

So this is the whole picture of how the communication link works. The water meter sends the data to the gateway, and then the gateway sends the data to the server using GPRS, and the GPRS traffic is not signed, it's not secure, so anybody can sniff or spoof the traffic. So we can use a base station to do a man-in-the-middle attack on the gateway. So this is my colleague trying to sniff the GPRS traffic. We set up this base station using OpenBTS, and the gateway connected to our station as a very common kind of device; it's in China, so people are using GPRS like this. So we are doing this; it's another very common technique. When we got the setup and the gateway connected to our station, we can see what it sends to the server, and we analyzed this using Wireshark and reverse engineered the protocol used to communicate with the server. So this is how the traffic looks: you can see there's a gateway ID, there's a header and a payload. Once again it's not encrypted; it's just using a CRC to check the integrity of the packet. So, as I said, we can spoof the water usage data to the server.

Let's take a look at the overall communication link: the water meter to the gateway, the gateway to the server. We have reverse engineered the two communication links and the two kinds of proprietary communication protocols: one is over LoRa, the other one is over GPRS. So this once again is the whole environment: we have this magnet; in the center we have this LoRa module used to configure the module, the LoRa logic we used to sniff the traffic, because we have reverse engineered the configuration process from the MCU to the LoRa module, so we can use another LoRa module to see the traffic. And the next step is to use OpenBTS to analyze the communication between the gateway and the server.

So in conclusion, we can see that, once again, we can sniff the data and also spoof the data at each stage: the LoRa stage where the water meter communicates with the gateway, and the gateway-to-server stage. So actually we have to figure out a way to actually remediate this. This is the LoRaWAN protocol; this protocol is brought up by the LoRa Alliance. So, for example, to prevent the traffic from being spoofed or forged, we can use a message integrity code based on an encryption key to check the integrity of the packets. We can also use some key exchange mechanism. I think the reason why they didn't do it in the first place is because this is a low-power application and the encryption may consume power, so that's why they didn't implement encryption in the water meter; they are just relying on security by obscurity, something like that. They think LoRa is hard to decode; it's not like WiFi where you can easily see the traffic. But we can still sniff the traffic, so you have security issues at this stage. So we have this; this is actually the LoRa standard by the LoRa Alliance. Everybody can look at it; there are security measures, but it seems they are not following it.

So, anybody have any questions? This is a reference: the Bastille research. They have done a great job providing people with the decoding of the LoRa traffic, and we have these resources. So, anybody has questions? [Applause]

[Audience question] How can a company protect infrastructure that is already deployed?

Yeah, I don't think they can actually do that, because usually when you use this kind of communication you don't implement some kind of over-the-air update mechanism, so maybe you have to replace the infrastructure. You have to think about security in the first place. Or, just like for example the magnet: you can change the plastic cover into a metal cover, so that it will be a problem for somebody to interfere with the magnet, since you're using a strong magnet; if somebody doesn't want to pay water fees, they just put a magnet on the water meter so it's not running. So yeah. Anybody else has a question? Okay, thank you. [Applause]
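The remediation the talk points to, as an added example that is not the talk's or the vendor's code: a receiver that accepts frames on an unkeyed CRC, as the talk describes for this meter's links, beside one that requires a LoRaWAN-style keyed message integrity code (MIC). The frame layout, field widths and key are constructed assumptions, and HMAC-SHA256 truncated to 4 bytes stands in for LoRaWAN's AES-128 CMAC MIC so the example needs only the standard library.

```python
import hashlib
import hmac
import struct

# Constructed uplink layout (an assumption, not the meter's real format):
# meter id (4 bytes) | water usage in litres (4 bytes) | temperature in 0.1 C (2 bytes)
PAYLOAD_FMT = ">IIh"
USAGE_OFFSET = 4

def build_payload(meter_id: int, litres: int, temp_tenths: int) -> bytes:
    return struct.pack(PAYLOAD_FMT, meter_id, litres, temp_tenths)

def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF): catches noise, not forgery."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def frame_with_crc(payload: bytes) -> bytes:
    return payload + struct.pack(">H", crc16_ccitt(payload))

def accept_crc_frame(frame: bytes) -> bool:
    """Receiver check as the talk describes it: an unkeyed CRC only."""
    return crc16_ccitt(frame[:-2]) == struct.unpack(">H", frame[-2:])[0]

def compute_mic(key: bytes, payload: bytes) -> bytes:
    """4-byte keyed MIC. LoRaWAN uses AES-128 CMAC; HMAC-SHA256 truncated to
    4 bytes stands in here so the example needs only the standard library."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:4]

def frame_with_mic(key: bytes, payload: bytes) -> bytes:
    return payload + compute_mic(key, payload)

def accept_mic_frame(key: bytes, frame: bytes) -> bool:
    """Hardened check: recompute the MIC with the shared key, compare in constant time."""
    return hmac.compare_digest(compute_mic(key, frame[:-4]), frame[-4:])

def rewrite_usage(frame: bytes, trailer_len: int, new_litres: int) -> bytes:
    """Model of a frame altered in transit: the usage field is changed and the
    unkeyed CRC recomputed. Without the key a MIC cannot be recomputed, so the
    original trailer is kept and will no longer match the altered payload."""
    payload = bytearray(frame[:-trailer_len])
    struct.pack_into(">I", payload, USAGE_OFFSET, new_litres)
    if trailer_len == 2:
        return frame_with_crc(bytes(payload))
    return bytes(payload) + frame[-trailer_len:]

def demo() -> dict:
    key = b"constructed-key!"  # stand-in for a 16-byte shared network key
    crc_frame = frame_with_crc(build_payload(0x1234, 500, 215))
    mic_frame = frame_with_mic(key, build_payload(0x1234, 500, 215))
    return {
        "crc_accepts_altered": accept_crc_frame(rewrite_usage(crc_frame, 2, 99999)),
        "mic_accepts_altered": accept_mic_frame(key, rewrite_usage(mic_frame, 4, 99999)),
    }
```

The CRC-only receiver accepts the altered usage value, while the MIC receiver rejects it; a real deployment would also need a per-device key and a frame counter, which LoRaWAN specifies and this sketch omits.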