Wednesday, March 24, 2010

Smartgrid Skunkworks

Dearest engineers and hackers, and also their management,

Recent vulnerabilities found in smart meters and HAN devices have shown a number of weaknesses in the engineering practices used to build these devices and their constituent components. A vulnerability in a chip or library is fixed slowly, and it is a very rare event that the meter and thermostat vendors affected by the vulnerability are notified by their suppliers. Because of this, vulnerabilities are spreading downward through the supply chain, and the engineers of smart grid devices are left uninformed.

While those utilities that actively investigate security have a considerable amount of bargaining power with their immediate suppliers, the rest of the supply chain has no similar leverage to compel security notifications. Chip and library vendors are failing to notify the meter vendors that depend upon their components. Even when the meter vendors are notified directly of vulnerabilities, thermostat and other HAN vendors can have no realistic expectation of such a privilege.

Despite having found many vulnerabilities in microcontrollers and LPAN radio chips, I have never seen one single security issue mentioned in the errata sheets of these devices. It has been a year since I first reported to Texas Instruments that the RAM of their Chipcon 8051 core is exposed to an attacker, but there's not one scrap of documentation from the firm to its customers suggesting that they make the simple patch of moving the key variables to Flash memory. The example ZigBee stack for the chip is still vulnerable to this attack, even after recent patches! A year later, exactly two debugger commands are all that are required to extract keys from nearly every ZigBee SEP device with a Chipcon radio, and no one knows to patch their code! (Do not be smug if you are an Ember customer. The EM2xx chips are unpatchably vulnerable to debugger key extraction, and there is no mention of this in the chip's errata sheet either.)

As chip and library vendors have failed to document the publicly known vulnerabilities in their products, and as they have often been unable or unwilling to repair them, the most expedient remedy to this problem is a separate line of communication. At least one point of reference must exist for the engineers trying to build these products.

For these reasons, I have created a skunkworks mailing list for the announcement and discussion of smart grid vulnerabilities, particularly but not exclusively those in AMI equipment. This is to be a list for engineering discussion, by engineers and security researchers. Anonymous posts and lurking are welcome, but politics and committee items are not.

For this reason, I especially request that those firms which care about security ask--or perhaps even require--their engineering staff to subscribe. This list is the appropriate place to post questions concerning the secure use of a particular radio chip, fragment of code, or anything else which is too low level or vendor-specific to be mentioned in standards.

If your firm is unwilling to allow its engineers to post, please at least compel them to follow the posts of others. In saying nothing, they will still learn how to make more secure products along with all sorts of fascinating gossip about your competitors. Your firm has every right to keep its mouth shut, but keeping its ears shut is a betrayal of each and every one of your customers.

To kickstart this mailing list, I will make it my first site of public disclosure for smart grid vulnerabilities over the coming months. The subscription link is below, and I invite you to join me in preventing smart grid vulnerabilities before they are created.

http://groups.google.com/group/smartgrid-skunkworks

Thank you kindly,
--Travis Goodspeed
Belt Buckle Engineer
Security Hobbyist

43 comments:

Matthew Farley said...

Would it not be a simple matter to disable the debug interface as part of manufacturing? Such as shown on pg 54 of the CC2530 User's Guide (SWRU191A).

Matt Farley

Travis Goodspeed said...

Matt,

The DBGLOCK bit of the Chipcon 8051 devices, including the CC2530, can be cleared by erasing the device. Such an erasure clears the Flash regions of memory, but not RAM (XDATA), allowing keys and similar things to be recovered. There is no way to permanently disable debugging on a Chipcon 8051 device other than to physically break the pins.

--Travis

Matthew Farley said...

I don't see a good place to hook in a patch on the TI-MAC, but in the ZStack, AesLoadKey() and AESLoadIV() look like good functions to patch.

Matt
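
The two replies above (the erase-clears-DBGLOCK-but-not-XDATA behaviour, and the suggestion to patch AesLoadKey()) as a constructed model, added here and not code from the post or from TI's stack: it checks whether a key is still readable from RAM after a mass erase, and shows that keeping the key in Flash only helps if the key-load routine also leaves no working copy behind in XDATA. Memory sizes, the scratch offset and the sample key are assumptions of the model, not CC2530 values.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the behaviour described in the thread: a mass erase clears
   Flash and DBGLOCK together, while XDATA RAM keeps its contents. Sizes and offsets
   are arbitrary model values, not CC2530 addresses. */
enum { FLASH_SZ = 64, XDATA_SZ = 64, KEY_LEN = 16, SCRATCH_OFF = 32 };
typedef struct {
    uint8_t flash[FLASH_SZ];   /* code memory; the hardened layout keeps the key here */
    uint8_t xdata[XDATA_SZ];   /* RAM; offset 0 holds the key in the vulnerable layout */
    uint8_t aes_key[KEY_LEN];  /* AES coprocessor key register, modelled as write-only */
    int dbglock;               /* 1 = debugger read-out locked */
} chip_t;
/* Constructed sample key, not a real network key. */
static const uint8_t SAMPLE_KEY[KEY_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
/* Boot: lock the debugger and place the key according to the chosen layout. */
static void firmware_boot(chip_t *c, int key_in_flash) {
    memset(c, 0, sizeof *c);
    c->dbglock = 1;
    memcpy(key_in_flash ? c->flash : c->xdata, SAMPLE_KEY, KEY_LEN);
}
/* Key load into the coprocessor, modelled on a routine like ZStack's AesLoadKey():
   it stages the key through an XDATA scratch buffer. The unpatched variant leaves
   that working copy behind; the patched one zeroises it once the register is loaded. */
static void aes_load_key(chip_t *c, int key_in_flash, int wipe_scratch) {
    const uint8_t *src = key_in_flash ? c->flash : c->xdata;
    uint8_t *scratch = c->xdata + SCRATCH_OFF;
    memcpy(scratch, src, KEY_LEN);
    memcpy(c->aes_key, scratch, KEY_LEN);
    if (wipe_scratch) memset(scratch, 0, KEY_LEN);
}
/* Mass erase as the reply describes it: Flash and DBGLOCK are cleared, XDATA is not. */
static void mass_erase(chip_t *c) { memset(c->flash, 0xFF, FLASH_SZ); c->dbglock = 0; }
/* Debugger XDATA dump, refused while DBGLOCK is set. Returns 1 only if the dump was
   allowed and the key appears at any offset. */
static int xdata_dump_contains_key(const chip_t *c) {
    if (c->dbglock) return 0;
    for (size_t off = 0; off + KEY_LEN <= XDATA_SZ; off++)
        if (memcmp(c->xdata + off, SAMPLE_KEY, KEY_LEN) == 0) return 1;
    return 0;
}
/* End-to-end check of one storage layout: boot, use the key, erase, then look in RAM. */
int layout_leaks_key(int key_in_flash, int wipe_scratch) {
    chip_t c;
    firmware_boot(&c, key_in_flash);
    aes_load_key(&c, key_in_flash, wipe_scratch);
    mass_erase(&c);
    return xdata_dump_contains_key(&c);
}
```

Only the Flash-resident key combined with a load routine that wipes its scratch copy leaves nothing for the post-erase dump to find.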

IT.Luddite said...

Followed the rabbit hole and ended up over here. Amazing posts, absolutely got my mind going crazy considering the possible avenues of playing. I started going through your older posts and came across this one (Smartgrid Skunkworks). Much to my dismay, I find myself as an intended target of the post and went to join the Google Groups you linked to and found that Google has killed it off due to TOS crap.

Have you had the opportunity to resurrect the group elsewhere? I would welcome the opportunity to learn and apply the lessons to the AMI and DA networks I have responsibility for.
