Wednesday, March 24, 2010

Smartgrid Skunkworks

Dearest engineers and hackers, and also their management,

Recent vulnerabilities found in smart meters and Home Area Network (HAN) devices have exposed a number of weaknesses in the engineering practices used to build these devices and their constituent components. A vulnerability in a chip or library is fixed slowly, and it is very rare for the meter and thermostat vendors affected by it to be notified by their suppliers. As a result, vulnerabilities propagate downward through the supply chain, and the engineers who build smart grid devices are left uninformed.

While those utilities that actively investigate security have a considerable amount of bargaining power with their immediate suppliers, the rest of the supply chain has no similar leverage to compel security notifications. Chip and library vendors are failing to notify the meter vendors that depend upon their components. Even when the meter vendors are notified directly of vulnerabilities, thermostat and other HAN vendors can have no realistic expectation of such a privilege.

Despite having found many vulnerabilities in microcontrollers and LPAN radio chips, I have never seen one single security issue mentioned in the errata sheets of these devices. It has been a year since I first reported to Texas Instruments that the RAM of their Chipcon 8051 core is exposed to an attacker, but there's not one scrap of documentation from the firm to its customers suggesting that they make the simple patch of moving the key variables to Flash memory. The example ZigBee stack for the chip is still vulnerable to this attack, even after recent patches! A year later, exactly two debugger commands are all that are required to extract keys from nearly every ZigBee SEP device with a Chipcon radio, and no one knows to patch their code! (Do not be smug if you are an Ember customer. The EM2xx chips are unpatchably vulnerable to debugger key extraction, and there is no mention of this in the chip's errata sheet either.)

As chip and library vendors have failed to document the publicly known vulnerabilities in their products, and as they have often been unable or unwilling to repair them, the most expedient remedy to this problem is a separate line of communication. At least one point of reference must exist for the engineers trying to build these products.

For these reasons, I have created a skunkworks mailing list for the announcement and discussion of smart grid vulnerabilities, particularly but not exclusively those in Advanced Metering Infrastructure (AMI) equipment. This is to be a list for engineering discussion, by engineers and security researchers. Anonymous posts and lurking are welcome, but politics and committee items are not.

To that end, I especially request that those firms which care about security ask--or perhaps even require--their engineering staff to subscribe. This list is the appropriate place to post questions concerning the secure use of a particular radio chip, fragment of code, or anything else too low-level or vendor-specific to be covered by standards.

If your firm is unwilling to allow its engineers to post, please at least compel them to follow the posts of others. In saying nothing, they will still learn how to make more secure products along with all sorts of fascinating gossip about your competitors. Your firm has every right to keep its mouth shut, but keeping its ears shut is a betrayal of each and every one of your customers.

To kickstart this mailing list, I will make it my first site of public disclosure for smart grid vulnerabilities over the coming months. The subscription link is below, and I invite you to join me in preventing smart grid vulnerabilities before they are created.

http://groups.google.com/group/smartgrid-skunkworks

Thank you kindly,
--Travis Goodspeed
Belt Buckle Engineer
Security Hobbyist

44 comments:

  4. Would it not be a simple matter to disable the debug interface as part of manufacturing? Such as shown on pg 54 of the CC2530 User's Guide (SWRU191A).

    Matt Farley

  5. Matt,

    The DBGLOCK bit of the Chipcon 8051 devices, including the CC2530, can be cleared by erasing the device. Such an erasure clears the Flash regions of memory, but not RAM (XDATA), allowing keys and similar things to be recovered. There is no way to permanently disable debugging on a Chipcon 8051 device other than to physically break the pins.

    --Travis

  6. I don't see a good place to hook in a patch on the TI-MAC, but in the ZStack, AesLoadKey() and AESLoadIV() look like good functions to patch.

    Matt

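The key-placement problem described in the post and in the two replies above (a chip erase clears DBGLOCK and Flash but leaves XDATA intact, so any key copied into RAM survives for a debugger to read; Matt's suggested patch points are AesLoadKey() and AESLoadIV() in the ZStack), as an added host-side model. This is example code written for this page, not code from the original post, from Texas Instruments or from the ZStack. The memory sizes, the offset of the key in the image, the write-only AES key register and the debugger primitives are assumptions made for the model and are not the CC253x register map; the key bytes are constructed. It shows a firmware path that stages the key in an XDATA buffer beside one that feeds the Flash copy straight into the coprocessor, and runs the erase-then-dump attack against both.

```c
/* Added example: a host-side model of key placement on a Chipcon-style 8051.
 * All sizes, offsets and the debugger primitives are assumptions for the
 * model, not the real CC253x memory map or debug protocol. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <stdbool.h>

#define FLASH_SIZE 256      /* assumed: tiny model of code space */
#define XDATA_SIZE 128      /* assumed: tiny model of external RAM */
#define KEY_LEN    16       /* AES-128 link key, as used by ZigBee */
#define KEY_FLASH_OFFSET 0x40   /* assumed: where the image stores the key */

typedef struct {
    uint8_t flash[FLASH_SIZE];  /* cleared by a chip erase */
    uint8_t xdata[XDATA_SIZE];  /* survives a chip erase: the bug */
    uint8_t aes_key[KEY_LEN];   /* assumed write-only coprocessor register */
    bool    dbglock;            /* debug lock, stored with the Flash image */
} device_t;

/* Constructed sample key; a real device would be provisioned a unique one. */
static const uint8_t SAMPLE_KEY[KEY_LEN] = {
    0x5A,0x69,0x67,0x42,0x65,0x65,0x41,0x6C,0x6C,0x69,0x61,0x6E,0x63,0x65,0x30,0x39
};

/* Manufacturing: program the image with its embedded key and set DBGLOCK. */
static void program_device(device_t *d) {
    memset(d, 0, sizeof *d);
    memcpy(&d->flash[KEY_FLASH_OFFSET], SAMPLE_KEY, KEY_LEN);
    d->dbglock = true;
}

/* Stand-in for a stack routine such as AesLoadKey(): takes any pointer. */
static void aes_load_key(device_t *d, const uint8_t *key) {
    memcpy(d->aes_key, key, KEY_LEN);
}

/* Vulnerable boot: copies the key into an XDATA buffer before loading it.
 * The buffer is never wiped, so the key sits in RAM for the whole power cycle. */
static void boot_vulnerable(device_t *d) {
    uint8_t *key_ram = &d->xdata[0x20];  /* a global or stack buffer in XDATA */
    memcpy(key_ram, &d->flash[KEY_FLASH_OFFSET], KEY_LEN);
    aes_load_key(d, key_ram);
}

/* Hardened boot: the key goes from Flash straight into the coprocessor, so
 * no copy of it ever exists in XDATA. */
static void boot_hardened(device_t *d) {
    aes_load_key(d, &d->flash[KEY_FLASH_OFFSET]);
}

/* Attacker with debugger access. DBGLOCK only gates debug reads; the chip
 * erase that clears Flash (and with it the lock) is always permitted. */
static void debugger_chip_erase(device_t *d) {
    memset(d->flash, 0xFF, FLASH_SIZE);
    d->dbglock = false;
    /* xdata is deliberately left untouched, as described in the post */
}

/* Debugger RAM dump searched for the key. Returns the XDATA offset of the
 * key, -1 if it is absent, or -2 if the lock still refuses the read. */
static int find_key_in_xdata(const device_t *d, const uint8_t *key) {
    if (d->dbglock) return -2;
    for (int off = 0; off + KEY_LEN <= XDATA_SIZE; off++)
        if (memcmp(&d->xdata[off], key, KEY_LEN) == 0) return off;
    return -1;
}

/* Full scenario against one boot routine: provision, boot, confirm the lock
 * blocks a direct dump, erase, dump again. Returns the post-erase result. */
static int attack(void (*boot)(device_t *)) {
    device_t d;
    program_device(&d);
    boot(&d);
    if (find_key_in_xdata(&d, SAMPLE_KEY) != -2) return -3; /* lock must hold */
    debugger_chip_erase(&d);
    return find_key_in_xdata(&d, SAMPLE_KEY);
}

int attack_vulnerable(void) { return attack(boot_vulnerable); }
int attack_hardened(void)   { return attack(boot_hardened); }

int main(void) {
    printf("vulnerable firmware: key at XDATA offset %d\n", attack_vulnerable());
    printf("hardened firmware:   key at XDATA offset %d\n", attack_hardened());
    return 0;
}
```

The vulnerable path reports the key at XDATA offset 32 after the erase; the hardened path reports it absent, because the only way past the lock destroyed the one copy. On real hardware the equivalent check is to erase, dump XDATA and search the dump for your own provisioned key. Any other RAM copy made by the crypto library (a stack buffer, a round-key schedule) leaks the same way, so search the whole dump rather than one variable, and confirm from the datasheet whether the coprocessor's key register can itself be read back, which this model assumes it cannot.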
  7. Followed the rabbit hole and ended up over here. Amazing posts, absolutely got my mind going crazy considering the possible avenues of playing. I started going through your older posts and came across this one (Smartgrid Skunkworks). Much to my dismay, I find myself as an intended target of the post and went to join the Google Groups you linked to and found that Google has killed it off due to TOS crap.

    Have you had the opportunity to resurrect the group elsewhere? I would welcome the opportunity to learn and apply the lessons to the AMI and DA networks I have responsibility for.
