> In the video it appears that Peter was using the Flipper Zero to wirelessly turn the power meter on and off, which also controlled the power to a large AC unit. Eventually, switching the meter on and off while under a heavy load resulted in the meter self-destructing and releasing the magic smoke.
Calling out Flipper Zero for someone (ab)using the meter's remote control features cuts me the wrong way: you could've done the same with any other SDR, not just the Flipper Zero.
It's not even a surprise this happened; the cut-off is not meant to be operated constantly to cut heavy loads. Similarly, you should not use a breaker to turn off heavy (or any, for that matter) loads, as you're needlessly wearing down the protective device instead of a separate cut-off switch that's designed to be replaceable, especially since it can be positioned downstream from the protective device.
It all boils down to which part of the circuit you can easily repair in case of a fault; in this case the meter is by far the least accessible.
Why would a power meter allow an unauthenticated client to turn the thing on and off wirelessly?!? Sure, if you flip a switch handling a large current often enough, something will break (and I am impressed it's not the AC in this case).
But why does the power meter accept commands from something 'outside', something untrusted?
I mean, why are power lines not locked up and buried underground in secured, locked steel cages?
Because some things work better with trust vs convoluted security.
I think this is something a lot of computer nerds don't get (myself included at one point). It's almost like if something can be accessed we are allowed to access it and it's the fault of the person securing it. But a lot of our society works on trust and I think we'd live in a much more difficult world if everything had to be secure enough to resist any attack.
If this thing was connected to the internet I get it, but you already need physical access to the meter, so why add another layer of security on top of that? If someone wants to mess up your power and they have physical access, there are plenty of ways they can do it without wireless communication.
Because security is not a priority for the industry. Most have no security, default authentication in the rare case that they have it, and they use protocols with no support for it. The field is decades behind in security practices (it's pretty much IoT) and won't improve unless forced to.
It's also difficult to update such devices in the field so even if they do fix such issues it's only for new units or a new product line which most customers won't bother with until forced to by regulations / incidents as it's expensive to replace them (you have to send someone out on the field as there are pretty much no OTA updates).
> Why would a power meter allow an unauthenticated client to turn the thing on and off wirelessly?!? Sure, if you flip a switch handling a large current often enough, something will break (and I am impressed it's not the AC in this case).
I would guess until recently power meters just had no reason to be secured. We live in a multi unit building (I would guess around 120 of them). There is a shared key that goes to the central electricity room where the meters for all units are. I could turn off anyone's electricity by either unscrewing the main fuses there or by switching the breaker. People are a lot more trustworthy in practice than you would think.
The security of billions and billions of devices (e.g. industrial control systems, PLCs,[0] SCADA,[1] ERTs,[2] etc.) that are responsible for controlling and monitoring virtually every aspect of modern life (e.g. power grid, water purification, natural gas transmission, oil and gas extraction, vehicle traffic control, rail signalling, pharmaceutical manufacturing, etc.) is appalling.
The manufacturers and integrators of these devices are just now beginning to realize that the internet exists and that their devices aren't always connected to perfectly isolated RS-485[3] networks or connected to a network at all. They commonly contain hard-coded passwords, passwords with staggeringly limited length and complexity, plain-text authentication, default passwords, and other backdoors. Working with such devices is like taking a DeLorean back to the early 90s, the eighties, or even earlier... it's the wild west.
It pleases me beyond words that hacking contests like Pwn2Own[4] have begun to include these systems in their competitions. This is a massively important area of security research that has historically been ignored.
We don't know whether the meter accepts every command, or the device has a fixed security protocol reverse engineered and known by researchers.
These protocols exist to get current readings from meters for data retrieval ease, and generally have a combination of security through obscurity and simple authentication to enable mass readings (by authorized people) easier. IIRC, these things can talk P2P in densely populated areas, and you can get all meters' readings in mere minutes, tops.
Anyway, after an initial PoC, the rest of the video gets into equipment-abuse territory, and I got angry and sad while watching it. You can do it, OK, then why damage things which are not yours? Document your findings and leave.
An untrusted finger can just switch the main breaker or an untrusted hammer can just smash the meter. There are far easier ways to be destructive if you have physical access to the meter, which by default everyone is going to have because meters are required to be accessible by the public per electrical/fire/building codes.
> you could've done the same with any other SDR, not just the Flipper Zero.
The specialness of the flipper zero is not that it can do more than any other SDR. The specialness is how easy it is to use. The question is what you can do in that 'easy mode'.
That, in the easy mode, you can do this kind of realistic and meaningful damage is noteworthy. Because this potential is brought to the masses. It probably won't be the start of widespread SDR-based cyber-crime, but that brings it one step closer. That is why I consider this noteworthy news about the flipper zero specifically.
Since the advent of cheap SDRs and TI CC1100 devkits it's been a case of "grab code off GitHub and go do shenanigans". The only specialness here is that it's battery powered, but even previously you could have been running a laptop and HackRF in your backpack.
That said, it's also important to demand device makers build better protections into their software (like rate limiting) in the same way they do for the hardware. Otherwise it leaves the door open for legislators trying to ban screwdrivers (tools).
For any remotely-controllable power meter, its contactor switch should have been designed to sync with the zero crossings of the AC waveform. That would have completely prevented this damage.
I know it would have made the meter more expensive, but it was absolutely foreseeable that a wild RF signal could have induced repeated contactor reclosings. They should have built it properly.
I got the vibe they were treating it as a cool hacker tool not calling out the Flipper Zero. But I don't know what any of this is really. I'm just some guy!
At the same time, I'm in awe and in horror of seeing those high-current, high-voltage disconnects being opened only to end up with a few-meter-high arc of current jumping through the air between contacts.
I was taught the procedure of disconnecting a 10/20kV disconnect for an on-site transformer (alas, only an old one that had been decommissioned) and that thing scared the crap out of me when I first heard the spring loaded high voltage disconnect actuate.
Having a 3-meter fibreglass pole to actuate the thing, just in case, tells you there is a real risk of the thing blowing up in your face, on a good day.
This has nothing to do with the Flipper Zero or any other device using the CC1101 chip. It is the responsibility of the manufacturer of such smart meters to make them safe, and if they are incapable of preventing a sub-$10 chip found in thousands of devices from causing catastrophic failure, then who is guaranteeing me that the meter is actually counting correctly?
This is a failure of regulators and the manufacturer; the media will spin it and next thing you know Flipper Zeros will be banned and smart meters will be as shitty as this one.
No device is built for abuse like this. You could flip a switch manually multiple times and cause failure.
Do you even know how much regulation exists behind meters and electrical equipment?
What's next, complaining that the meter can't handle a sledgehammer?
You call it weakness, I call it vandalism.
Same as the brats who go and do a "TikTok challenge" of robbing an easily accessible car, then find out they're not immune to handcuffs and jail cells.
Edit: and while self-protection/rate limiting would be good, this could just as easily be turned into a denial-of-service attack by causing the switch to stay off. Better than failure, sure, but still an issue.
I agree that for a single meter (which for some reason is bolted to the outside of the house), the risk of vandalism is the same, whether it is remote controlled or not. However, a vulnerable wireless (or even internet-connected) meter would allow massively scaling up the attack. Taking an entire city (or even country) off the grid by flipping all the breakers would cause some serious damage.
Oh no, it definitely can and should. There's absolutely no excuse for not adding a sensor or even a dumb counter to implement a simple action limiter and constrain operation within a safe envelope. It's basic engineering.
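As an added illustration of the action limiter this comment calls for (example code, not from any commenter or any real meter firmware): a C gate in front of the disconnect contactor that enforces a minimum dwell time between state changes and an hourly operation budget, with a denied-command counter the utility could read back. The thresholds, type names and the toggle-burst scenario are assumed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Thresholds are assumed for illustration, not taken from any real meter. */
#define MIN_DWELL_MS        30000u   /* no state change sooner than 30 s after the last one */
#define WINDOW_MS         3600000u   /* operation budget is counted per one-hour window */
#define MAX_OPS_PER_WINDOW      4u   /* at most four state changes in that window */

typedef enum { CMD_OPEN = 0, CMD_CLOSE = 1 } relay_cmd_t;

typedef enum {
    LIMIT_ALLOW,        /* command is inside the envelope, contactor may be driven */
    LIMIT_DENY_NOOP,    /* already in the requested state, nothing to switch */
    LIMIT_DENY_DWELL,   /* too soon after the previous state change */
    LIMIT_DENY_BUDGET   /* hourly operation budget exhausted */
} limit_result_t;

typedef struct {
    bool     closed;           /* current contactor state */
    uint32_t last_change_ms;   /* time of the last accepted state change */
    uint32_t window_start_ms;  /* start of the current budget window */
    uint32_t ops_in_window;    /* state changes accepted in this window */
    uint32_t denied_total;     /* the "dumb counter": readable as a tamper indicator */
} relay_limiter_t;

void limiter_init(relay_limiter_t *l, bool closed_at_boot, uint32_t now_ms)
{
    l->closed = closed_at_boot;
    l->last_change_ms = now_ms - MIN_DWELL_MS; /* unsigned wrap: first command is not dwell-blocked */
    l->window_start_ms = now_ms;
    l->ops_in_window = 0;
    l->denied_total = 0;
}

/* Gate one command against the safe envelope. Call this before driving the coil. */
limit_result_t limiter_request(relay_limiter_t *l, relay_cmd_t cmd, uint32_t now_ms)
{
    bool want_closed = (cmd == CMD_CLOSE);
    if (want_closed == l->closed)
        return LIMIT_DENY_NOOP;           /* repeated commands never reach the contactor */

    if (now_ms - l->window_start_ms >= WINDOW_MS) {   /* roll the budget window */
        l->window_start_ms = now_ms;
        l->ops_in_window = 0;
    }
    if (now_ms - l->last_change_ms < MIN_DWELL_MS) {
        l->denied_total++;
        return LIMIT_DENY_DWELL;
    }
    if (l->ops_in_window >= MAX_OPS_PER_WINDOW) {
        l->denied_total++;
        return LIMIT_DENY_BUDGET;
    }
    l->closed = want_closed;
    l->last_change_ms = now_ms;
    l->ops_in_window++;
    return LIMIT_ALLOW;
}

/* Constructed scenario: a sender toggles the contactor every period_ms for n commands,
 * always requesting the opposite of the current state. Returns how many actually switched. */
unsigned simulate_toggle_burst(uint32_t period_ms, unsigned n)
{
    relay_limiter_t l;
    limiter_init(&l, true, 0);
    unsigned switched = 0;
    for (unsigned i = 0; i < n; i++) {
        relay_cmd_t cmd = l.closed ? CMD_OPEN : CMD_CLOSE;
        if (limiter_request(&l, cmd, (uint32_t)i * period_ms) == LIMIT_ALLOW)
            switched++;
    }
    return switched;
}

int main(void)
{
    unsigned n = simulate_toggle_burst(200, 1000);   /* 1000 toggles, 5 per second */
    printf("toggle burst: %u of 1000 commands reached the contactor\n", n);
    return 0;
}
```

The envelope protects the contactor from wear, but a single accepted "open" still leaves the load off until the dwell time passes, so the limiter complements rather than replaces authenticating the command source.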
I think the law is a good second line of defense. Humans are wired to think "if I gave into that Intrusive Thought, I would suffer consequences." So that mostly keeps us in line. But, a good password and some input validation also get you pretty far; nothing is better than a computer at telling you "No!" No judge, jury, or building with bars over the windows required. Just some text in your text editor, and then if someone wants to be evil, they can't be. Pretty good.
The denial-of-service scenario does not render the issue moot; on the contrary, it is another example of what can go wrong when these devices are not secured properly.
In general you have a point, but making these devices accessible to remote tampering is an avoidable escalation of risk with no counterbalancing upside.
The more media attention and crappy unauthenticated infrastructure broken, the better.
Requiring proper security in public infra creates market requirement for companies to release better, more secure, products to the public infra market. Not just whatever open radio based MVP thing they can whip up.
And that creates jobs for not just EE engineers, but as security requirements increase then it creates jobs for SW engineers also (and if the existing players are too slow, opens the market for agile startups that can do it better).
What's more, it makes our infrastructure more resilient to random RF and electronic warfare.
My bet is that they are leading with the Flipper Zero for a reason.
This shit has been broken since the beginning and enacting laws to fix this shit will be slow and expensive and many companies will be lobbying against it. Much easier to outlaw the Flipper Zero - as if that was the problem.
Unfortunately even though the unprotected meter is at fault here, this is more likely to result in an SDR ban rather than getting all crappy meters fixed.
Interesting... I used to work on testing these old Elster meters. Looking at the style number of this meter, it doesn't look like it's equipped with a disconnect relay, so at least he's not messing with that (even if a meter was equipped with a disconnect relay, the meter display should still be on during a disconnect event). I suspect he's cutting power to something other than the meter itself.
I also see it's equipped with EnergyAxis (Elster's proprietary wireless network), so at the very least he'll be getting a fun visit from his power company wondering why he tripped various tamper-detect flags in the meter (assuming his power company is actually Ameren, a utility company in Missouri and Illinois, and not in Canada like his YouTube profile says...). Since it also has that radio, I know it should also be encrypted. Unless that specific power company disabled LAN/WAN encryption... which we generally don't recommend, and Canadian power infrastructure is pretty strict anyway when it comes to meter security.
I'd be interested to see what exactly the flipper was communicating with (I'm sure my upper management would be even more interested as well).
Edit: I also just noticed the meter is stuck in test mode and the backup battery is missing. You can actually buy these meters on eBay, which is what I'm suspecting this guy did.
The smart meter should have had better security. But the device isn't designed to switch heavy loads repeatedly, this is only meant to be used sporadically as an emergency cut-off (for instance, in case of a fire or if the customer is permanently disconnected for some reason). In case of a fire nobody cares about whether or not the smart meter survives. In case of a disconnect for administrative reasons the disconnect usually happens at night to minimize the risk of arcing.
Keep in mind that your typical electrical service is tens of kW, and that switching that kind of power repeatedly under load requires a device that is essentially sacrificial in nature. Now let's see what they charge you for that meter replacement; it's not going to be cheap.
Note that the meter isn't yours to mess with, it is in your house and on your property but from an administrative perspective your stuff starts after the mains cutoff which is downstream from the smart meter. Anything before that including the mains cutoff is the property of whoever manages the local network, either a specialized grid operator or the utility company that sells you the power. You can see which way it works by looking at your electricity bill and by whether or not you call your utility when there is a problem with the local grid or the network operator. Where I live these are separate legal entities, but in some places it is just the one.
Finally: don't mess with the grid, it's a shared resource. It is trivial to cause damage by for instance injecting power at higher voltage levels than the appliances in the houses around you can deal with, blowing up a meter before your ability to cut off can have very unpredictable effects. In theory it is all safe and it should be able to withstand some abuse but in practice older networks still exist and not all of them are equally robust. So just don't.
Companies are remotely turning off meters for billing reasons when that isn't completely safe? They're just hoping and assuming if they do it at night there won't be much load? That doesn't sound very reassuring.
The apartment buildings in my area all have wireless gas leak detectors, this video makes me want to take out my HackRF and start experimenting with mine.
Flipper Zero isn't what's causing this, the bad "smart" devices are, and the culprits themselves, of course. Just because you can hack a system, doesn't make it legal. Know your local laws. Mine says "accessing any IT system without authorisation is punishable with imprisonment from 3m to 3y; accessing the aforementioned system with the purpose of obtaining data is punishable with imprisonment from 6m to 5y.", vague enough for all of these things.
And reporting to the vendor is suicidal. At least assuming the stories I hear about vulnerability disclosures are representative, which I think they are.
In their place, if I were to inform the company, I'd do it anonymously. If it was an actually important issue - as this very much looks like - I'd consider informing the building manager, HOA, the gas installation company they use, and every local journalist, all together so they know about each other - and then CC that to the vendor.
I thought the same. I think they probably meant "causes meter to self-destruct". Whether that's true or not depends on whether the functionality was used correctly. It's definitely possible to destroy a device by abusing "permitted" inputs. For example, revving a cold petrol engine will eventually ruin it. In that case the title should really be "guy destroys meter (using a Flipper Zero)".
In The Netherlands, functionality to remotely disable smart meters is forbidden by law to protect from (large scale) cyber attacks. Seeing how poor the security on this specific meter is, it only confirms that this was a great decision.
[0] https://en.wikipedia.org/wiki/Programmable_logic_controller
[1] https://en.wikipedia.org/wiki/SCADA
[2] https://en.wikipedia.org/wiki/Encoder_receiver_transmitter
[3] https://en.wikipedia.org/wiki/RS-485
[4] https://en.wikipedia.org/wiki/Pwn2Own
But security is rarely found in products where it only might prevent the loss of profit.
The presence or absence of security in a product always reflects the incentive structure of the business that produces the product.
Itron's OpenWay system, for example, has used ECC encryption for quite a while:
https://www.itron.com/pl/company/newsroom/2016/06/09/itron-r...
Citation needed.
I don't want to live in a world of max pessimum.
I think most folks don't understand electric components don't like being manipulated under a load.
To rate-limit switching would be a no-brainer here.
My freaking standing desk has protection if I go up and down too much within a certain period of time.
Like I said, I have zero trust this meter is accurate when it doesn't even have simple protective circuitry.
Sure, this is targeted abuse, but your device should not accept unauthenticated radio input that allows destruction.
This is ridiculous. Manufacturers are responsible for the safety and security of their products. It's a perfectly legitimate expectation.
The meter should not accept unauthenticated commands and should have temperature protection.
What if the electric operator’s software malfunctions and causes rapid power cycles to customers’ meters?
The end result would be the same, and it certainly wouldn’t be considered “abuse” then.
The SDR-related blog is also unlikely to have an agenda that includes getting certain types of SDRs banned.
Utilities are - if anything - usually quite responsible and if they mess up they are liable for any damage they cause.
As soon as I would discover I could do that, I would inform the company, not some script kiddies on the internet.
This is just irresponsible.
You can't self destruct something else. You can only self destruct yourself.