My name's John McNabb, presenting on vulnerabilities of wireless water meter networks. I won't read all this, but the quick summary is I come to this from a water-centric position. I ran a local water department outside Boston for 13 years, and one of the last things we did when I was there was look at wireless water meters. To be honest, when we were looking at them, and I was pushing adopting wireless water meters, I never thought of security. So after I left I was thinking, gee, maybe I should look into these things a little more. Last year I gave a talk here on cyber terrorism and the security of the national drinking water infrastructure, which was a basic overview of the physical and cyber vulnerabilities of the entire drinking water infrastructure of the country. The short story is that any individual water plant is vulnerable for a number of reasons, but the entire infrastructure isn't, because it's fragmented; they're not connected like the electric grid is. But one potential area of entry is, of course, any wireless networks that they may have, and this will focus on the wireless water meter networks. I presented this at Black Hat a few days ago, and part of my white paper is going to be published in a book, Weapons of Mass Destruction and Terrorism, second edition, when it comes out next year. The book is a collection of papers on that topic. And interestingly enough, Hacker Japan was very interested in my talk last year, interviewed me for three hours after my presentation, and I was the cover story in their March 2011 edition. So I'm very popular in Japan, apparently. I tried to read the article, but I don't know what it says about me, so presumably it's positive.
So, what this talk is about: water meters, obviously, and what they're used for. It's not going to be as much of a deep dive as I said in the abstract; I'll get to that later. But I'm looking at what they are, what they're used for, what they could be used for, what the potential avenues of attack are, what the concerns and the issues involved are. The need for this is that while they're not a major part of water departments across the country right now, their use is increasing, and I'll get into that as well. I give a very detailed analysis of the overall drinking water infrastructure in my Black Hat white paper, which you can email me for; my address is on the first slide, it's also on the last slide, and it's in the PDF on your CD, and I'll send you a copy of the white paper. Okay, the water meter: the cash register. To oversimplify, it's money to the water department. For you as the homeowner, it's how they determine your water bill from the previous reading: the difference between the previous reading and the current reading is the amount in gallons or cubic feet, and then it's applied to the water rates, and that's how they determine the usage part of your water bill. Overall, annually, it's about 40 billion dollars a year that water utilities take in, mostly from the results from water meters. Not all systems are metered, but in the U.S. most systems are. Strangely enough, in other parts of the world water meters are not a common occurrence, but in the U.S.
almost every water department has water meters to determine the usage. The alternative would be a flat rate or fixture fee, which is a flat rate applied to how many faucets and toilets and so on you have in your house. The disadvantage of that is it doesn't properly account for the usage, and so it's harder for the water department to recover the cost of producing the water, which is what the water rate is really all about. I could get into further analysis, which is very interesting: when you're a water commissioner trying to figure out how to set the rate, you have to set it to not just cover your day-to-day expenses but also your capital maintenance on an ongoing basis, and that's a big problem nationally as well. Average monthly water bills range greatly; it depends upon local practices, what the local governmental authority decides to adopt, and there's really no consistency in what rates are across the country. So what could go wrong? Outside of the fact that meters sometimes just break: they get clogged over years with what we politely call sediment, which could be any solid matter in the water pipes, and for certain types of meters that can lower the readings, that can slow down the process of accounting for the water. But it's also theft. The electric utilities assume about 10% theft or loss from theft or bypassing meters, and there's no similar statistic for the water industry; again, it would depend upon jurisdiction. So theft of services in general, whichever utility deals with it, is a serious issue, because any dollar they don't collect to help recover the cost of operations and capital maintenance they have to get from somewhere, so it increases the rates for everyone else. And also bad practices with meters can cause a problem. Brockton, Massachusetts, for example: the city council just conducted an audit of their water department after the water department realized that over the last 15 years they hadn't been
reading the meters properly and that they'd been undercharging people, and so they unwisely decided to give people retroactive bills going back 10-15 years. I went through that inadvertently in my town, and it's not fun; people do not like retroactive bills, and I think the legality of it is questionable wherever you are. And they were handing out bills like $90,000, $97,000, so as you can imagine the citizenry got up in arms and got the city council to look into it, and the audit revealed that for 15 years most of the meters hadn't even been read. You could read them, you could send the meter reader around and read them, but they weren't reading them; they were giving estimated bills that had no relation to how much water was going in, and gee, that's why they had fiscal problems, and they weren't using the billing process properly. So there's a lot the water department can get wrong without, you know, malicious third parties getting involved. Clearly it's not just the hackers or the malicious third parties, but we'll look at all those issues. Actually, in terms of water meters, very briefly, I want to do some technical stuff here, I guess, but I won't go through all this in detail. The most common types of meter: there's displacement, velocity, ultrasonic, electromagnetic, which are my favorite. We were trying to adopt those in my town, because the water just flows through the meter; it's not stopped by a disc that turns around or something that detects the velocity of the water, so the electromagnetic flow meters, using Faraday's law of induction, are less susceptible to being clogged, as you might imagine. But the most common type used in the United States is a positive displacement meter that uses a nutating disc, which is just a disc that spins around, and so they know how much is in that area of the water meter that the disc turns around in, and every time it turns around it registers a certain amount, which appears on a dial. And there are many different kinds
of registers, we call them. This is one common type that basically is an odometer-type readout, and then a dial, and after the dial goes around one turn, then it clicks on the far right part of the odometer. That's the old-fashioned, historical one that's still out there in millions of homes across the United States, that uses a mechanical process for both detecting the amount of water and reporting it. This is, you know, generation one, perhaps, but now we're up to generation three, which I'll get to later, and some improvements. So, data collection methods. I could go into great detail, but we don't need all the detail here. To make a long story short: eyeball. There's an eyeball right there. So you send a meter reader in; they knock on the door, they go in the house, they go down to the basement, they find the water meter, of course they've been there before, hopefully, so they know where it is, they get through the stuff in the basement and they put a flashlight on it and they read the register. And again, that's still what's being used in millions of homes across the United States. So the meter reader has to write that down; usually it's handwritten, they have a sheet and they hand-write it down, and then when they get back, after they do everything in the route, they go back to the plant and then someone types it in, or hand-writes it down and then types it again. So you get lots of opportunity for human error. You can also have computer error, but this is mostly a human error type of problem. Then, to get more into computerization, you've got the walk-by. So you attach, even on these older meters, there are like two or three wires you can attach a reader to; then you drill a hole and it goes to the outside of the building, and we call it a gun: it's a handheld computer whose only purpose is to read the meter. So you put the gun on the device at the outside of the house and it electronically downloads the
information. And so after the meter reader's done his entire route, we still have to walk to the house, but he doesn't have to get in, so that reduces the problem of having estimated readings when you can't get into the house, which still occurs; some people don't want to have the meters read for some reason. So what we did in my town is we gave them estimated readings of like five thousand dollars, and that got them to come to the water plant to say, hey, what are you doing, and we said, well, we just need a meter reading, and then they say okay, fine. Otherwise we can't charge them five thousand dollars, but that's a way of getting their attention. So the town council might have got involved in that, but we didn't have that many, and it worked, so we abated the five thousand and then we gave them the proper bill. Then there's drive-by, which is getting closer to what we're really talking about. So instead of having the meter reader go put the gun on it, it sends a signal out that can be received from the street, and there are varying ranges for these things, and it's just automatically downloaded as they go by. So that's getting closer to the ideal of a smart meter or meter network, which is our next slide: a fixed network. This is what you hear about on the smart grid. The water smart grid, if you can call it such a thing, or the water smart meter, is the little sister or brother of the electric smart grid, which is moving faster and being developed more frequently across the country and across the world. So actually, to research this, there wasn't much out there on the water smart grid, so I'm adapting a lot of things from the electric smart grid and fixed network architecture, which is basically being copied for the water and for gas and anything else that is a utility provision. So instead of having a drive-by, the signal of course goes out everywhere, and depending upon the topology and the
size of the community, if you're lucky they can all be received at the center, at the administrative headquarters or where the billing center is located, and all be collected there. In most cases, even in small towns, you get geography problems; it's tough to depend on the signal getting there all the time. You can set up repeaters, you can do a mesh network in the long run, or you basically set up aggregators. Washington, DC does this: they have aggregators, so the water meter sends the signal out using RF, radio frequency transmission, and then it goes to an aggregator in the neighborhood or that area of the city of Washington, DC, and then it's sent by cell phone to the water plant, to the billing system. There are a lot of different means for sending the signal automatically. RF is the most frequent, but there are also cell phones; power lines are used by electric utilities, obviously, but for some reason are not used in water in the U.S. as a means of sending the signal, but that's another possibility; cable is another one. So without getting into the technicalities of the different means, I'm going to be focusing a little later on the most common one, which is radio frequency, which is also one hopefully we can do something with. The other key thing about the fixed network is that it can allow two-way communication. Now, with electric smart grids, that gets very interesting when you also add to it a home area network, which might have been talked about in the talk previous to this, which I wasn't able to see because I was getting ready for this. But home area networks are very interesting, because it's the Internet of Things: everything, every electric appliance in the house has an IP address, they're connected to a central controller that the homeowner can presumably control, but also the utility can control, to turn things on and off, to deal with power surges or reduce the use of things that aren't actually being used
when they've got a heavy load, things like that. No one's really talking about that for water, for obvious reasons, because basically it's mechanical issues; you can't really do the same thing. But it gets into interesting questions that I'll get to a little later. So the topology isn't very interesting, it's probably conceptually a star, but the key thing is two-way communication. So suddenly your water bill can be read almost any time, instead of every quarter with the eyeball or the walk-by or even the drive-by: it can be monthly, it can be daily, it can be hourly, every five minutes; you can put any household, anybody on your network, on any schedule you want. Basically the trick is how much information you want to get, and really knowing what you're going to want to do with it. So that gives us a lot of advantages in terms of information collection. The benefits of the... okay, these terms, AMR, automatic meter reading; AMI, advanced metering infrastructure; and smart grid, are sort of fluffy. You could be talking about one when someone else thinks you're talking about the other. Automatic meter reading could be the drive-by, the walk-by; that's not really advanced metering infrastructure, but we're going to focus from now on on the fixed network system, which is smart grid or AMI for water. So it lowers the meter reading cost; it theoretically allows better accuracy, even though, that's what they say, in many cases you'll see if you do some research like I did that a lot of people have higher bills or the bills don't make any sense with the wireless readings. It's better for the water utility in terms of helping resolve bill disputes, because the computer never lies: you can just see if that's what the computer said. And better customer service: in terms of if someone comes back from vacation and they think they had a leak, someone at the plant can actually
look at: here's what the readings were while you were away, or while you were home. It's more information that can be used to help the consumer better understand what they're using for water, maybe help them do better water conservation; it helps the water utility keep better track. These two charts on the right are very interesting in terms of showing examples of how the water utility can use the information, even on a daily basis. On the top graph, the water utility has an outdoor watering restriction, and see that black line: that's when someone evaded it by putting their automatic sprinklers on in violation of the restriction. Before you had the automatic meters, you could find that out if you drove around and saw that that was on, and you could do something about it, but you can't catch them all that way. This is an easier way of doing it; you could presumably set up the software to give you an alert for that. And then leak detection: the main reason why I was pushing for it in my water department years ago was that if you set up for daily or hourly, or pick an interval, at some point if there's no leak it's going to go to zero, because there are many times when no one's flushing a toilet, no one's turning a faucet, you're not running the washing machine or the dishwasher. So if it never goes to zero, you suspect there's a leak, and you can go further from that. So it's got a lot of uses to the water utility. And the growth, right now, going to the second-to-last bullet: only about 7% of water utilities in the United States have what we would call smart meters, the AMI, the wireless water meters that we're talking about. But looking at the studies that have come out, looking at the entire smart grid for water, gas, electric, it's projected to explode, to make major increases in the next 10 years, and that's mainly because California is ahead
of the curve, because they have a state mandate to reduce water consumption 20% by the year 2020, which is quite a chore, actually. I mean, after you eliminate unnecessary water uses like watering lawns, it gets tough to fine-tune the water use, and so this is a useful tool for the water utility and for the homeowner in California to keep track of the water use and reduce it as much as they can. So, looking at the information that we're talking about, what are the benefits, digging deeper, of the information that the water utility can get? Obviously it's part of the billing record; that's what it's for, that's the major reason. It's for leak loss analysis, but it also allows them to look at the usage: when's the peak usage, what part of town does the peak usage come from, maybe there's an issue there they can look at, maybe it helps them plan the running of the plant and the withdrawal of water from the source if they know better where the peaks and the valleys are, minute to minute, throughout the water district. Conservation I mentioned a few times; feedback directly to the consumer, so there's a potential benefit to the consumer, and this is from a report from California, and it's almost essential in California for the utilities to tell the state what they're doing or not doing to meet the mandate. So, summing it all up, the wireless water meter is an embedded device; it's a node in a sensor network, I'll get to that; it's a data and information collection device, and that's why I'm talking about it at an IT security conference. It's not just a mechanical device that deals with water; it's an information collection device. It's an electronic cash register now, instead of the old metallic one that I showed in an earlier slide, and it allows for better conservation, and of course, could it be Big Brother? So it's hard getting a handle on looking at a water meter, because there are so many
different kinds. There are about 20, over two dozen, manufacturers. That pie chart is from a study looking at some estimates of market share; Itron and Neptune are the biggest ones. There's also Sensus, Badger, Hexagram; those are ones that I've done some research on. But it's a big field to try to get a handle on, because there are at least that many manufacturers, they have different models, they have different types of meters; some of them are transceivers that can go on an existing meter, some are ones with the transceivers already built in to the meter. So there's a lot of variety here, because there are no standards, really. The standard they need to meet is the American Water Works Association standards for proper operation of a water meter, but as far as I know that doesn't address the wireless portion or a lot of the issues that I'm talking about. And as I mentioned earlier, they can deal with a lot of different transmission methods: phone lines, cable, power lines, radio frequency, or a combination. And again, the most prominent one is power lines. Checking my time. So, looking into how they are put together, what's the technology and the engineering used; again, I won't read all this, but patent information is very, very useful. So I bought a couple of water meters and transceivers on eBay, and one of the ones I got was a Sensus MXU model 550, and they're very helpful in actually printing the patent number on the outside of the casing. So I took the thing apart, and I'm afraid to say I didn't get very far, but I took it apart, identified as much as I could what the different parts were, and here they're described: we've got an Intel 8050 family integrated circuit, we've got a one kilobit EPROM; it gives the description, in the third bullet, of what the interrogation mode is, what information is sent out and received. So I'm still going through this patent and some other ones, and trying to pick a number of
water meters to really dig into. But you can see it's mostly off-the-shelf components; not many people are designing specific hardware or software for the water meter. They're using off-the-shelf chips, processors, EPROM and transceivers, as it turns out. So looking generally, as part of my research, I realized that a water AMR/AMI smart meter smart grid is a type of wireless sensor network, which is a large network of resource-constrained sensor nodes with multiple preset functions such as sensing and processing. So the sensor node, of course, is the water meter, and the major characteristics of a water meter and a sensor node in a wireless sensor network are: a low-power processor, and that's true in our case; low energy, they have batteries that are usually good for five to 20 years. There are some models coming out now that actually plug in and use AC power, but for the most part they use batteries, because you never really know where it's going to be placed when you produce it, and even if it's in someone's basement you can't guarantee there's going to be AC power near it, so they depend on battery power. So it's low energy, and small memory: one kilobit, sometimes you get four kilobits of EPROM, so not much you can do here with software, perhaps. So looking at wireless sensor networks in general, there's a lot of literature on this you can get off the web, a lot of computer scientists looking at what wireless sensor networks are, what the potential attacks are, what the potential defenses are, and it's really a taxonomy of everything that we're used to looking at for networks: active versus passive, outsider versus insider, mote class versus laptop class, attacking from an actual sensor node or water meter. So I think laptop class is probably more useful, where you're using a laptop with the right receiver and software and you're getting into the network. So the bad things you could do are interrupting the signal, and again this is
in general for wireless sensor networks: interception, modification, replay. And the countermeasures, again in general, but applying here as well, basically boil down to authentication and encryption, which you don't see in a lot of low-power, low-memory, low-processing-ability wireless nodes, and again that's the case we see in water meters as well. So why would anybody want to hack a water meter? I mean, that's really what started my questioning, looking into this: how could you abuse this? It's maybe not as interesting as an electric meter or many of the other things that people at this conference talk about, but there are things that need to be looked into. Could you reduce your water bill? Could you increase someone else's water bill? Could you steal water? Theft of service right now is being done so well in many utilities by just mechanical means, I mean the good old-fashioned method: you put the meter in backwards, we see that occasionally; you bypass the meter, so you get someone who knows how to do plumbing and you just go around the meter, you find that a lot out there. But this is a more sophisticated way, if it can be done, to actually do a man-in-the-middle, potentially, and give the wrong information to the water department. Evade water restrictions: a very important thing in my community. When you had water restrictions, people get very hot under the collar that they can't water their lawn, and some of them think they've got a God-given right to water their lawn and use the water, and the water department usually doesn't mind, because they're paying for the water and they can afford to pay for the water. But again, if you have a water restriction because you have a problem with the supply, everyone's got to obey it. So if you want to evade the water restrictions, and you want to gamble that someone from the water department's not going to drive by and see that you're
doing that with the outside sprinkler, if you can do it, you change the readings that they get from your wireless water meter and they're none the wiser. Could it be used for surveillance of human activity in the home? I deal with the top ones to some degree a little later in here. The unanswered questions are: could you use it to get into the SCADA system, the control system that runs the plant? That's a very interesting question, since we know from talks at Black Hat and other talks here, and stuff in the news, and viruses like Stuxnet, that the control systems, and that's what that second picture is, that's a control system at my plant, which was running on an XP SP2 machine, I believe, unpatched, and that's usually what you find, because they think they're off the Internet, so they don't have to apply patches and virus protection and so on that would just get in the way. So it'd be interesting: the wireless water meter network only goes into the billing system, right? And the billing and office system is never connected to the SCADA system, right? Well, actually, about half of them are, in polling; it's been down the last couple of years or not. But I don't know the answer to the question; it's further research into whether that's a potential entry into that screen right there and changing the operation of the plant. Could you use it to get into other smart grid networks? There's a move to integrating water and gas smart grids into electric, and you could get a lot more bang for your buck if you're hacking into the water system if you could also hack into the electric or the gas and do something nefarious there. So again, that's another question that is further down the line. So what could the evil consumer do? Theft of services: so we all know about the illegal cable descramblers, which bypass the legal system that you're
supposed to pay for. Also there have been news reports that in China people are getting arrested for creating a device, and I can't get much information on this; if anybody knows how to get one I'd like to see one, but it's presumably a box of some sort that either goes on your electric meter, in China, or there's a man-in-the-middle, they're not describing it very much, and it lowers your electric rates. So could somebody attack the wireless water meter system, presumably with a box that someone like us would build, and lower their water rates, or change or give you control over everything that's being told to the water utility? So you could evade the water restrictions, or steal money from the water department and steal water; it's both. So the effect on the water utilities is bad, of course, especially if they don't notice it: that suddenly the revenues are going down, their master meter at the plant shows they're still sending out the same amount of water, more or less, but they're getting less revenue for the same amount of water going out. Gee, maybe there's a lot of leaks out there, maybe there's a lot of illegal connections. So it's a possibility. Of course it can be detected, because even the wireless water meters have a register, usually an LCD at this point for the more modern ones, where you can go down and actually physically read it, and on some of the models you can go to it and download directly from the meter what the readings were and get a better idea. So there's a way around it for the water utility, but if a lot of people are doing this it's hard to find out and control. Could it be used by terrorists or adversaries trying to do damage? So I'm just speculating here. Could it be used to collect information to help them build a hydraulic map of the water system? Because of my talk last
year and my white paper, the current state of analysis of potential physical security problems for water utilities is that the most vulnerable part of a water utility is the distribution system, where it's not monitored, really. You've got hundreds of miles of pipes, you've got hundreds if not thousands of fire hydrants in a big city, you've got hundreds of thousands of connections and valves and blow-off areas where someone can get into the system, and it's relatively easy, if you know the hydraulics of the system, so you know what's going to happen, that you can inject poison into the water system at sufficient pressure to overcome the pressure of the system and then spread poison throughout the city. So that's still a question; more information is always useful if you're going to do an attack, obviously, so that's just a question. Disruption is more likely. In a lot of places, like California, that are serious about water conservation, but also in other places that want an easy way to turn water on and off remotely, say in apartments where people come and go, or seasonal, somebody has a seasonal rental and you need to turn the water on when someone comes and turn it off when they leave, there's something called WaterCop, one brand name, that attaches near the meter, and it can remotely turn the water on and off. So that may or may not be on the backhaul, in the same signal as the water meter, but there you go, there's a whole other area of attack. So, for example, what if you could shut off the water? That's not poisoning the water, but it's definitely a serious disruption. Now the major threat, conceptually, that water utilities are facing from terrorists is poisoning the water supply. Al-Qaeda has threatened many times to do so; people question whether they have the capability to do that and whether it's high on their list, but it's definitely something they've threatened. Water meters don't really help them in
that regard, unless there's a recon component to it. But the smart grid for electricity is very wormable, as somebody said; I don't know if that's a word. Giannetsos gave a talk at Black Hat Spain last year where he developed a wireless sensor attack tool called senses, again for the electric grid primarily, for 2.5 gigahertz transmissions, a very sophisticated tool that he demonstrated to spread a worm through an electric grid. IOActive did something similar; they presented at Black Hat USA 2009, and this is a picture at the bottom from that. You can go to YouTube and see their demonstration: all the green dots or nodes are the unowned nodes on the electric grid and the red ones are the ones that are owned, and you can run the thing and it starts all green and then it turns all red. It was simulated; they didn't do it in a real environment, obviously. So no one's done that for the water grid yet, but it's a lot of the same off-the-shelf hardware and software, it's a lot of the same techniques, so it could be just as wormable. But the biggest concern that I've seen out there that we need to consider is Big Brother: the evil water utility. So even if there are no adverse third parties out there, no one's trying to poison the water or shut it off, some people are concerned that now the water department is going to know more about what you do. I know, as someone formerly running a water department, I don't really care what you do; I want to know how much water you're using so I can charge you the right amount. But these quotes are from the Cary, North Carolina Watchman, the newspaper that's online, and they're concerned that information about our private lives will be known to the water department staff: when you take a shower, when you water the plants, wash the dishes. Honestly, when I started this research I didn't think this was a big thing, but when you look into it there are a lot of people, perhaps legitimately,
concerned that private information is going to leak out now the water utilities going to know it obviously I don't know you know why they'd use it except the course to enforce conservation so if they see hey Joe you're you're flushing the toilet five six times a day I don't want to know why but you know can you cut that down maybe they do know why so so it's it's it's a concern that people have however legitimate it is but it may be legitimate so this chart is developed from a chart in a report on privacy with the electric smart grid so I just changed any any work anytime I said the word electric to water and again this is speculation I haven't looked into each of these things in detail but so what what is the water meter data used could it could it be used for so here's the hacker thought we know it's you know we know it's supposed before to you know the primary purpose is to determine the bill to raise revenue to be the cash register that's the first line here water conservation so what if a company that sells water conservation devices gets the data and they find out that this area the city just isn't doing it for water conservation whatever reason they're just using too much water the city is getting down on them they're finding them and the city just isn't doing it but they get the data and they get all the names and addresses of everyone who's violating the regulation it just isn't listening which is just using too much water so that's your marketing that's your mailing list or your email list you send it out and say hey I got this device that'll let you comply with the city's regulations insurance companies marketers I just mentioned law enforcers I was discussing with somebody black hat about you know could it be used for like a search warrant like if you're making meth in the house that uses a lot of electricity and water I can't find any examples that where that's been done but he said he heard about something in the Bay Area of San Francisco where that 
or California where that may have been used it did okay okay yeah so it's it's happened there's cases where electric use has been used by by enforcers and and also thermal imaging is a big case that's talked about a lot landlords private investigators so what if you're in a custody battle you've got your daughter you know you've kidnapped your daughter and you're I'm not condoning any of this you know you're you know you've got her in the house and you're telling everyone no she's not here and they look at the water use and they realize he's just too much water for one guy you know and they use that as evidence I'm just speculating here but the thing is that the wireless water meters are about 7% of the utilities of something California so a lot of this hasn't happened yet but in but it will especially if this information is created and is out there and is stealable like almost other like credit card information creditors criminals so again I think I think in most cases that the electricity information is much more useful but what if you don't have that but you got the water information so you look at so you're you're casing out this house this this rich house and you and all you can get is the water information you're stealing it off the wireless water meter and you see okay shower you know you're seeing 100 gallons per person a day then it goes down to zero of course you there's other ways to find out if someone's not there but you never know for sure so if you see the water use go down to zero or near zero then you have a clue so I don't think we're being paranoid I mean a lot of us here are concerned about security and and and privacy and this is clearly a potential privacy issue where it's implemented but it gets better there's a device called HydroSense that researchers in Seattle area University of Washington have come up with which is a simple cheap low power device you just attach it not necessarily not on the water meter but on any pipe in the house and 
it's wireless so it could go over this back all over the same signal the water meter uses or not and it can detect it can find out after like a you know after sinking it and checking it over a couple days it can tell what fixture was turned on and on and on and off and how long fascinating there's a whole body of stuff out there I could give a whole talk next time about remote sensing of human activity in the home there's all these researchers who just dying to find out how can we find out what you're doing in your house without actually entering it and as far as I can tell they're being funded by the government it doesn't appear to be the CIA at the NSA but who knows so this so since these guys came up with hydro sense a few years ago other enterprising researchers have been improving it so there's one called water which is self-powered by the water going through the pipe I guess or the vibration of the pipe then there's one that I probably don't have in the slide that that actually attack that is you uses the water meter because the to plus I can't pronounce that that law the equation they use it parts you know it uses the amount of water being going through the system the flow to identify it can go either backwards or forwards with the flow to the pressure hammer to the change in pressure from turning something on or off so they take so that so this new generation of hydro sense takes information from the meter and a vibration sensor on the pipe nearby and then can do find out the same information so all these people worried about privacy from the water department just knowing how much water the whole house was using well guys they can find out what you're using and when and that could be potentially very interesting so there's a lot a lot of rich research in this area they're looking at it for gas which is obviously a more limited amount of appliances you know stove and you know water heater you know dryer perhaps other things but also electricity which you 
don't really need if you get the home area network because that's already doing all that but what if you don't have a home area network and there are things there are devices you can attach in Europe for your electric grid in the house they do something similar so it's just fascinating how much development there is and trying to find out what we're doing in our houses without us knowing it so that really blew my mind when I said oh well people are worried about privacy from just knowing how much water they use well now they should really be worried if these things are attached these things can be attached surreptitiously to I mean they're not they're not you can just if you get into the house you can attach this set it up power it on and it'll be working so in general though other vulnerabilities looking at wireless water meters in general one one vendor tells us what frequencies they transmit on and tells us that there's no frequency hopping sped spectrum which is their their usual method of encryption or security which breaks up the signal so it you know one one some packets will go on one for one frequency than another one and there are different spectrum schedules that they go out on that are pseudo random that only the the sender and the receiver are supposed to know badger gives out its default network username and password in its wireless key so I might go after them first transceivers can be purchased on eBay I've got five or six at home I'm working on so you can I'm trying to actually find the same one that I have at my house so I can take one apart and then you know apply the information to actually the sniffing but most of them don't have encryption so most of them don't have frequency hopping sped spectrum which I briefly described or DSSS which is a similar technique to obscure the message which again was both of these would develop in World War two as a encryption quote-unquote type method but the but the good news is well most of the manufacturers 
don't have encryption or good security there are now more and more that are coming out with it for example one manufacturer refers to this third generation and here's a diagram of them here where they don't need a battery they reduce the amount of electricity to the minimum to only when they not when they read the signal read the amount of water but when they transmit it to the register which then goes out over wireless and they get it from the AC current in the house and it's all built in it's all one unit a lot of water departments now are adding on the transceivers and it's always a trick you know what model you know getting the models to match up and so on and instead of having a new skating disc that mechanically you know goes around and around and then you know goes to the register they have a purely electronic system and there's at least one manufacturer I found that actually says they have AES 128 bit and 256 bit encryption that's not common at this point but it's we're seeing them now for like the first time there's still a lot of the out there to say frequency hopping spread spectrum is for security and I'll get to that in a minute most of them are 900 megahertz the 902 to 928 ISM scientific band which makes it hard I was hoping I'll get to this in the second to last slide to show to sniff a wireless water meter and I haven't been able to do it because it's kind of hard to find off the shelf or even things I can put together easily to sniff 900 megahertz mainly because that cell phones and I don't want to do you know wiretapping so I'm working on it but most use 900 megahertz and frequency hopping sped spectrum okay so there are two researchers who have done proof of concepts or better for sniffing frequency hopping sped spectrum transceivers alo was atlas cut away in queue I believe they're from in guardians at Schmuck on 2011 talked about this in great detail and showed how using a CC 1111 you know 900 megahertz model kit they were able to crack the 
frequency hopping sped spectrum and and read the signal and Rob Havalt who's speaking tomorrow morning I guess on spiders taking over the earth is what the title is black cat Europe cracked it as well using a universal usrp software radio peripheral use the peripheral to that he told me he said to the listen in all frequencies at the same time and because in this in the signals he was listening to they use the same management frames that you see in 80 to 11 he was able to wait to find the management frame that told him the schedule for the frequency hopping which is in the clear of course and then feed that back to some software he wrote to to intercept it so I haven't ponied up for a $1500 usrp v2 yet but when I do I'll talk to him and and replicate his method that's not the easiest way to do it I'm trying to go for the low-cost way and but it's least way to start to actually see what what's going on there and I I alluded a couple times I was hoping to come here and say here's how I sniffed my water meter but I couldn't do it I tried some what looked some ones that look easy first like the amtel rz600 which actually is advertised to listen in a number of frequencies and to have sniffer software for it and they don't so the next one is funcube dongle pro which which comes out of England and that's a software radio peripheral for like 64 to 1700 mega hertz but I got that like a week ago and I haven't tried to configure it yet so I'm looking at a number of other things as well and and hopefully that'll be that'll be my talk next year or smook on earlier in the year because it's it's possible to do this but because it's 900 megahertz it makes it they make it really hard but the point is it's not impossible people have tracked fhss before and of course there are there is hardware to read 900 megahertz so I'm going to be working on putting it together and show proof of concept hopefully for a man in the middle attack and wrapping up I got the the hook a few times water 
meters are integral part of the national drinking water infrastructure I won't read the rest of it but the bottom line for my research is the major concern is privacy and surveillance whether or not you have hydro sense if you have hydro sense that ups the ante quite a bit tampering with water meters is already something going on this gives the bad guys or the homeowners yet another way to do it and so again the purpose of this talk is to reveal what I know about vulnerability so hopefully the manufacturers and the industry can can use better practices and secure them so we won't have these vulnerabilities turn into real problems and and final this is a growth industry for water utilities as well as for hackers and evil doers and if anybody wants my white paper where I talk more about this up in depth email me at john mcnevic comcast dot yet dot net thank you