Hey, everybody. Welcome to DEF CON. All right, we've got LoRa Smart Water Meter Security Analysis. This is your presenter, Jimmy. Give him a warm welcome.

Thank you, everyone. First, I'd like to clarify that this work was not done only by myself; it was done by many of my team members. One of the members cannot be here because the US Consulate rejected his visa. Every year we get speakers rejected for their visas. I think this gentleman might be a big national security threat for the US Consulate. I'm going to record a short video for him, so he can feel what it's like to present in front of such a huge bunch of hackers. Sorry, sorry, sorry. Okay, let's start. His name is Yingtao. Okay, thank you. Yeah, every year many of my friends get rejected.

So, let me quickly introduce my company and our team. My team is called UnicornTeam. We do wireless security, hardware security, and so on. We are from the largest security company in China, 360 Security Technology. Today I'm going to present the process we took to analyze this so-called smart water meter.

This is how it looks in real life. On the left, you can see it looks just like a normal water meter, but there is a dial with a red circle. That is a magnet. When the water meter runs, the magnet rotates, and there is a magnetic sensor on the cover, which I will show on the next slide. On the right is a solar-panel-powered gateway, which relays the water meter data to the server via GPRS. But the communication between this water meter and the gateway uses LoRa, with a kind of proprietary protocol on top. This is the cover of the water meter. When you open it, there is a circuit board and an antenna. And this is the gateway, where you can see a GPRS module and a LoRa transmission module.
These are the parameters and the models of the chips. You can see there is an MCU, which is used to configure the LoRa chip every time it powers up. Later I will introduce how we can attack the communication between the MCU and the LoRa module. We also have the antenna parameters and the battery. Why are they using LoRa for communication? Because it is low power, so this little battery can power it for up to 10 years. And there is a Hall sensor to detect the rotation of the magnet, as I said. So, I don't know if you can... Point or something? No. There is a magnetic sensor called TMR3 of 1 that can detect when the water meter is running. And there is an MCU, which is here to configure the LoRa chip.

This is the gateway disassembly. There is a GPRS module here, the white rectangle, and there is a LoRa module. It's a very typical architecture for an IoT device. There is an EEPROM to store data, maybe to buffer the water meter data when the GPRS is down. Actually, a gateway would usually be implemented with a different chip, but they are using the same chip as the water meter, because this is cheaper than using another chip dedicated to the gateway.

Now, let's talk about how we can fake the water meter data. As we said, it is just detecting the rotation of the magnet, so we can put a strong magnet near the TMR sensor to interfere with the signal. You can see that when the magnet rotates, the voltage produced on the sensor changes. When the magnet is at this angle, there is 400 millivolts, and when the angle changes, the voltage changes accordingly.
That's how they detect when the water meter is running. So, we use a strong magnet to interfere with this magnetic field. Because the cover is plastic, this still works, so you can see that we are not using any water. But this can be caught if they come to your house and actually take a look at the water meter. That's one way to spoof the sensor data. Another way is to disassemble it and use a voltage regulator to spoof the sensor voltage. It has the same effect.

The LoRa frequency is different in each country. For example, in the US it's 915 MHz, and in other countries it's different. So, when you try to do research on this kind of LoRa-based device, you have to tune your SDR device to that frequency in order to catch the signal. This is the format of the packet. You have a preamble, which notifies the receiver that a packet is coming, and you have the up-chirps and down-chirps that encode the data. Actually, there is a pretty complex set of parameters that you need to configure. When we do wireless security research, we often use SDR, so we have to configure the parameters for the receiver or the decoder, and there are many sets of configurations. Researchers from the US company Bastille, who do wireless security research, wrote something to decode LoRa traffic. We tried their code, but it did not work, I guess because the parameter configuration is different. So, we had to write our own decoding code for this traffic. One of our team members wrote code to decode the traffic, and we uploaded this module to our GitHub. If you are interested in doing more research in the future, you can look at the code. But this is still not very easy to use, so we switched to another method.
As I said, the MCU configures the LoRa module every time it is powered on. It uses SPI serial communication to configure all the parameters of the LoRa module: which frequency, the different spreading factors, and so on. So, we used a logic analyzer to capture the traffic on the serial communication interface, and we can figure out how this LoRa transceiver is configured. Then we just went and bought another LoRa module and used the same configuration in order to receive and decode the traffic. It's a pretty smart trick.

Once you have all the traffic on the serial interface, you have to figure out what it means. We figured this out by looking at the documentation for what each instruction means. For example, when you see this traffic, it means it sets the frequency to 490.9225 MHz. That's the frequency we mentioned on the previous slides, where we said different countries have different frequencies; this is the Chinese frequency. Okay, now we have the configuration. So, we use another module, configure it the same way, and we can see the traffic.

Now that we have the traffic, we have to reverse engineer the communication protocol and see how they transmit the data. Surprisingly, we found it is not encrypted; it's just in plaintext. Perhaps they think that LoRa communication is by itself very hard to decode. They are using a kind of proprietary protocol. There is an ID for each water meter, and we can actually sniff the traffic here. They transmit the water usage data and also the temperature. So, let's look at the privacy risks. For example, because the water usage data is transmitted in plaintext, if I see that there is no water usage, we can save the data to tell whether somebody is at home using water.
So, we can actually profile the habits of this user: his working routine, when he comes home and when he leaves for work, and so on. We can also spoof the data to make it look like somebody used a lot of water and gets overcharged. And we can also spoof the gateway to issue instructions, for example. Because this is two-way communication, not only does the water meter upload water usage data, but the server might also issue commands to the water meter. And LoRa is not only used in water meters. It is also used to control gas valves and other things; you can think of it like GPRS or ZigBee. It can be used anywhere to build a connected device. So, if we can forge traffic or sniff the traffic, we can cause other chaotic consequences.

This is how the communication links work. The water meter sends the data to the gateway, and the LoRa gateway sends the data to the server using GPRS. Everybody knows that the GPRS communication link is not safe; anybody can sniff or spoof the traffic. So, we can use a fake base station to man-in-the-middle or spoof the gateway. This is my colleague trying to sniff the GPRS traffic. We set up a base station using OpenBTS and managed to get this gateway to communicate with our fake base station. This is a very common kind of attack, especially in China. People use GPRS to unlock shared bikes, so people try to spoof the unlock command to make the bike open itself. This is a very common technique. When we had the fake base station set up and the gateway connected to our fake base station, we could see what data is sent to the server, analyze it with Wireshark, and reverse engineer the protocol used between the gateway and the server.
This is how the traffic looks. You can see there is a gateway ID, a header, a counter, a check code, and also a payload, all kinds of information. Again, it's not encrypted, just using a CRC to check the integrity of the packet. So, as I said, we can spoof the gateway to transmit fake water usage data to the server.

Now let's take a look at the overall communication link: the water meter to the gateway, and the gateway to the server. We have reverse engineered the two communication links and all kinds of proprietary communication protocols. One is over the LoRa protocol, the other one is over GPRS. Next, let's see the whole test environment. We have this magnet to interfere with the magnetic sensor. We have this Arduino module used to configure the LoRa module that we use to sniff the traffic, because we have reverse engineered the configuration process from the MCU to the LoRa module, so we can use the Arduino to configure our module to sniff the traffic. And the next step is using OpenBTS to analyze the communication between the server and the gateway.

In conclusion, we can see that we can sniff your privacy to profile the user. We can forge the data at each stage: the LoRa stage, where the water meter communicates with the gateway, and the traffic between the gateway and the server. Every time we break something, we have to figure out a way to remediate it. This is using the LoRaWAN protocol. This protocol is brought up by the LoRa Alliance. For example, to prevent the data from being spoofed or forged, we can use message integrity, like maybe HMAC based on some kind of encryption key, to check the integrity of the packets. We can also use encryption. I think the reason they didn't use encryption in the first place is because this is quite a low-power application.
Encryption may consume a lot of power. So, that's why they didn't encrypt the water meter traffic in the first place. Or they just think obscurity is security, something like that. They think LoRa is hard to decode; it's not like GPRS, where you can easily sniff the traffic. But we have proved that this is not the case. We can still get the traffic. So, they have to improve the security by encrypting the traffic at each stage. This is the LoRa standard by the LoRa Alliance. Everybody can look at it. There are security measures, but it seems that they are not following them.

So, does anybody have any questions? These are the references. The past research did a great job by providing people with code to decode LoRa traffic, and we have all kinds of resources. Anybody have questions? Okay. Your question? Sure.

How can a company protect their infrastructure? If you have already deployed infrastructure, how can you protect it?

Yeah, I don't think they can actually do that, because usually when you use this kind of communication you don't implement some kind of over-the-air update mechanism. So, you have to replace the infrastructure. You have to think of security in the first place. Or, for example, for the magnet stuff, you can change the plastic cover to a metal cover. That will be a problem for somebody who uses a strong magnet to interfere with the magnetic sensor. If somebody doesn't want to pay for water, they just put this magnet on the water meter so it's not running. Anybody else have a question? Okay, thank you.
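The following is an editor-added example illustrating the step the talk describes for cloning the receiver: reading the MCU-to-LoRa-module SPI configuration off a logic analyzer and turning it into radio parameters (frequency, bandwidth, coding rate, spreading factor). It is not code from the speakers or from 360 UnicornTeam. The talk does not name the transceiver, so the register map assumed here is the Semtech SX127x family's (RegOpMode 0x01, RegFrf 0x06-0x08, RegModemConfig1/2 0x1D/0x1E); the captured transactions are constructed, not taken from the real meter.

```python
"""Decode SX127x-style SPI register writes captured on the MCU -> LoRa
module bus, recovering the radio parameters needed to clone the receiver.

Assumptions (not stated in the talk): the transceiver is a Semtech
SX127x-family chip, so the register map below is SX1276/SX1278's; the
sample transactions are constructed, not captured from the real meter.
"""

FXOSC_HZ = 32_000_000      # SX127x crystal; frequency step = FXOSC / 2**19
FRF_SHIFT = 19

REG_OP_MODE = 0x01
REG_FRF_MSB, REG_FRF_MID, REG_FRF_LSB = 0x06, 0x07, 0x08
REG_MODEM_CONFIG1 = 0x1D
REG_MODEM_CONFIG2 = 0x1E

# RegModemConfig1 bits 7..4 (LoRa mode) -> signal bandwidth in Hz
BANDWIDTH_HZ = [7_800, 10_400, 15_600, 20_800, 31_250,
                41_700, 62_500, 125_000, 250_000, 500_000]


def apply_transaction(regs, mosi):
    """One chip-select-framed SPI transaction. Byte 0 is the address with
    bit 7 = write flag; following bytes are data, and the address
    auto-increments (burst mode). Reads carry no configuration: skipped."""
    if not mosi or not (mosi[0] & 0x80):
        return
    addr = mosi[0] & 0x7F
    for value in mosi[1:]:
        regs[addr] = value
        addr += 1


def frf_bytes(freq_hz):
    """Inverse of the frequency decode: the 3 bytes to burst-write at
    RegFrfMsb to put a second SX127x on the same channel as the meter."""
    frf = round(freq_hz * (1 << FRF_SHIFT) / FXOSC_HZ)
    return bytes([(frf >> 16) & 0xFF, (frf >> 8) & 0xFF, frf & 0xFF])


def decode_config(transactions):
    """Replay the captured writes into a register image and interpret it."""
    regs = {}
    for t in transactions:
        apply_transaction(regs, t)
    frf = (regs[REG_FRF_MSB] << 16) | (regs[REG_FRF_MID] << 8) | regs[REG_FRF_LSB]
    mc1, mc2 = regs[REG_MODEM_CONFIG1], regs[REG_MODEM_CONFIG2]
    return {
        "lora_mode": bool(regs.get(REG_OP_MODE, 0) & 0x80),   # LongRangeMode bit
        "frequency_hz": frf * FXOSC_HZ / (1 << FRF_SHIFT),
        "bandwidth_hz": BANDWIDTH_HZ[mc1 >> 4],
        "coding_rate": f"4/{4 + ((mc1 >> 1) & 0x07)}",
        "implicit_header": bool(mc1 & 0x01),
        "spreading_factor": mc2 >> 4,
        "rx_crc_on": bool(mc2 & 0x04),
    }


# Constructed logic-analyzer export: MOSI bytes of each CS-framed transaction.
SAMPLE_CAPTURE = [
    bytes([0x81, 0x80]),                # RegOpMode: LoRa mode, sleep
    bytes([0x86, 0x7A, 0xBB, 0x0A]),    # RegFrf burst write (~490.92 MHz)
    bytes([0x9D, 0x72]),                # ModemConfig1: BW 125 kHz, CR 4/5
    bytes([0x9E, 0x74]),                # ModemConfig2: SF7, payload CRC on
    bytes([0x01, 0x00]),                # read-back of RegOpMode, ignored
]

if __name__ == "__main__":
    cfg = decode_config(SAMPLE_CAPTURE)
    for name, value in cfg.items():
        print(f"{name:>17}: {value}")
    print("RegFrf bytes to clone the channel:", frf_bytes(cfg["frequency_hz"]).hex())
```

The same register image also tells you whether the meter uses an implicit header and whether the payload CRC is enabled, both of which a second module must match before it will hand you frames at all; `frf_bytes` closes the loop by producing the write that puts the sniffer module on the recovered channel.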
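A second editor-added example, not from the speakers or 360 UnicornTeam, for the point made about the gateway-to-server packets and the proposed fix: a CRC only detects accidental corruption, so anyone who can rewrite a reading can also recompute the CRC, whereas a keyed MIC plus a monotonic counter rejects both the forgery and a replay. The field layout, the CRC variant (CRC-16/CCITT-FALSE) and the key are constructed for illustration; the MIC is HMAC-SHA256 truncated to 4 bytes, standing in for LoRaWAN's 4-byte AES-CMAC MIC.

```python
"""Why a CRC is not an integrity check: forging a gateway -> server packet
that is only CRC-protected, next to a keyed MIC that rejects the forgery.

Assumptions (not from the talk): the field layout, the CRC variant
(CRC-16/CCITT-FALSE) and the key are constructed for illustration. The MIC
uses HMAC-SHA256 truncated to 4 bytes; LoRaWAN's MIC is AES-CMAC, the same
idea with a different primitive.
"""
import hmac
import hashlib
import struct

BODY_FMT = ">4sBHIIh"    # gateway_id, msg_type, counter, meter_id, liters, temp (0.1 C)
BODY_LEN = struct.calcsize(BODY_FMT)   # 17 bytes, no padding with ">"
LITERS_OFFSET = 11                     # 4 + 1 + 2 + 4
MIC_LEN = 4


def crc16_ccitt(data, init=0xFFFF, poly=0x1021):
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def pack_body(gateway_id, msg_type, counter, meter_id, liters, temp_tenths):
    return struct.pack(BODY_FMT, gateway_id, msg_type, counter, meter_id, liters, temp_tenths)


def unpack_body(body):
    keys = ("gateway_id", "msg_type", "counter", "meter_id", "liters", "temp_tenths")
    return dict(zip(keys, struct.unpack(BODY_FMT, body)))


# --- the weak scheme: body || CRC16 ---------------------------------------
def build_crc_packet(**fields):
    body = pack_body(**fields)
    return body + struct.pack(">H", crc16_ccitt(body))


def verify_crc_packet(pkt):
    body, crc = pkt[:-2], struct.unpack(">H", pkt[-2:])[0]
    return crc16_ccitt(body) == crc


def forge_reading(pkt, new_liters):
    """Anyone on the path can rewrite the reading and fix up the CRC."""
    fields = unpack_body(pkt[:BODY_LEN])
    fields["liters"] = new_liters
    return build_crc_packet(**fields)


# --- the fix: body || MIC, plus a monotonic counter against replay --------
def build_mic_packet(key, **fields):
    body = pack_body(**fields)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:MIC_LEN]


def verify_mic_packet(pkt, key, last_counter):
    """Return the parsed fields if the MIC checks and the counter advanced,
    otherwise None. compare_digest avoids a timing side channel."""
    body, mic = pkt[:-MIC_LEN], pkt[-MIC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:MIC_LEN]
    if not hmac.compare_digest(mic, expected):
        return None
    fields = unpack_body(body)
    if fields["counter"] <= last_counter:
        return None                    # replayed or stale
    return fields


def tamper_liters(pkt, new_liters):
    """Rewrite the liters field without the key: all an attacker can do."""
    return pkt[:LITERS_OFFSET] + struct.pack(">I", new_liters) + pkt[LITERS_OFFSET + 4:]


# Constructed sample reading (not real meter data) and illustration key.
SAMPLE = dict(gateway_id=b"GW01", msg_type=0x10, counter=41,
              meter_id=0x00A1B2C3, liters=12_345, temp_tenths=215)
KEY = b"per-gateway-secret-shared-with-server"

if __name__ == "__main__":
    weak = build_crc_packet(**SAMPLE)
    forged = forge_reading(weak, 999_999)
    print("CRC accepts forged reading:", verify_crc_packet(forged),
          unpack_body(forged[:BODY_LEN])["liters"])
    strong = build_mic_packet(KEY, **SAMPLE)
    print("MIC accepts tampered reading:", verify_mic_packet(tamper_liters(strong, 999_999), KEY, 0) is not None)
    print("MIC accepts replay:", verify_mic_packet(strong, KEY, last_counter=41) is not None)
```

The MIC alone does not stop a replay of a genuine packet, which is why the verifier also tracks the last accepted counter per gateway; an encrypted payload would be the next step if the readings themselves are to stay private, but even without it the keyed MIC removes the forgery the talk demonstrates.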