Important!
If you do this yourself and do anything malicious with it, there may be legal risks involved. I only did this because I recently attended the Avans 1.1 Gastcollege Hacking session, not to do any harm.
Recently I started a school project about a Smart Meter. I created my own meter that would send its data to Avans, to be used in our code.
One of the steps to set up this Smart Meter involves connecting it to your wifi and saving a screenshot of your device ID. But when I looked at this screenshot a while later, I noticed something…
MQTT Settings…
Now, most people in the 1st year won't know what this is, but during my last internship I just so happened to work with MQTT, as seen here.
So this is where my plan started. I wanted to know a few things:
- How secure is my Smart Meter data?
- Can I spy on others (just to see if I can, not to actually use it)?
- Can I make a "Smart Meter" with JavaScript/Node code?
- Can I learn something from this?
So with this in mind I started the plan, and I had a few ways to try.
The “Attack”
It's not really an attack if you just look around without doing anything, is it? That's why I put it in air quotes.
Scripting
First I created a simple Node script to see whether I could intercept messages. I didn't know if it was plain MQTT or MQTT over WebSockets, so I tried both.
After a while I was able to connect, but I didn't see any radio chatter. And when I changed the password, I was not authorised. So I knew I was on the right track, but it also means it is a write-only login.
This is where plan 2 comes in.
Decoding the Meter
My next plan was to look into the website that flashes your Smart Meter, to see whether I could read it and find any clue.
So I went through the website to get the sm-esp8266.bin file that is uploaded to my Smart Meter. Then I wrote a Python script that dumps it to a .txt file and skips non-printable characters. Sadly, this gave me no insight at all.
So I had to go to plan 3.
Gaslighting my Smart Meter
This was the most complicated plan.
Plan Of Action
- Find a Docker container for an MQTT broker that I can run on my VPS.
- Make my script from step 1 able to use this broker.
- Connect my Smart Meter to my own broker.
Obviously I have done all of them, otherwise you wouldn't be reading this. And luckily my MQTT broker has logging built in, which made it really easy to copy and paste the data.
The only thing I had to do now was write a Node script that sends messages every 20 seconds for a non-existent PLC (I don't want to mess with anyone's data). And that's it.
So I wrote a Python file to export the MQTT JSON data to an actual JSON file, and then I made a Node app that sends the messages.
I created a custom code for my smart meter: 2005-POK-EMON-V00-AAAAAA-AAAAAA
As you can see, I succeeded:
This is quite powerful.
Conclusion
The system is not secure. The data we send may well be, but an intruder can simply set this up and spam trash data over the normal, good data, making the data useless.
I will switch off the fake Smart Meter myself at 16:00. And I will report this to the lecturers.
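What makes the trash-data spam possible is one shared, write-only login that every meter uses, so whoever reads it off a setup screenshot can publish for any PLC id. As an added example (not code from this post or from the Avans project), here is the broker-side check that closes that hole: per-device credentials, and a meter may only publish under its own device id. The topic layout `meters/<device-id>/...`, the roles, the registered id `meter-0001` and the secrets are all assumptions made for the example.

```javascript
// Added example, not the post's code. Constructed device registry: each meter
// gets its own secret (assumed), instead of one shared MQTT login.
const DEVICES = new Map([
  ["meter-0001", { secret: "constructed-secret-1", role: "meter" }],
  ["backend-ingest", { secret: "constructed-secret-2", role: "backend" }],
]);

// Split a topic into segments. Wildcards and empty segments are rejected:
// MQTT forbids '#' and '+' in published topics, and "meters//x" is not a device.
function topicSegments(topic) {
  if (typeof topic !== "string" || topic.length === 0) return null;
  const parts = topic.split("/");
  if (parts.some((p) => p === "" || p === "#" || p === "+")) return null;
  return parts;
}

// CONNECT: only registered devices with their own secret get in, so the fake
// id from the post (2005-POK-EMON-V00-AAAAAA-AAAAAA) is refused at the door.
function authenticate(username, password) {
  const dev = DEVICES.get(username);
  return Boolean(dev && dev.secret === password);
}

// PUBLISH: a meter may only write under meters/<its own id>/..., so a copied
// credential can at most spam that one meter's topic, never another PLC's.
function canPublish(username, topic) {
  const dev = DEVICES.get(username);
  const parts = topicSegments(topic);
  if (!dev || !parts || dev.role !== "meter") return false; // backend is read-only
  return parts.length >= 3 && parts[0] === "meters" && parts[1] === username;
}

// SUBSCRIBE: meters stay write-only (as the author observed); only the
// backend may read the meter topics.
function canSubscribe(username, filter) {
  const dev = DEVICES.get(username);
  if (!dev || dev.role !== "backend") return false;
  return typeof filter === "string" && filter.startsWith("meters/");
}
```

The same policy can be expressed in Mosquitto with a per-user password file and an ACL file containing `pattern write meters/%u/#` for the meters, with the `%u` placeholder standing for the connecting username.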