> In the video it appears that Peter was using the Flipper Zero to wirelessly turn the power meter on and off, which also controlled the power to a large AC unit. Eventually switching the meter on and off while under a heavy load resulted in the meter self-destructing and releasing the magic smoke.
Calling out Flipper Zero for someone (ab)using the meter's remote control features cuts me the wrong way: you could've done the same with any other SDR, not just the Flipper Zero.
It's not even a surprise this happened, the cut-off is not meant to be operated constantly to cut heavy loads. Similarly you should not use a breaker to turn off heavy (or any, for that matter) loads as you're needlessly wearing down the protective device, instead of a separate cut-off switch that's designed to be replaceable. Especially since it can be positioned downstream from the protective device.
It all boils down to which part of the circuit you can easily repair in case of a fault, in this case the meter is by far the least accessible.
Why would a power meter allow an unauthenticated client to turn the thing on and off wirelessly?!? Sure, if you flip a switch handling a large current often enough, something will break (and I am impressed it's not the AC in this case).
But why does the power meter accept commands from something 'outside', something untrusted?
I mean, why are power lines not locked up and buried underground in secured, locked steel cages?
Because some things work better with trust vs convoluted security.
I think this is something a lot of computer nerds don't get (myself included at one point). It's almost like if something can be accessed we are allowed to access it and it's the fault of the person securing it. But a lot of our society works on trust and I think we'd live in a much more difficult world if everything had to be secure enough to resist any attack.
If this thing was connected to the internet I get it, but you already need physical access to the meter, so why add another layer of security on top of that? If someone wants to mess up your power and they have physical access there's plenty of ways they can do it without wireless communication.
I would just add a simple layer of device-id based password generation function which is hard to reverse engineer. The devices used by authorized people would auto-generate it and will be transparent to them, yet it'll prevent many people from getting in. Add a rate-limiter on top of it, and it's impractical to brute force it.
If Philips can secure its Sonicare brush heads this way to prevent tampering and counterfeiting, a utility company or meter producer which enables a much more important infrastructure can be a little more mindful about what they are doing.
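As an added illustration of the scheme proposed in the comment above (per-device credentials derived from a device ID, plus a rate limiter), here is a small, self-contained Python model. It is not code from the thread or from any meter vendor; the master secret, device ID, wire format and lockout numbers are all constructed for the example. The meter holds only its own derived key, every command carries a monotonically increasing counter and an HMAC tag, and repeated verification failures lock the radio interface for a while.

```python
import hashlib
import hmac

# Constructed secret held by the utility's head-end (illustration only).
# Per-device keys are derived from it once, at provisioning time.
MASTER_SECRET = b"constructed-master-secret-for-illustration"


def derive_device_key(master_secret, device_id):
    """Per-device key = HMAC-SHA256(master_secret, device_id).
    A meter stores only its own key, so extracting one meter's key
    says nothing about the keys of its neighbours."""
    return hmac.new(master_secret, device_id.encode(), hashlib.sha256).digest()


def build_command(device_key, device_id, counter, action):
    """Authorized sender side. Constructed wire format:
    device_id | counter | action | tag   (tag = truncated HMAC over the rest)."""
    body = f"{device_id}|{counter}|{action}".encode()
    tag = hmac.new(device_key, body, hashlib.sha256).hexdigest()[:32]
    return body + b"|" + tag.encode()


class MeterAuthenticator:
    """Meter side: checks the tag, rejects replayed counters and locks the
    radio interface after too many failures (the rate limiter)."""

    def __init__(self, device_id, device_key, max_failures=5, lockout_seconds=600):
        self.device_id = device_id
        self.device_key = device_key
        self.last_counter = 0        # highest counter accepted so far
        self.failures = 0
        self.locked_until = 0.0
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds

    def _fail(self, now, reason):
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0
        return (False, reason)

    def verify(self, frame, now):
        """Returns (accepted, action_or_reason). `now` is the meter's clock."""
        if now < self.locked_until:
            return (False, "locked out")
        parts = frame.split(b"|")
        if len(parts) != 4:
            return self._fail(now, "malformed")
        did, ctr, action, tag = parts
        expected = hmac.new(self.device_key, b"|".join(parts[:3]),
                            hashlib.sha256).hexdigest()[:32].encode()
        # Constant-time comparison; a wrong key or any tampering ends here.
        if did != self.device_id.encode() or not hmac.compare_digest(tag, expected):
            return self._fail(now, "bad tag")
        try:
            counter = int(ctr)
        except ValueError:
            return self._fail(now, "malformed")
        if counter <= self.last_counter:
            return self._fail(now, "replay")   # recorded frame sent again
        self.last_counter = counter
        self.failures = 0
        return (True, action.decode())


if __name__ == "__main__":
    key = derive_device_key(MASTER_SECRET, "METER-0001")
    meter = MeterAuthenticator("METER-0001", key)
    frame = build_command(key, "METER-0001", 1, "disconnect")
    print(meter.verify(frame, 1000.0))   # accepted once
    print(meter.verify(frame, 1001.0))   # same frame again: replay
    print(meter.verify(build_command(b"guess", "METER-0001", 2, "reconnect"), 1002.0))
```

The point the thread makes survives the model: a radio that merely hears the frames gets nothing it can reuse, and an unauthenticated sender is bounded by the lockout rather than by how fast it can transmit.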
Definitely agree with you here. The parent has a very valid point about not always over-securing things that don't need to be secured, but physical line cutting and wireless shutoff are very different threats.
Someone walking around your neighborhood cutting every single electric line on the side of a house, risking electric shock and trespassing on your private land is much more likely to get caught than somebody rolling through your neighborhood with a flipper zero and a high power antenna turning off all of your meters.
If someone had a grudge against you, and they started to "release the magic smoke" from your meter once a week and the power company is upset with you and your HVAC system doesn't work anymore, in addition to the fact that the compressor in your AC is toast because of someone energizing and de-energizing the circuit so rapidly. Now you are out thousands of dollars and, on top of all that, no matter how many cameras you put up, you'll have a hard time figuring out who's doing it.
Which is exactly how you end up with more e-trash when a company goes out of business.
Also, you've just made replacement/repair/support far more complicated and dangerous for everyone than it needs to be. You must be 10% smarter than any piece of equipment you are operating to safely use it, and be "ahead of the machine".
I truly believe we have suffered greatly as a civilization for our willingness to lose sight of that, and to have allowed the siren call of "abstraction" to charm us into making things so absurdly complicated that short of neverending population growth to bring into existence more people to solve all the new problems people have created, one is hard pressed to even read everything necessary to understand why most things are the way they are.
When done with proper contracting and documentation, losing a company is not a problem, because either you put the spec and the algorithm on the table, and people implement it to get certified, or you get the technical docs to use when/if the company goes out of business.
Practically, it doesn’t do anything more complicated. Device provides you an ID without a password, but accepts everything else with a password. In many countries, if not all, infrastructure equipment is already protected property. Nobody except the utility company touch, repair, reconfigure that meter, anyway.
Overcomplicating stuff is indeed a problem, and it’s a combination of poor engineering plus monetary greed in most cases. Also it’s a side effect of evolution of technology. I would love to discuss it to death, but this is not the place and I don’t have much time for it either.
Yeah, a lot of this infrastructure was built on a trust-based society so we're having to slowly learn that isn't possible in our current culture and population size. It's sad.
Because security is not a priority for the industry. Most have no security, default authentication in the rare case that they have it, and they use protocols with no support for it. The field is decades behind in security practices (it's pretty much IoT) and won't improve unless forced to.
It's also difficult to update such devices in the field, so even if they do fix such issues it's only for new units or a new product line, which most customers won't bother with until forced to by regulations / incidents, as it's expensive to replace them (you have to send someone out in the field as there are pretty much no OTA updates).
The field is decades behind best practice because these systems have multi-decade operational lives.
There's an absolute chasm between implementation intervals that can be achieved through pure software systems and those with distributed hardware components. Throw in a few layers of abstraction where those designing, purchasing, installing, operating, and maintaining those components are all unrelated parties with different (and potentially conflicting) motives and any sort of cohesive systems engineering is hard.
This doesn't excuse continued irresponsibilities in product security, because they absolutely exist, but "impressively fragile yet surprisingly functional" is a completely logical Nash equilibrium to settle on given the surrounding non-technical components.
> The field is decades behind best practice because these systems have multi-decade operational lives.
This would be more convincing if not for the fact that smart meters are IIoT. They're a new thing. IIoT is kind of an unholy breed between those hardcore industrial engineers you talk about, designing hardware with multi-decade operational lives, and the people implementing the IoT part using webdev practices, trying to put Docker containers full of NPM modules onto the industrial devices (and if they can't fit there, then plugging them immediately upstream).
Now that latter group is (mis)using bleeding edge tools to develop greenfield solutions - and thus should very much be able to keep up with basic security practices developed in the last 20 years.
But we are not talking about them using too-weak RSA keys from 2 decades ago, or even about transmitting passwords unencrypted, so anyone with the right radio could glean them.
We are talking about a complete lack of any access control. Like two wires instead of an ignition lock. An electric box with a mechanical meter and switches would at least have a padlock on it.
Neither is long-term functioning of the electric grid if you read the IEEE. Go read the IEEE journal where every few years someone writes an article warning that the electric grid will fail catastrophically when an 1859-level solar flare occurs, which we could prevent with a relatively straightforward fix.
Technical debt exists in disciplines other than software development.
> Why would a power meter allow an unauthenticated client to turn the thing on and off wireless?!? Sure, if you flip a switch handling a large current often enough, something will break (and I am impressed it's not the AC in this case).
I would guess until recently power meters just had no reason to be secured. We live in a multi unit building (I would guess around 120 of them). There is a shared key that goes to the central electricity room where the meters for all units are. I could turn off anyone's electricity by either unscrewing the main fuses there or by switching the breaker. People are a lot more trustworthy in practice than you would think.
Most people abstain from committing crime not because they will go to jail, but because pointlessly harming another human being is stupid, a waste of time and effort, pointless, and only makes the world worse.
The security of billions and billions of devices (e.g. industrial control systems, PLCs,[0] SCADA,[1] ERTs,[2] etc.) that are responsible for controlling and monitoring virtually every aspect of modern life (e.g. power grid, water purification, natural gas transmission, oil and gas extraction, vehicle traffic control, rail signalling, pharmaceutical manufacturing, etc.) is appalling.
The manufacturers and integrators of these devices are just now beginning to realize that the internet exists and that their devices aren't always connected to perfectly isolated RS-485[2] networks or connected to a network at all. They commonly contain hard-coded passwords, passwords with staggeringly limited length and complexity, plain text authentication, default passwords, and other backdoors. Working with such devices is like taking a DeLorean back to the early 90s, the eighties, or even earlier... it's the wild west.
It pleases me beyond words that hacking contests like Pwn2Own[4] have begun to include these systems in their competitions. This is a massively important area of security research that has historically been ignored.
The security of these systems is indeed terrible. From my experience, operators often justify it by saying that they are not connected to the internet, while at the same time assuring you that they can easily handle emergencies through remote access from their personal laptop :/
However, what scares me when looking at open vulnerability research taking off in this space, is that these components have a much longer lifetime than regular IT, and are harder to update, not to mention that outages due to bad updates will almost always directly impact production. So it does seem to me that while an increase in awareness is a good thing, the vulnerabilities found in Pwn2Own and similar might be used more easily by attackers than defenders.
That said, I don't have a better solution either.
We don't know whether the meter accepts every command, or the device has a fixed security protocol reverse engineered and known by researchers.
These protocols exist to get current readings from meters for data retrieval ease, and generally have a combination of security through obscurity and simple authentication to enable mass readings (by authorized people) easier. IIRC, these things can talk P2P in densely populated areas, and you can get all meters' readings in mere minutes, tops.
In any case, after an initial PoC, the rest of the video gets into the territory of equipment abuse, and I got angry and sad while watching it. You can do it, OK, then why damage things which are not yours? Document your findings and leave.
That also made me angry to watch. He knew what he was doing and got the result he was hoping for. I hope his electric company is aware of what happened. The serial number and electric company name are both clearly visible in the video.
In my area of jurisdiction certain public places like bars and restaurants are required to have an externally accessible way for fire teams to cut power in the event of e.g. a flood or a fire that would require soaking the place.
These are usually placed above the main door, and are made of a lever ending in a loop in which you hook a spear and pull down.
Neighbours unhappy with such places making noise would regularly pull them, cutting power, destroying wares that are in fridges, and whatnot.
The typical (and only, really) defense is to make the lever inoperable so you can frequently see them destroyed.
Having open remote RF access in these cases would be a disaster (until tinfoil is used as a defense)
> Because you're a terrorist or an AI looking to destroy mankind?
I didn't know we reached Ghost in the Shell level cybernetics, sorry. TIL.
> You're drifting off into is/ought territory in why people do things and that is something that is very difficult to predict and control.
No, I'm just asking a question. What he has done has no place in my ethics and morals. I don't tell anyone what to do, either. It's his life, he should deal with the consequences.
I don't disagree, this is why we typically have laws against destruction of property.
Conversely we have an increasingly globally connected world that is wholly dependent on software to keep functioning day to day. If someone figures out how to modulate your wireless router (I mean, long shot, yea) to smoke your neighbors' power connection the 'ethics and morals' of said remote attackers is nearly meaningless. Especially in the case they live in a foreign country. Said attackers will be able to harass you with impunity while your power company is walking around with its thumb in its ass trying to figure out what's going wrong.
An untrusted finger can just switch the main breaker or an untrusted hammer can just smash the meter. There’s far easier ways to be destructive if you have physical access to the meter, which by default everyone is going to have because meters are required to be accessible by the public per electrical/fire/building codes.
A camera can easily catch someone with a hammer, it's also much harder to go one by one to destroy them that way and it's also probably much more dangerous to try to break something connected to the power lines like that.
This on the other hand is quick, can be done away from the meter, away from cameras, and can reach many meters at the same time. Considering the few terrorist acts that have been done to electricity distribution points, it does seem like a good way for them to make a big impact easily; with the right antenna and amplifier... you could do quite a bit of damage.
> you could've done the same with any other SDR, not just the Flipper Zero.
The specialness of the flipper zero is not that it can do more than any other SDR. The specialness is how easy it is to use. The question is what you can do in that 'easy mode'.
That, in the easy mode, you can do this kind of realistic and meaningful damage is noteworthy. Because this potential is brought to the masses. It probably won't be the start of widespread SDR-based cyber-crime, but that brings it one step closer. That is why I consider this noteworthy news about the flipper zero specifically.
Since the advent of cheap SDRs and TI CC1100 devkits it's been a case of "grab code off Github and go do shenanigans". The only specialness here is that it's battery powered, but even previously you could have been running a laptop and HackRF in your backpack.
For a Linux user, you can already build such a system yourself quite trivially by getting an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem. From Windows or Mac, this FTP account could be accessed through built-in software.
It's the top comment from Dropbox's announcement thread on HN, 15 or so years ago. It has become meta-commentary both about HN's cynicism, and that you don't need to do something novel to create a new product category, it's enough if you just make it a lot more convenient than anything before.
The flipper zero doesn't require anything near as scary to a layman as downloading code off GitHub, and then trying to run it based off a readme.md that was poorly written and aimed at people who know how to code. People who don't realize that a # instead of a $ in the prompt means you need root, who have no idea what a shebang on a script is, etc. For them 'just run some code off GitHub' will be a hell of how does bash/sudo/apt/pip/make/chmod work?
The flipper zero has a screen and buttons, and a defined way to upload new 'attacks' on to it, as well as a simple way to run those. To normal people that lowers the barrier sooo much.
This reads like the infamous Dropbox comment, with the Flipper Zero you don't even need to grab code off GitHub, you just have to open a menu and press some buttons.
That said, it’s also important to demand device makers build better protections into their software (like rate limiting) in the same way they do for the hardware. Otherwise it leaves the door open for legislators trying to ban screwdrivers (tools).
I'm not arguing the flipper shouldn't exist. This kind of potential ruin will be required to get manufacturers to wake up to the risk of bad radio security.
I was arguing that this real-life example of impact is actually important for showing the impact of bad radio security, by putting dangerous tools in the hands of the masses.
For any remotely-controllable power meter, its contactor switch should have been designed to sync with the zero crossings of the AC waveform. That would have completely prevented this damage.
I know it would have made the meter more expensive, but it was absolutely foreseeable that a wild RF signal could have induced repeated contactor reclosings. They should have built it properly.
I got the vibe they were treating it as a cool hacker tool not calling out the Flipper Zero. But I don't know what any of this is really. I'm just some guy!
At the same time, I'm in awe and in horror of seeing those high current, high voltage disconnects being opened only to end up with a few-meter-high arc of current jumping through the air between contacts.
I was taught the procedure of disconnecting a 10/20kV disconnect for an on-site transformer (alas, only an old one that had been decommissioned) and that thing scared the crap out of me when I first heard the spring loaded high voltage disconnect actuate.
Having a 3 meter fibreglass pole to actuate the thing, just in case, tells you there is a real risk of the thing blowing up in your face, on a good day.
This has nothing to do with the flipper zero or any other device using the CC1101 chip. It is the responsibility of the manufacturer of such smart meters to make them safe and if they are incapable of preventing a sub $10 chip found in thousands of devices from causing catastrophic failure then who is guaranteeing me that the meter is actually counting correctly!
This is a failure of regulators and manufacturers; the media will spin it and next thing you know flipper zeros will be banned and smart meters will be as shitty as this one.
Who is "you" in your post? Your first sentence makes it sound like you think the owner of the device is at fault, but the second sentence makes it sound like the maker of the device should be held responsible. Maybe unintentionally ambiguous?
Sorry for the ambiguity, you as in you, the designer/manufacturer of the product.
The owner has no way to know the thermal limits of some unknown internal switching component, and even if they have who says the radio signals are emitted by the owner?
How are you sure that it was the number of presses that caused it? It could have exploded on the first switching, because it's not designed to be switching off heavy loads.
Then you can sue the electrical engineer who placed that component into a destructive path. If you use a Lamborghini car instead of a Lamborghini tractor to plow your field don't be surprised if the car breaks.
But if you use a smart meter (which by definition is in the path of the load) to switch something on/off it should not break as long as the load is within the spec of the meter. If it is out of spec of the meter, see above.
On an electrical component level the switching element they are using is rated for a maximum temperature. If they continue switching when it is outside of that temperature, because they did not observe a cooldown phase or don't guard against overheating in any other way, it is totally on them. They are operating the switching element outside of its scope, and they should never do that, even if some input tells them to do so.
Because someone unauthorized used a device to force it to do that.
These devices are not built to be operated by the general public. Anyone who operates these devices knows to reduce the load first.
I don't see the sense in saying "these devices, built for a specific industry with specific, exacting specs, should instead have been built with different specs that were never meant to occur".
Everywhere in industry we train operators to know how to operate machinery that can be made to break itself, because it's cheaper to train the operator than to make the machine unable to break itself.
Yeah, but you know why load breakers are usually in electrical rooms with a lock on them? Because that is one of the mechanisms used to ensure only authorized personnel is doing the switching.
Guess where you don't have that? When you accept inputs via radio. The least you could do then is rate limit the input; better even would be authentication. This doesn't even have to be misuse. It could just be some wonky device sending the "wrong" sequence of zeros and ones on the right frequency and boom.
Guarding against this kind of interference is totally the task of the manufacturer. Designing the device in such a way that you cannot turn a load switch into a makeshift dimmer for a short moment as well.
>Because someone unauthorized used a device to force it to do that.
Seriously? The device has no authentication. By design, anyone within range is authorised.
And it wasn't "forced". There's no code execution here. It was sent commands, it accepted them.
And comparing it to industrial applications with trained workers is just absurd. This is not some hugely complicated industrial system. I really don't see how logic for designing heavy machinery for industrial applications can be uncritically applied to consumer devices. It's just a different space, with different requirements and it's much less complicated.
> Anyone who operates these devices knows to reduce the load first.
How? This is a system for remotely opening a circuit. The user can’t reduce the load first. At best they can (likely with too much latency to be at all reliable) wait for the meter to report a small load.
How does it enforce that? Is it just based on signal strength?
> The intended user can switch off or unplug the load in person then operate the meter.
This is just the wrong way to think about it. The "intended user" is all nice, but what can an attacker do? That is how these problems need to be analysed.
I regret to inform you that remote means from the office. These meters use a mesh network to report usage and receive instructions from the utility’s central systems.
If a technician were on site, they could physically remove the meter or open the main breaker.
The remote sends a signal to the chip in the device, and that chip decides what to do, often ignoring the signal if it's currently busy or otherwise doesn't want to.
There is no force here. Even if it wants to turn off on request in case of dangerous external circumstances, it doesn't need to turn back on so easily and rapidly.
I would probably expect collision avoidance in an ultra-modern farming tractor. Or at least for it to monitor what is in front and stop if a clearly unexpected object were in the path. They are nearly self-driving anyway. And critical failure is expensive in many ways.
Now, a smart meter being able to shut power off is somewhat expected. But I would also expect it to be a protected command.
It appears to have broken after only a small number of switch changes. My guess is the radio'd commands are an incorrect sequence which operates the meter in an incorrect sequence. E.g.
1. Disconnect circuit 1
2. Connect circuit 2
Bypass step 1 by only sending 2 and bad things happen.
> It's not necessarily the fault of the manufacturer if a device can be harmed by deliberate RF-based (mis)use.
I am not too familiar with the FCC as I am from Europe, but even the linear motor of a standing desk will rate limit the amount of movement you can make it do within a given time frame (those linear motors are not designed for permanent operation).
If your meter is rated to switch a certain current, that rating is made under the assumption of a certain ambient temperature and temperature of the switching element. Switching it heats it up, so there has to be a cooldown period if you plan to still operate it within spec. Operating components within spec is the task of the manufacturer, and checks to avoid going out of spec should be one of the first things to design into such a product to prevent house fires or malfunction.
Guard mechanisms like rate limiting are cool because they can protect you against liability if your programmer makes an error, but they become more important the more exposed the controls are. There is a reason why e.g. an RCD cannot be permanently fixed in the on-position (the switch is not tied to the lever internally): you want it to switch off even in the case of misuse in order to save lives. This is magnitudes more important if your controls are exposed to external inputs (e.g. via radio, or over the network/internet), as accidental or malicious misuse might be more prevalent there.
Note: I am not saying there is a strict legal requirement to do this, I say that this is what I expect from a modern design made by professional electrical engineers.
No device is built for abuse like this. You could flip a switch manually multiple times and cause failure.
Do you even know how much regulation exists behind meters and electrical equipment?
What's next, complaining that the meter can't handle a sledgehammer?
You call it weakness, I call it vandalism.
Same as the brats who go and do a "tiktok challenge" of robbing an easily accessible car, then finding out they're not immune to handcuffs and jail cells.
Edit: and while a self-protection/rate limiting would be good, this could as well as easily be turned into a denial-of-service attack by causing the switch to be off. Better than failure, sure, but still an issue.
The expense of your desk motor burning out has a cap though. The expense of a utility controlling device not shutting off after intentionally being stressed/hacked is potentially very high and may require human intervention to detect, maybe they decided it’s better if the device fails under this type of abuse which will bring humans into the loop to detect the problem.
Not turning off would be a bad protection, but it could also decide not to turn on. Something as simple as only allowing three remote turn-on commands every hour, anything beyond that requires a physical override.
The device not switching on when overheated could attract humans' attention, too, without the need to replace the device, which may be an involved process for high-power circuits.
Not the poster, but they are right. The linear motors in standing desks are not made for permanent use (they would heat up too much if used that long). In the datasheet they will typically put something like "can be used for maximum of x minutes within x+y minutes".
The desk controllers I have seen check for that limit (as one should).
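As an added example of the protections discussed in this sub-thread, not code from any meter or desk controller: the thermal cooldown argument (a switching element rated for a temperature, so switching under load must be budgeted and followed by cooling), the "three remote turn-on commands per hour, anything beyond that requires a physical override" proposal, and the "x minutes within x+y minutes" duty-cycle rule from the desk-motor datasheets all reduce to one guard in front of the contactor. The Python model below is constructed for illustration: the contactor rating, heat capacity, cooling rate and reconnect limit are assumed numbers, and the thermal model (each operation costs load/rating units of budget, recovered linearly over time) is a deliberate simplification.

```python
from collections import deque


class ContactorGuard:
    """Guard in front of a meter's load switch. Every request, remote or local,
    must fit in the thermal budget; remote reconnects are additionally rate
    limited and beyond the limit need a physical override."""

    RATED_AMPS = 100.0               # assumed switching rating of the contactor
    HEAT_CAPACITY = 3.0              # full-load operations it may absorb before cooling
    COOL_RATE = 1.0 / 600.0          # budget units recovered per second (one op per 10 min)
    REMOTE_RECONNECT_LIMIT = 3       # remote "close" commands allowed per window
    WINDOW_SECONDS = 3600.0

    def __init__(self):
        self.closed = True           # contactor closed = customer has power
        self.heat = 0.0              # accumulated thermal load, in full-load operations
        self.last_update = 0.0
        self.remote_reconnects = deque()   # timestamps of accepted remote closes

    def _cool(self, now):
        """Apply the passive cooling that happened since the last request."""
        elapsed = max(0.0, now - self.last_update)
        self.heat = max(0.0, self.heat - elapsed * self.COOL_RATE)
        self.last_update = now

    def request(self, action, now, load_amps, remote=True):
        """Returns (accepted, action_or_reason). `load_amps` is the current that
        will be interrupted (open) or picked up (close)."""
        self._cool(now)
        if action not in ("open", "close"):
            return (False, "unknown action")
        if (action == "close") == self.closed:
            return (False, "already in requested state")   # no-op, costs nothing
        if load_amps > self.RATED_AMPS:
            return (False, "load exceeds rating")
        cost = load_amps / self.RATED_AMPS
        # Thermal budget applies to everyone, override or not (L88's point:
        # never operate the element outside its spec because an input says so).
        if self.heat + cost > self.HEAT_CAPACITY:
            return (False, "cooldown required")
        if remote and action == "close":
            while (self.remote_reconnects
                   and now - self.remote_reconnects[0] >= self.WINDOW_SECONDS):
                self.remote_reconnects.popleft()
            if len(self.remote_reconnects) >= self.REMOTE_RECONNECT_LIMIT:
                return (False, "remote reconnect limit; physical override required")
            self.remote_reconnects.append(now)
        self.heat += cost
        self.closed = (action == "close")
        return (True, action)


if __name__ == "__main__":
    guard = ContactorGuard()
    # Constructed scenario: rapid toggling at full load, one command per second.
    for t, action in enumerate(["open", "close", "open", "close", "open"]):
        print(t, action, guard.request(action, float(t), 100.0))
    print(603, "close", guard.request("close", 603.0, 100.0))   # after cooling
```

Refusing a command is itself a visible event: the remote "close" that is denied leaves the customer dark and gets a human involved, which is the outcome the comment about bringing humans into the loop wanted, without sacrificing the contactor.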
Every controller should reject input that leads to destruction, especially if the input is wireless or comes over network.
Plenty of devices have protective circuits. My cheap paper shredder is very aggressive about heat management - once it detects it's heating up too much, it'll shut itself off for ~30 minutes to cool down. That state somehow[0] persists even if you unplug it, so I had to learn to feed it paper at the right pace, lest I be taking half-hour breaks every 2-3 minutes of shredding.
--
[0] - The shredder is of the cheaper kind, and shows zero indication of any computer on board, so I'm assuming overheating shutoff is charging up some capacitor that's grounded via a high-resistance path and discharges at a known rate.
I have a shredder that cuts out when it overheats too. It's a PTC thermistor controlling a relay, the thermistor is glued to the motor housing and the relay coil contact is wired through it. When it heats up too much, the resistance increases to the point that the relay is no longer receiving enough current, and it de-energizes and opens its contacts, breaking the motor's power supply.
No, you got it right. It's a bi-metal in all electric motors that I'm aware of that have overheating protection.
I actually had a dangerous situation here once in a big compressor motor that had a faulty soft-start circuit, that caused the bi-metal contacts to fuse so the protection no longer worked. By the time I noticed the compressor motor was way too hot to touch.
Does a bimetallic strip have some kind of passive hysteresis? Because what I observed with my shredder is that, if the overheat protection kicks in, it won't turn on for the next 20-30 minutes. You can flip the switch, or even unplug it from mains, it doesn't make a difference - it won't turn on for almost half an hour.
Now, that could be explained by e.g. the engine itself having enough thermal capacity to keep the shutoff switch active for a while, except... if you are careful and do small pauses between shreddings, you can keep going indefinitely - and those pauses don't feel enough to let the engine cool if that was the only thing that mattered.
Like, you shred something for 3 minutes straight and get 30 minutes cutoff, vs. shredding something for 1 minute, then 30 seconds break, then 1 minute, then 30 seconds break, ... and you can keep going like that for hours.
I agree that for a single meter (which for some reason is bolted to the outside of the house), the risk of vandalism is the same, whether it is remote controlled or not. However, a vulnerable wireless (or even internet-connected) meter would allow massively scaling up the attack. Taking an entire city (or even country) off the grid by flipping all the breakers would cause some serious damage.
One could argue the ability to control power under load is a safety feature. What if they hardened the wireless attack surface and added a manual safety switch which could also be used to intentionally break the device, would that be better? I don’t think it would. I really don’t think the device needs to be stupid-proof at the expense of the ability to be directly controlled by not-stupid persons and above.
Oh no, it definitely can and should. There’s absolutely no excuse for not adding a sensor or even a dumb counter to implement a simple action limiter and constrain operation within a safe envelope. It’s basic engineering.
Even if the designers valued tamper-resistance and/or direct control of the device over broad durability and/or protection against intentional vandalism? It seems burning out after being switched on and off repeatedly under load may be an acceptable failure mode in this type of device.
Abuse or not the meter should certainly protect itself against something like you just described. Now a software fault can blow up all the customer's meters and you think that's fine and good?
“Abuse” implies intent. A bug occurring without said intent most certainly is not “abuse” in the common definition of that word.
And sure, they’ll have to fix it, but it’s still a glaring issue that should have never happened in the first place. A smart meter should very much be tolerant to this form of “abuse”.
As other commenters have said, controls for such a thing should most certainly have been put in place by the smart meter manufacturer. This isn’t something they couldn’t possibly protect against like your sledgehammer example. This is fully within their control, they just chose not to protect against it.
What if the electricity operator failed to control the frequency or voltage of their supply correctly and caused too much power to go to their customers? It seems reasonable for your electricity meter (which is usually supplied by your electricity supplier so their equipment not yours) to trust the electricity supplier in general. There are far worse things the supplier can do to the meter than send erroneous power cycle signals.
Your argument was ‘the meter should be designed to be robust to software error at the power company’
My argument is that ‘software error at the power company’ can easily cause catastrophic failures at the meter, which it stands no chance of being able to prevent. So why should it specifically be built to defend itself against the remote possibility that the master control program sends it too many on/off switch commands too quickly?
"robust" doesn't mean "immune to every possible variant". An inability to protect against the wrong voltage doesn't imply you shouldn't bother to protect it against wrong commands.
Why should it specifically be built that way? Because it's bad for devices to self-destruct with no attempt at mitigation whatsoever.
Actually, my argument was "the meter should be designed to be robust enough to prevent this particular issue".
As the other commenter stated, that does not in any way imply "robust against all possible issues coming upstream" and it would be ridiculous to expect that.
With physical hardware being operated outside its design limits, ‘robust’ can mean ‘has safety mechanisms to prevent it happening’, but it can also just mean ‘fails in a way that is serviceable without causing collateral damage’. Or ‘fails catastrophically but at least without causing loss of life’.
Which scenarios you engineer the system to tolerate with what level of survivability and serviceability is going to be a matter of engineering to budget, right?
Turning something, anything on and off a few times seems well within the design limit for such a device.
If a standing desk and shredder can handle that, then a smart meter should very much also be able to.
None of this was your original point, anyway. You instead chose to focus on a completely different and irrelevant failure case.
There is a world of difference between "voltage regulation issues might cause major problems" (your point) and "turning the thing on and off too quickly causes the whole thing to self-destruct" (the actual point).
I think the law is a good second line of defense. Humans are wired to think "if I gave into that Intrusive Thought, I would suffer consequences." So that mostly keeps us in line. But, a good password and some input validation also get you pretty far; nothing is better than a computer at telling you "No!" No judge, jury, or building with bars over the windows required. Just some text in your text editor, and then if someone wants to be evil, they can't be. Pretty good.
Indeed. I don't lock my doors because I think that is a serious deterrent to someone who truly wants to get in. I lock them, as they say, to keep the honest people honest.
The denial-of-service scenario does not render the issue moot; on the contrary, it is another example of what can go wrong when these devices are not secured properly.
In general you have a point, but making these devices accessible to remote tampering is an avoidable escalation of risk with no counterbalancing upside.
The more media attention and crappy unauthenticated infrastructure broken, the better.
Requiring proper security in public infra creates a market requirement for companies to release better, more secure products to the public infra market. Not just whatever open-radio-based MVP thing they can whip up.
And that creates jobs for not just EE engineers, but as security requirements increase then it creates jobs for SW engineers also (and if the existing players are too slow, opens the market for agile startups that can do it better).
What's more, it makes our infrastructure more resilient to random RF and electronic warfare.
My bet is that they are leading with the Flipper Zero for a reason.
This shit has been broken since the beginning and enacting laws to fix this shit will be slow and expensive and many companies will be lobbying against it. Much easier to outlaw the Flipper Zero - as if that was the problem.
Unfortunately even though the unprotected meter is at fault here, this is more likely to result in an SDR ban rather than getting all crappy meters fixed.
Interesting... I used to work on testing these old Elster meters. Looking at the style number of this meter, it doesn't look like it's equipped with a disconnect relay, so at least he's not messing with that (even if a meter was equipped with a disconnect relay, the meter display should still be on during a disconnect event). I suspect he's cutting power to something other than the meter itself.
I also see it's equipped with an EnergyAxis (Elster proprietary wireless network) so at the very least he'll be getting a fun visit from his power company wondering why he tripped various tamper detect flags in the meter (assuming his power company is actually Ameren, a utility company in Missouri and Illinois, and not in Canada like his yt profile says...). Since it also has that radio, I know it should also be encrypted. Unless that specific power company disabled LAN/WAN encryption... which we generally don't recommend, and Canadian power infrastructure is pretty strict anyway when it comes to meter security.
I'd be interested to see what exactly the flipper was communicating with (I'm sure my upper management would be even more interested as well).
edit: I also just noticed the meter is stuck in test mode and the backup battery is missing. You can actually buy these meters on ebay, which is what I'm suspecting this guy did.
The smart meter should have had better security. But the device isn't designed to switch heavy loads repeatedly, this is only meant to be used sporadically as an emergency cut-off (for instance, in case of a fire or if the customer is permanently disconnected for some reason). In case of a fire nobody cares about whether or not the smart meter survives. In case of a disconnect for administrative reasons the disconnect usually happens at night to minimize the risk of arcing.
Keep in mind that your typical electrical service is tens of kW and that switching that kind of power repeatedly under load requires a device that is essentially sacrificial in nature. Now let's see what they charge you for that meter replacement, it's not going to be cheap.
Note that the meter isn't yours to mess with, it is in your house and on your property but from an administrative perspective your stuff starts after the mains cutoff which is downstream from the smart meter. Anything before that including the mains cutoff is the property of whoever manages the local network, either a specialized grid operator or the utility company that sells you the power. You can see which way it works by looking at your electricity bill and by whether or not you call your utility when there is a problem with the local grid or the network operator. Where I live these are separate legal entities, but in some places it is just the one.
Finally: don't mess with the grid, it's a shared resource. It is trivial to cause damage by for instance injecting power at higher voltage levels than the appliances in the houses around you can deal with, blowing up a meter before your ability to cut off can have very unpredictable effects. In theory it is all safe and it should be able to withstand some abuse but in practice older networks still exist and not all of them are equally robust. So just don't.
Companies are remotely turning off meters for billing reasons when that isn't completely safe? They're just hoping and assuming if they do it at night there won't be much load? That doesn't sound very reassuring.
It isn't. It just saves a trip to the premises and makes reconnecting a lot easier. There are still extra fuses upstream from that particular disconnect (on premises, typically in the box just below the meter). Nothing to worry about, even if it would short out completely.
The apartment buildings in my area all have wireless gas leak detectors, this video makes me want to take out my HackRF and start experimenting with mine.
Flipper Zero isn't what's causing this, the bad "smart" devices are, and the culprits themselves, of course. Just because you can hack a system, doesn't make it legal. Know your local laws. Mine says "accessing any IT system without authorisation is punishable with imprisonment from 3m to 3y; accessing the aforementioned system with the purpose of obtaining data is punishable with imprisonment from 6m to 5y.", vague enough for all of these things.
And reporting to the vendor is suicidal. At least assuming the stories I hear about vulnerability disclosures are representative, which I think they are.
In their place, if I were to inform the company, I'd do it anonymously. If it was an actually important issue - as this very much looks like - I'd consider informing the building manager, HOA, the gas installation company they use, and every local journalist, all together so they know about each other - and then CC that to the vendor.
Another option can be your country's CERT. In reasonably developed countries they generally have competent enough people to understand the concept of responsible disclosure (i.e. won't try to harass you for doing a good thing), and if they realize "oh shit, this is a critical infrastructure risk" they're probably in the best position to address not just the specific case, but also drive improvements (including via regulation) across vendors.
If you order a robot off a cliff, the proximate cause of the damage is the cliff.
If you order a robot to turn on and off too fast, the proximate cause of the damage is the internal power circuitry. Which makes "self-destruct" pretty appropriate language.
I thought the same. I think they probably meant "causes meter to self-destruct". Whether that's true or not depends on whether the functionality was used correctly. It's definitely possible to destroy a device by abusing "permitted" inputs. For example, revving a cold petrol engine will eventually ruin it. In that case the title should really be "guy destroys meter (using a Flipper Zero)".
In The Netherlands, functionality to remotely disable smart meters is forbidden by law to protect from (large scale) cyber attacks. Seeing how poor the security on this specific meter is, it only confirms that this was a great decision.
Yeah it's pretty weird. With the word "suicide" it's sometimes used in this way to mean that one is pushed to commit the act by someone else. (Maybe more so in other languages where the verb is to suicide oneself). So it could mean that one device tricked the other into running a self-destruct command. But in the OP one device is sending commands that directly result in the bricking.
I think they mean "destroys", but they don't want Flipper to look evil, they want the smart-meter to look fragile instead, so this unusual wording is used.
Everyone even marginally aware knows that modern society is held together by a thin layer of "security". The Flipper just makes what was available for a long time cheaper and more accessible.
Many many firmwares are absolute rubbish fed by solo or duo developer teams, writing crap C or worse C++ using a vendor hal, code gen tools, and a super loop.
Good luck picking it back up or having another embedded person sort out the random zip file of sources and built images that these sorts of things encompass. Using some god-awful half-baked custom IDE.
Not to read too much into a video like this, but their tone when they say "Flipper, what did you do...?" — and then a bunch *more* switching — is quite the study in humans and (ab)use/hacking of technology.
I came here to say exactly this … complete avoidance of responsibility on the author of the videos part.
“Flipper what did you do?”
Should have been
“What did I make flipper do?”
In addition the article's title “flipper causes meter to self destruct” should be titled “person using radio device to cause smart meter to rapidly turn on and off causes failure in meter components”.
I’d probably phrase it more like “Idiot with ‘hacking tool’ rapidly switches electricity meter without understanding current inrush and failure states of high voltage high current system, luckily escapes death by explosion or causing a fire”
I hope the Flipper Zero will be a wake up call to make things secure.
Otherwise, it could lead to tech not being trustworthy, or Flipper Zeros and anything like it getting banned.
It really seems like there are so many threats to technological society right now and not many people trying to defend it and make sure that in 50 years we still have access to the internet for most people and sensors monitoring our water supply.
Not having much in the way of specifics about how this wireless vulnerability was found and exploited, this is really scary. It's one thing using Flipper Zero to pop the charging port on Teslas [1], but this is just plain dangerous!
Yes, but unless you typically trespass on a neighboring property you won't get access to somebody's meter. With this you could potentially cause damage by standing outside the property line.
The radio isn't wired directly into the power supply. There's software in charge, and it would be bad for a software-controlled power button to do the same thing.
I thought most compressors were soft start - Most of the gear I’ve seen waits a random amount of time before spinning up for this exact reason (Power cuts and loads of fridges, ACs, ovens, whatever coming back on at once with a big ol’ inductive load)
Poor inrush current protection. That is a 100% meter/appliance fault, not the Flipper Zero, which just wirelessly operates a switch function that has been provided by the manufacturer from the beginning.
Interesting. I have heard about the Flipper Zero but I did not know which radio chip they were using before, the CC1101 [1]. I ran a failed startup and made a bunch of Arduino-based boards with TI CC1200 [2] chips. I failed spectacularly to deliver on my promises made during a frantic Kickstarter run, delivering about 50% of the hardware before caving to extreme burnout.
The issue is, I now have hundreds of boards with nice 64 MHz Cortex-M3 chips that run Arduino code, and an attached CC1200 radio chip. They are pretty cute boards. But people already paid for them and I failed to deliver those to them, so I can't in good conscience sell them. Instead I have many boxes of these boards filling up space under my raised bed.
I would love to donate them to some educational purpose, but I worry they are a bit of an odd board no one would have a big use for. I guess though if the flipper zero with a similar chip is useful, maybe these can be useful too. When they communicate over the normal protocol they can have up to 1km wireless range (high above ground, no obstructions).
I do go to a hackerspace every week so I will have to bring some by and see what people say. But if anyone here has specific suggestions for places to donate them where they will actually get used, please share!
You could try updating your backers and see if they will pay the postage for the devices they already paid for! Honestly, the mentality of some Kickstarter creators is beyond belief.
If you have the devices, that you acknowledge that people paid for, then at least attempt to provide your backers with something.
You didn't go into receivership as you still have the assets - at the moment you just sound like a fraudster.
I did attempt to give the backers something. For years I did the best that I could. I went into tens of thousands of dollars of personal debt just to be able to produce the boards, and then had to work a full-time job to pay off that debt. Working full time and paying off debt left very little time or money to pack the items and pay to ship them. After years of burnout I was spending all weekend packing and shipping items, and after doing that for months, and at some point after delivering about 1/2 the hardware, I just hit a wall. I was unable to continue. My mental health was horrible. It continues to be the worst period of my life, and I gave it everything I could for 5 years.
I very much gave what I could, but when you fuck up in business sometimes you just have to walk away. I really needed to for my own mental health. The product launched in 2013 and I walked away from it in 2018. It took me years to recover. To this day I can’t really even stand to mail simple packages. I’m not going back - that period of my life is over.
I just never figured out what the product was really good for, so I’ve been unsure who to donate the remaining stock to.
I did my best for 5 years, but I really fucked up the business by over promising (I was young, this was 10 years ago). I hit burnout a couple years in, and kept pushing. Then I had to take on debt to keep going, so I had to get a full time job to start paying off the debt. With a full time job and debt to pay I worked weekends for months to try to deliver, but after years of burnout and still so little progress I eventually had to give up.
I’m seeing a lot of comments about “you should do X” but I don’t think a lot of people understand what extreme burnout is like. My mental health was horrible after all of that, and at some point I literally couldn’t will myself to continue. After five years of work I announced the project was over in 2018. Some people understood and some people were upset. But I did everything I could for 5 years, and by that point there were a lot of better products on the market that people could actually buy, unlike mine. You give as much as you can but at some point you have to walk away.
Hackerspaces are probably your best bet. They might have the contacts. I would also specify that they would need to pick them up, or at the most just do one big delivery. Don't mail each one out to individuals. Ebay could work like that at a stretch, as I know some Hackerspaces are inundated with gear.
If that fails, just destroy them. Removing them from your life should be the priority; you are literally dreaming about them every night.
All good points, thanks. I had a horrible nightmare about being trapped last night after discussing all this right before bed! I’ll take a bag of em to my local hacker space and try to entice people to use them.
See my other replies above, but I had to take on debt to even get the hardware made, which then required me to get a full time job to pay off the debt. I tried to continue running the business on weekends but after years of burnout, working 7 days a week was killing me. I simply exceeded my capacity to continue operating the business, and so was unable to try selling the boards to refund people. I elaborate on this in the other replies but basically I had pushed through burnout for years on end by that point, and eventually you just hit a wall. You get to a point where there’s nothing you can do but walk away. That was 5 years in with no hope of success. I felt awful for letting all those people down, but I simply couldn’t continue to operate the business in any capacity, and no one wants to buy a failed business with loads of debt that has been eclipsed by venture funded startups shipping successful products.
Oh, I read your other posts about no longer being able to run the business; your statement about not being able to sell them in good conscience just implied to me that you would otherwise be able to sell them.