Monday, July 23, 2012

The security Silly Season is upon us

Lots of crazy security news, since the Black Hat security conference is this week.

Open Source "Smart" Power Meter hacking framework is released
Security outfit SecureState’s smart meter hacking framework, Termineter, has gone live over at Google Code.

The software is described as having a structure like Metasploit, with a similar interface and ability to be extended with external modules.

Termineter isn’t up to the full doomsday-scenario “remote attack” that troubles owners of critical infrastructure who stupidly opened up their control interfaces to the Internet (so as to save themselves the cost of private networks): it gathers smart meter data over the devices’ local serial optical interfaces.
"Extensible Framework" has been the security hotness for five or six years now.  I've been warning about these stupid "Smart" meters for basically as long as I've been blogging.  Companies rushed to get them deployed before the security framework was thought through.  Welcome to Hell, Department of Energy types!

For everyone else, I think that the first use for this will be to audit your power company.  This tool likely will let you get access to all sorts of meter data, so you'll be able to tell if the power company is trying to rip you off.  Or if someone has pwned the power company and is messing with you.

It's the End Of The World As We Know It

A couple of folks have emailed links to this (thanks), although the security community is pretty well going bonkers over it:

Looks harmless, right?  Of course it does - that's the point.  But inside this friendly looking power strip is a Linux computer loaded with H4X0r 'sploits, WiFi and enhanced Bluetooth radios, WiFi key cracking goodness, and a 3G cell phone for high speed pwnage even if there's no WiFi.  If the Bad Guy drops one of these in your office, he can get presto-changeo reverse SSH shell access through your firewall, tunneling back through an outbound https connection.

And oh yeah, the power outlets all work, so nobody's the wiser.

This 100 proof pure distilled evil is brought to you courtesy of the good folks at DARPA, which is very, very interesting indeed.  As ZDNet truthfully says, if you see one of these around the office, make sure it's supposed to be there.
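
Making sure a device is supposed to be there can be backed with network data. The following is an added example, not from the original post or from any vendor: it cross-checks DHCP leases against an asset inventory and flags long-lived outbound sessions on port 443, the shape a reverse shell tunneled over https would take on the wire. All MACs, addresses, records and the one-hour threshold are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    duration_s: int  # how long the session stayed open

# Constructed asset inventory: MAC addresses IT actually issued.
INVENTORY = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# Constructed DHCP leases (ip -> mac), as exported from a DHCP server.
LEASES = {
    "10.0.5.21": "00:11:22:33:44:01",
    "10.0.5.22": "00:11:22:33:44:02",
    "10.0.5.97": "02:aa:bb:cc:dd:ee",  # nobody issued this one
}

# Constructed flow records from an egress firewall.
FLOWS = [
    Flow("10.0.5.21", "203.0.113.10", 443, 42),
    Flow("10.0.5.22", "203.0.113.10", 443, 7200),   # known host, long session
    Flow("10.0.5.97", "198.51.100.7", 443, 86000),  # unknown host, ~24 h session
    Flow("10.0.5.97", "198.51.100.7", 443, 30),
]

def normalize_mac(mac):
    return mac.strip().lower().replace("-", ":")

def unknown_devices(leases, inventory):
    """Return {ip: mac} for every lease whose MAC is not in the inventory."""
    known = {normalize_mac(m) for m in inventory}
    return {ip: normalize_mac(mac) for ip, mac in leases.items()
            if normalize_mac(mac) not in known}

def triage(leases, inventory, flows, min_duration_s=3600):
    """Rank hosts for a walk-over: most reasons first, then longest session."""
    rogue = unknown_devices(leases, inventory)
    findings = []
    for ip in sorted({f.src_ip for f in flows} | set(rogue)):
        longest = max((f.duration_s for f in flows
                       if f.src_ip == ip and f.dst_port == 443), default=0)
        checks = (("mac-not-in-inventory", ip in rogue),
                  ("long-lived-443", longest >= min_duration_s))
        reasons = [name for name, hit in checks if hit]
        if reasons:
            findings.append((ip, reasons, longest))
    return sorted(findings, key=lambda f: (-len(f[1]), -f[2]))
```

A device that phones home over its own 3G link never crosses the egress firewall, and a cloned MAC defeats the inventory check, so this narrows down where to look without replacing the physical check.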

Ready, fire, aim, apologize
Organisers of the annual Black Hat conference have apologised after an estimated 7,500 conference delegates received a suspicious email yesterday resembling a phishing attack.

The dodgy email, informing entrants of a supposed password reset, was sent out after a volunteer with ITN International, the third-party firm handling on-site registrations for this week's Las Vegas conference, "pressed the wrong button" on a mail-out webform, the organisers explained.
Oops.  Remember, if I come across as paranoid, I was trained to be that way by the finest minds in the Free World.

More over the next few days.


Anonymous said...

The power strip is the size of a house brick; maybe that should clue people in. Probably has made in China.

Ruth said...

And yet I can't get through to people WHY I DON'T WANT A SMART METER. Dammit.

Dave H said...

If Termineter is a smart meter hacking tool then Hyperterminal can be used to hack the Pentagon. The protocols it uses (ANSI C12.18 and .19, also called ANSI Tables) aren't used by anybody as far as I can tell, and I work in the industry.

My meters have minimal support for ANSI Tables because utilities like to see it on the brochure. But every time someone asks for it we ask them, "What are you going to read it with?" They never have an answer. There are software products that know a number of manufacturers' proprietary protocols, including our own, but they don't do ANSI Tables.

Besides, that serial optical port they're talking about isn't even wireless. It's just a 9600 bps serial port that uses infrared LEDs instead of RS-232. You'd need the special connector to attach to it, or cobble together something with perfboard and LEDs from Radio Shack. Either way you'll need physical access to the meter to interrogate it.

Anonymous said...

The Power Pwn! Nifty little device, I just can't believe some .mil agency would bankroll such a thing. /sarc

If it ain't APC it ain't for me. O' course, if APC ever gets any DARPA subcontracts it might not be for me anymore (they don't do they?!?).

Old NFO said...

Good 'report' and we all know this is just the TIP of the iceberg...

Ruth said...

Dave: dress up in a uniform, and wander the neighborhood early/mid afternoon. Access to outdoor meters no problem.

DaddyBear said...

Mitnick demonstrated something like that last year. His was some kind of wall wart that had some official looking badge on it, so he could plug it in and no-one would mess with it. He used it during a pentest at some government facility or another by plugging it into an external power outlet after talking his way through the front gate and being invited on a facility tour.

Dave H said...

Ruth: Agreed, for residential and commercial meters. But the big iron used to control the grid and power plants is locked up in substations. Usually.

Borepatch said...

Interesting that I've already gotten comment spam flogging security devices. Let's keep safe out there.

Anonymous said...

Ruth, I tried that but got arrested; apparently they didn't like the maid's uniform.

wolfwalker said...

That 'power-pwn' thing ... I'm not sure how successful it would be. Or rather, how long it would last.

Now I'll admit I'm a compulsive noticer-of-things. Maybe nobody else would see it. But to me, that doesn't look like a modern power strip. First, I've never seen a power strip in which every outlet has room for a wall wart without interfering with the outlet next to it. Second, this is a large dual-row unit, the kind you'd use in an office or an entertainment center, but it has no color coding, no display window, no indicator lights, no warning stickers, and no extra ports for giving protection to cable TV, phone, and who knows what else.

Any modern IT/network guy who saw that lurking under a desk and didn't have at least a tiny trace of curiosity cross the back of his mind...

agirlandhergun said...

I am so glad I know you people cuz I am clueless on so many of these things.

Anonymous said...

Well, keep in mind that the externals of the thing can be tweaked within certain limits. And made to resemble a product from a locally abundant manufacturer — "local" in the sense of being commonly found (hence appearing normal and ordinary) in Chinese or Pakistani internet cafes...

Seriously, this kind of black manufactured item can be used for both good (us against them) as well as bad (them against us).

I'm sure we've got ample enough craftiness to make these things ourselves (and deploy where useful for us). My worry is more the mindset that we're just so damn smart no one could pull something similar on us.

That's the kind of complacency that really hurts us.