Tagged: smart meter

Video showing Flipper Zero Smoking a Smart Meter may be Fake

A few days ago we posted a YouTube video by Peter Fairlie which shows him using a Flipper Zero to turn a smart meter on and off, eventually causing the smart meter to destroy itself by releasing the magic smoke.

The video has rightly gone viral as this could have serious implications for the security of the residential electricity infrastructure in America. However there has however been some skepticism from smart meter hacking expert "Hash", and over on his YouTube channel RECESSIM he has talked about his suspicions in his latest Reverse Engineering News episode.

In Peters video the description reads "Flipper Zero's attack on a new meter location results in the sudden destruction of the Smart Meter. Something clearly overloaded and caused the meter to self destruct. This might have been caused by switching the meter off and on under a heavy load.", and so it appears he is talking about Flipper Zero directly controlling a smart meter service disconnect feature wirelessly via some sort of RF interface.

However, Hash is an expert in hacking smart meters having done many experiments and videos on his channel about the topic. He raises suspicion on this video with the biggest point being that the Ameren meter brand and model number featured in the video actually does not have any ability to be switched on and off wirelessly. Hash instead believes that the smart meter may instead be connected to a custom wireless relay system created by Peter which is not shown in the video.

Secondly, Hash was able to track down Peters address via GPS coordinates Peter accidentally released in another video. This shows him in Ontario, Canada, outside of the Ameren meter service area, which is for Illinois and Missouri only. Hash speculates that the Ameren meter was purchased on eBay for his experiments.

So while the meter breaking and smoking may be real, other Ameren meters should be safe as the only reason it was able to be controlled wirelessly and insecurely was due to it being connected to a custom wireless relay system. 

It's not clear if Peter set out to purposely mislead to gain notoriety, or if its simply an experiment that he did not explain very well. Peters YouTube channel is full of other legitimate looking Flipper Zero and RF hacking videos so it's possible that it's just a case of Peter not explaining the full experiment that he was doing correctly.

(In the video below Hash talks about the Flipper Zero Meter story at timestamp 4:31)

Flipper Zero Kills Smart Meter?? - Reverse Engineering News - June 13th 2023

Flipper Zero Self Destructs an Electricity Smart Meter

Flipper Zero is an affordable handheld RF device for pentesters and hackers. It is not based on SDR technology, however it uses a CC1101 chip, a digitally controlled RX/TX radio that is capable of demodulating and modulating many common digital modulations such as OOK/ASK/FSK/GFSK/MSK at frequencies below 1 GHz. 

We've posted about the Flipper Zero a few times before on this blog, especially given that it is now a famously known device, having found popularity on TikTok and having been reviewed by famous Tech YouTubers like Linus Tech Tips

Recently a video on YouTube by Peter Fairlie has shown the destructive power of the Flipper Zero. In the video it appears that Peter was using the Flipper Zero to wirelessly turn the power meter on and off, which also controlled the power to a large AC unit. Eventually switching the meter on and off while under a heavy load resulted in the meter self destructing and releasing the magic smoke.

Remoticon 2021: Smart Meter Hacking Talk

Remoticon 2021 was an online conference held in November 2021 and videos of presentations have recently been uploaded to the Hackaday YouTube channel this month. One very interesting talk was the presentation by Hash Salehi (RECESSIM) on reverse engineering electricity smart meters that are used to remotely monitor and bill home electricity usage in some neighborhoods.

In the past we've posted about Hash (RECESSIM)'s series on smart meter hacking a few times before. In this latest talk Hash summarizes his smart meter hacking experience, talking about how he went from reverse engineering the firmware, to using an SDR to capture and decode information from all the smart meters in his neighborhood, and finally to determining how to actually transmit data to his own smart meter network.

Hackaday have also posted a full writeup on his talk. This is a very in depth reverse engineering project so it is a great talk to learn from.

Remoticon 2021 // Hash Salehi Outsmarts His Smart Meter

Decoding and Logging GPS Coordinates From Wireless Smart Meters

Back in April we posted about "Hash's" RECESSIM YouTube series on hacking electricity smart meters using a software defined radio. Recently his series continues with a video on decoding and logging the GPS coordinates sent by the smart meters used in his area. Using a car, SDR and laptop he was able to drive down the freeway collecting smart meter data as he travelled, decode the data, and plot it on a map. In his video Hash explains why there is GPS data in the signal, and how he was able to reverse engineer and determine the GPS data.

Smart Meter Hacking - Decoding GPS Coordinates

Reverse Engineering Wireless Mesh Smart Meters with Software Defined Radio

Over on YouTube channel RECESSIM has uploaded a three part series on reverse engineering smart utility meters. In many locations wireless mesh smart electricity meters are installed in houses allowing for completely wireless monitoring. These mesh network devices pass the wireless data from meter to meter until the data reaches a router that is typically placed on a neighborhood power pole.

In the first video Recessim explains how a smart meter mesh network works, and demonstrates signal reception in the 900 MHz band with a USRP B200 software defined radio.

In the second video he demonstrates how he can see meter ID and power outage information from Oncor meters, explains his GNU Radio flowgraph setup and goes on to explain how he reverse engineered the data packets.

Finally in the third video he performs a few teardowns of smart meters he found on eBay, and shows his reverse engineering setup with a faraday cage. More videos are likely to be on the way, so you might want to consider subscribing to his channel for updates. Recessim is also diligently recording all the information he's discovered about the meters on his Wiki.

Playlist: Smart Meter Hacking

RTLAMR: An RTL-SDR Receiver for 900MHz ISM Smart Meters

Smart meters are meters that monitor electricity usage and wirelessly transmit consumption data to the electricity company. They are a part of the “smart grid”, and allow for better electricity control and usage reporting.

Douglas recently wrote in to us to let us know about his work on RTLAMR, an RTL-SDR based Automatic Meter Reader (AMR) decoder. Currently Douglas has tested the decoder on his local Itron C1SR smart meters, but notes that it should work on any meter using the common AMR protocol known as Electronic Receiver Transmitter (ERT).

Over on his website Douglas has also done a neat writeup discussing the ERT protocol and showing how he decoded it, including the steps of preamble detection, matched filtering, bit slicing and error correction.

We would like to note that we also recently posted about a similar project about decoding Elster R2S smart meters.

RTLAMR Smart Meter Decoder Flow Diagram
RTLAMR Smart Meter Decoder Flow Diagram