Monday 26 May 2014

Scottish Power Unifi - Reverse Engineering

Executive summary


The Scottish Power Unifi (and likely other similar devices developed by Green Energy Options or intamac) appear to be inherently insecure:
  1. Your electricity usage data will be sent over the internet without any encryption
  2. Commands to remote control appliances are sent back from the server without any encryption
  3. Your usage data is not, as you might expect, held by Scottish Power, or even Green Energy Options whose name is on the device - your data is being held by Intamac, a company you've probably never heard of.
There are multiple ways an attacker could remotely monitor your usage, or control your appliances, without needing to determine your username/password. They could also easily cause incorrect usage data to be recorded (although this data is not used for billing purposes). This could perhaps be a breach (by Scottish Power) of item 11.2 of the Unifi system's terms & conditions.

The above does not appear to be a bug or accidental omission, it seems to be deliberate design.

I believe some of these same companies are involved in smartmeter development. This worries me.

Full Article

I recently spotted Scottish Power's Unifi device, which is an awfully neat-looking device:

The main components are:
  1. A battery-powered sender & clamp meter, to be placed in your meter cupboard.
  2. A display/control unit & PSU
  3. A "bridge" (network interface unit) & PSU, to be connected to your broadband router, to send the usage data to their servers for display on the website / iPhone app.
  4. A single socket; the socket is both used to measure the power usage of the connected appliance, and to switch it on & off via the control unit or the website/iPhone app. You can buy more of the sockets, up to 6 per system.
The big disadvantage to this unit is that the more interesting features (those that involve the website / iPhone app) are only available if you're on a specific Scottish Power Unifi Fixed Price Tariff. In fact it seems that you lose access to the iPhone app and the website when your fixed price tariff expires, and apparently if you renew they send you out another set of the hardware - no wonder they're cheap on ebay!

Curiously, despite this unit first appearing in May 2011, I've been unable to find any sign that anyone else has tried to reverse engineer the protocol!

Some digging revealed that the Unifi was developed by Green Energy Options Ltd and is also known as the GEO Ensemble. Further digging reveals they in turn sourced the devices from another UK company, Intamac Systems Ltd. Intamac seem to have some API information, but sadly this doesn't appear to cover the protocol the device uses to send data to the server.

It seems like they also produce similar devices for n-power (SmartPower), British Gas (EnergySmart) and EDF Energy in the UK as well as various foreign utilities and so on.

So, having drawn a blank on finding information anywhere else, it's time to break out my favourite set of tools for picking apart network traffic:
  1. tcpdump
  2. ngrep
  3. tcpflow
  4. wireshark
  5. a Linux server with two ethernet ports, bridged together
Off we go: hook the bridge up to the spare port on the Linux box and start tcpdump:

tcpdump -i eth1 -w unifi-initial.pcap

power the bridge up, and leave that gathering data for a few hours; then it's time to start analysing the data.

To start to get a feel for what the device does, we load the pcap file into wireshark, and see a lot of http traffic from the device - a great start, and I'm very happy to see that there doesn't seem to be any encrypted traffic involved. Or at least I'm happy from a reverse engineering point of view - but this may mean these devices are transmitting data in the clear that you might prefer was kept out of an attacker's hands.

We also quickly run nmap against the device (now we know its IP address); sadly it doesn't seem to have any open ports:

# nmap -p- 192.168.1.131

Starting Nmap 6.00 ( http://nmap.org ) at 2014-02-22 22:03 GMT
Nmap scan report for 192.168.1.131
Host is up (0.0016s latency).
All 65535 scanned ports on 192.168.1.131 are closed
MAC Address: 00:0B:3C:36:14:90 (Cygnal Integrated Products)

Nmap done: 1 IP address (1 host up) scanned in 338.74 seconds

tcpflow is a great way to split the captured TCP streams out:

tcpflow -a -r unifi-initial.pcap

This spits out a load of files into the CWD, e.g.:

192.168.001.131.50564-213.212.106.067.00080
213.212.106.067.00080-192.168.001.131.50096

There's a whole load of data from when the device was first powered up (the meaning of which I fear will be almost impossible to figure out); however, looking at the other files I do start to see some patterns. ngrep is useful for figuring out how often packets are sent, for example to see a timestamped list of all HTTP POST operations:

ngrep -t -I unifi-initial.pcap POST

The first interesting data is packets like this sent to the server every 10 seconds:

POST /service.asmx/Bridge HTTP/1.1
Host: env.intamac.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 031

DI=000B3C361490&DT=0001&DA=0000

with a response of:
HTTP/1.1 200 OK
Date: Sat, 22 Feb 2014 17:44:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 227

<?xml version="1.0" encoding="utf-8"?>
<GenericResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://tempuri.org/">
  <Result>SR</Result>
</GenericResponse>
Logically, it seems likely this is how the iPhone app & website would pass back a message to the device to tell it to switch one of the remote sockets on/off. (Sadly I don't have a suitable Scottish Power account so can't use the website or iPhone app.)

It seems logical to surmise that the response, telling the device to switch the sockets on/off, is also not encrypted, i.e. that anyone able to interfere with your internet connection or that of Intamac (or anywhere in between) is able to switch your appliances on or off.

The other interesting packet seems to be sent about every 15 minutes:

POST /service.asmx/Bridge HTTP/1.1
Host: env.intamac.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 119

DI=000B3C361490&DT=0001&DA=C0010029001C3213160E000000000000670036000000000000000000000000000200000000000000000000000001
with a response of:
HTTP/1.1 200 OK
Date: Sat, 22 Feb 2014 19:44:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 256

<?xml version="1.0" encoding="utf-8"?>
<GenericResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://tempuri.org/">
  <Result>ST</Result>
  <CMD>C00E001B221316</CMD>
</GenericResponse>
It seems likely this is how the actual electricity usage data is sent up to the server.

The DI=000B3C361490 part seems to be a unique identifier for my device; presumably this is how Scottish Power link it up to your account.

The DA=C001... part seems to be the part that varies, so presumably that's the usage data. Here are some more examples.

The 002900 seems to be constant so far.

Fields I've decoded are:

  1. Some kind of sequence number: generally in order, apart from when (for an unknown reason) the unit fails to send a 15 minute packet when due.
  2. Some kind of timestamp, in hex, roughly MMHH
  3. Day of the month, in hex
  4. Set to 1 if a packet is being sent late / out of order
  5. Seems to be related to electricity usage for this 15 minute period (it's low overnight, high during the evening)
  6. Could be internal temperature
  7. Possibly cumulated electricity usage for the day - always zero if the packet is delayed/out of order
  8. Repeats of the previous field for each of the 6 paired sockets (but in different units)
  9. Energy usage in this 15 minute period, measured in the same units/scale as the cumulated usage

It's worth noting that this data is completely unencrypted / in plain text: your usage data is exposed in the same way as the control backlink is.

0029002032141626000000000000660052000000000000000000000000000500000000000000000000000001
0029002102151634000000000000660058000000000000000000000000000700000000000000000000000001
002900221215161900000000000066005B000000000000000000000000000300000000000000000000000001
0029002432151616000000000000650061000000000000000000000000000300000000000000000000000001
0029002322151615000000000000650000000000000000000000000000000000000000000000000000000011
002900250216161A000000000000650064000000000000000000000000000300000000000000000000000001
002900261216161F000000000000650068000000000000000000000000000400000000000000000000000001
002900272216161700000000000065006C000000000000000000000000000300000000000000000000000001
002900283216161500000000000066006E000000000000000000000000000300000000000000000000000001
0029002902171618000000000000660071000000000000000000000000000300000000000000000000000001
0029002A12171618000000000000660074000000000000000000000000000300000000000000000000000001
0029002B22171616000000000000650077000000000000000000000000000300000000000000000000000001
0029002C3217160F000000000000660079000000000000000000000000000200000000000000000000000001
0029002D0218160D000000000000650000000000000000000000000000000200000000000000000000000001
0029002E1200170E000000000000650002000000000000000000000000000200000000000000000000000000
0029002F2200170C000000000000650003000000000000000000000000000200000000000000000000000000
002900310201170C000000000000640007000000000000000000000000000200000000000000000000000000
002900303200170D000000000000640000000000000000000000000000000000000000000000000000000011
002900321201170B000000000000640008000000000000000000000000000100000000000000000000000000
002900332201170D00000000000064000A000000000000000000000000000200000000000000000000000000
002900343201170C00000000000064000B000000000000000000000000000200000000000000000000000000
002900372202170C000000000000630010000000000000000000000000000200000000000000000000000000
002900383202170C000000000000630012000000000000000000000000000200000000000000000000000000
002900390203170C000000000000630013000000000000000000000000000200000000000000000000000000
0029003A1203170D000000000000630015000000000000000000000000000200000000000000000000000000
0029003C3203170B000000000000620018000000000000000000000000000100000000000000000000000000
0029003D0204170C00000000000062001A000000000000000000000000000200000000000000000000000000
0029003E1204170D00000000000062001B000000000000000000000000000200000000000000000000000000
0029003F2204170D00000000000062001D000000000000000000000000000200000000000000000000000000
002900403204170B00000000000062001F000000000000000000000000000100000000000000000000000000
002900421205170D000000000000620022000000000000000000000000000200000000000000000000000000
002900432205170C000000000000610023000000000000000000000000000200000000000000000000000000
002900450206170C000000000000610026000000000000000000000000000200000000000000000000000000
002900461206170D000000000000610028000000000000000000000000000200000000000000000000000000
002900472206170D00000000000061002A000000000000000000000000000200000000000000000000000000
002900490207170C00000000000061002D000000000000000000000000000200000000000000000000000000
0029004A1207171000000000000061002F000000000000000000000000000200000000000000000000000000
0029004B2207170F000000000000610031000000000000000000000000000200000000000000000000000000
0029004C3207170C000000000000620032000000000000000000000000000200000000000000000000000000
0029001502121614000000000000670000000000000000000000000000000000000000000000000000000011
002900350202170C000000000000630000000000000000000000000000000000000000000000000000000011
002900361202170D000000000000630000000000000000000000000000000000000000000000000000000011
002900483206170B000000000000610000000000000000000000000000000000000000000000000000000011
0029004E1208170E000000000000630036000000000000000000000000000200000000000000000000000000
002900510209170C00000000000064003B000000000000000000000000000200000000000000000000000000
002900521209170E00000000000064003C000000000000000000000000000200000000000000000000000000
002900532209171A000000000000650040000000000000000000000000000300000000000000000000000000
002900543209170F000000000000660042000000000000000000000000000200000000000000000000000000
00290055020A170F000000000000650044000000000000000000000000000200000000000000000000000000
00290056120A1711000000000000650046000000000000000000000000000200000000000000000000000000
00290057220A1710000000000000650048000000000000000000000000000200000000000000000000000000

0029005A120B171C00000000000064004F000000000000000000000000000400000000000000000000000000
0029005B220B1713000000000000640052000000000000000000000000000200000000000000000000000000
0029005C320B1713000000000000650054000000000000000000000000000200000000000000000000000000
0029005D020C1712000000000000650057000000000000000000000000000200000000000000000000000000
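To make the two exchanges above concrete, here is a small decoder I've added for this post (it is not Intamac's or GEO's code, and nothing about the format is documented). It splits the form-encoded POST body into DI/DT/DA, decodes the DA payload into the fields listed above, and pulls Result and CMD out of the GenericResponse XML that comes back. The byte offsets, the reading of the first timestamp byte's high nibble as a quarter-hour index, and the reading of the last byte's high nibble as the "delayed" flag are my own inferences from the sample records above, not facts from the post; the sample strings are copied from the captures shown here, and the DI value is the same as the bridge's MAC address in the nmap output.

```python
"""Decode the cleartext Unifi bridge traffic shown in this post.

Added example, not vendor code: the DA byte offsets and nibble
interpretations are inferred from the sample records, not documented.
"""
from urllib.parse import parse_qs
import xml.etree.ElementTree as ET

MSG_TYPE = bytes.fromhex("C001")    # leads every 15-minute usage packet
CONSTANT = bytes.fromhex("002900")  # constant in every sample so far
NS = "{http://tempuri.org/}"        # default namespace of GenericResponse

# Samples copied from the captures in the post.
SAMPLE_POST_BODY = (
    "DI=000B3C361490&DT=0001&DA="
    "C0010029001C3213160E000000000000670036"
    "000000000000000000000000000200000000000000000000000001"
)
SAMPLE_USAGE_RESPONSE = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<GenericResponse xmlns="http://tempuri.org/">'
    "<Result>ST</Result><CMD>C00E001B221316</CMD></GenericResponse>"
)
SAMPLE_HEARTBEAT_RESPONSE = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<GenericResponse xmlns="http://tempuri.org/"><Result>SR</Result></GenericResponse>'
)
SAMPLE_DA_RECORDS = [  # first five records from the list above (C001 prefix omitted)
    "0029002032141626000000000000660052000000000000000000000000000500000000000000000000000001",
    "0029002102151634000000000000660058000000000000000000000000000700000000000000000000000001",
    "002900221215161900000000000066005B000000000000000000000000000300000000000000000000000001",
    "0029002432151616000000000000650061000000000000000000000000000300000000000000000000000001",
    "0029002322151615000000000000650000000000000000000000000000000000000000000000000000000011",
]


def u16(raw, off):
    """Big-endian 16-bit field at byte offset off."""
    return int.from_bytes(raw[off:off + 2], "big")


def parse_da(da_hex):
    """Decode one DA= payload (with or without the C001 prefix) into the fields listed above."""
    raw = bytes.fromhex(da_hex)
    if raw[:2] == MSG_TYPE:
        raw = raw[2:]
    if len(raw) != 44:                       # every sample is 44 bytes after C001
        raise ValueError(f"unexpected payload length {len(raw)}")
    if raw[:3] != CONSTANT:
        raise ValueError(f"unexpected header {raw[:3].hex()}")
    return {
        "seq": raw[3],
        "quarter": raw[4] >> 4,              # assumed: 0-3 -> :00/:15/:30/:45
        "hour": raw[5],                      # 0x13 -> 19, matching the response Date header
        "day": raw[6],                       # 0x16 -> 22nd
        "usage_indicator": raw[7],
        "temperature": raw[14],
        "day_total": u16(raw, 15),
        "socket_day_totals": [u16(raw, 17 + 2 * i) for i in range(6)],
        "period_energy": u16(raw, 29),
        "socket_period_energy": [u16(raw, 31 + 2 * i) for i in range(6)],
        "delayed": (raw[43] >> 4) == 1,      # assumed: high nibble of the last byte
    }


def parse_post(body):
    """Split the form-encoded POST body and decode its DA payload."""
    fields = parse_qs(body, strict_parsing=True)
    return {"device_id": fields["DI"][0], "dt": fields["DT"][0],
            "payload": parse_da(fields["DA"][0])}


def parse_response(xml_text):
    """Return (Result, CMD) from a GenericResponse; CMD is None on the heartbeat reply."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return root.findtext(NS + "Result"), root.findtext(NS + "CMD")


def sequence_anomalies(records):
    """Flag gaps, out-of-order packets and packets carrying the delayed flag.

    A delayed record reports a zero day total, so a receiver that blindly
    overwrote its stored total with each packet would see the day's usage
    vanish; surfacing these lets it treat them separately.
    """
    problems, prev = [], None
    for rec in records:
        if prev is not None and rec["seq"] != prev + 1:
            problems.append((rec["seq"], "gap" if rec["seq"] > prev + 1 else "out of order"))
        if rec["delayed"]:
            problems.append((rec["seq"], "delayed flag set"))
        prev = rec["seq"]
    return problems


if __name__ == "__main__":
    post = parse_post(SAMPLE_POST_BODY)
    print(post["device_id"], post["payload"])
    print(parse_response(SAMPLE_USAGE_RESPONSE), parse_response(SAMPLE_HEARTBEAT_RESPONSE))
    for seq, why in sequence_anomalies([parse_da(r) for r in SAMPLE_DA_RECORDS]):
        print(f"seq {seq:#04x}: {why}")
```

Running it on the five sample records reports a gap at seq 0x24 and an out-of-order, delayed packet at seq 0x23, which is exactly the pattern described for field 1 and field 7. Because the whole exchange is plain HTTP, anything on the path can read or produce these messages, so a length and header check like the one in parse_da is the least a receiving server should do before trusting a record.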
Thanks to Justin Fletcher for spotting some of the above patterns!