Focus Axr Sd Meter Hack

Notes below are bits of information that I found about Landis+Gyr Gridstream RF electric counters. All of it is public information and mostly obvious, I just needed somewhere to document it (unfortunately, the specification itself of the counters is not free, so I have not published any information about that). The above image is from a Hydro-Québec report to the Commission d'accès à l'information, linked below.

NB: I have zero interest in the health concerns of the counters. Those claims have been debunked multiple times. If you're so worried about your health, perhaps start with the excessive amounts of automobile pollution in and around Montreal. I was interested in the privacy of the counters. The initial claims from Hydro-Québec were very vague and they somehow thought industry standards should be secret, which is never a good sign in security, even (or perhaps especially) for large scale data monitoring. Here's a great 31c3 presentation on an unrelated topic: SCADA StrangeLove: Too Smart Grid in da Cloud (this does not affect HQ smart meters, just food for thought regarding often poor security practices of grid devices).

tl;dr: The counters do use encryption. The communication protocols do use standards that are documented (IDIS/DLMS-UA). Unfortunately, to read those standards, one must pay a fair amount of money. I personally do not have an opinion on whether we should or should not use these specific counters. I agree on the need for such counters. I would however require open and freely accessible standards, since implementing good cryptography is difficult and audits by (academic or private) researchers should be welcomed.

Model:

  • Landis+Gyr Gridstream RF, Type: FOCUS AXR-SD, module model 26-1552
  • Includes: FCC ID: TEB-HUNTSU864, IC: 5931A-HUNTSU864 (RF module)
  • According to FCC, range is 902-928 MHz, output watts: 0.56. http://transition.fcc.gov/oet/ea/fccid/ (enter: TEB, then: '-HUNTSU864')

According to Landis+Gyr public documentation:

  • 'The Gridstream RF solution provides NSA Suite B approved non-proprietary cryptographic algorithms and proven RSA key management appliances for key storage, generation and scalable encryption/decryption processing capabilities. Additionally, the FIPS 140-2 validated SafeNet Hardware Security Module allows Landis+Gyr customers to securely store cryptographic keys used to digitally sign downstream messages and commands in order to provide a strong root of trust among the head-end system and the RF devices in the network.' Reference

  • 'Landis+Gyr strongly believes in establishing an open and mature security process. The Gridstream security solution is based on industry accepted security protocols and standards. It is built on the premise of openness: open architecture, open collaboration and open standards to bring the strongest security mechanisms for protecting the interests of utilities and end users.' Reference (page 5)

  • 'Gridstream offers the ability to add third-party components to the IT infrastructure, including a Key Manager from RSA Laboratories and SafeNet’s Hardware Security Module (HSM).' (ibid, page 4)

  • 'Iskraemeco, Itron and Landis+Gyr today announced a significant initiative in the development of interoperable smart meters supporting utility applications. The three companies expect the new offering will promote faster and broader deployment of advanced metering management (AMM) devices and services based on open standards, thereby responding to a compelling customer demand. [...] This is achieved by incorporating interoperable device interface specifications (IDIS) that are based on existing open international standards as defined and maintained by the DLMS-UA.' Reference

Québec: Régie de l'énergie:

  • Health risks evaluations (tl;dr: no)

Commission d'accès à l'information:

  • Rapport d'inspection concernant l'utilisation par Hydro-Québec des compteurs de nouvelle génération et de l'implantation d'une infrastructure de mesurage avancée (inspection report on Hydro-Québec's use of next-generation meters and the deployment of an advanced metering infrastructure), February 2013.

According to this report:

  • The meters communicate wirelessly (mesh Wi-Fi, 900 MHz, public band) with the nearest router (the large boxes that can be seen on some Hydro-Québec poles), which forwards the data to a collector (what does that look like?), which then retransmits it to the acquisition front end over the wide area network (Rogers Communications).

  • The meters transmit their data six times a day.

  • 'The meters [...] record the value displayed on the meter at each 15-minute interval. These intervals are then grouped into packets of 16 records, for a total of four hours of consumption. These packets are called the "consumption profile". Once the consumption profile is complete, it is transmitted, over the network, to the acquisition front end. Consumption profiles are therefore transmitted six times a day, that is, about every four hours.' According to page 8, section 10, it would seem that the 'consumption profile' is made up of the readings recorded every 15 minutes.

  • 'The transmitted data is kept for an average period of 45 days on the meter and for 100 days once it has reached the acquisition front end. Once these operational periods (reading, billing, etc.) have expired, the data is archived for accounting purposes for a period of 5 years.'

TEB-HUNTSU864 RF module

c.f. specs Régie de l'énergie du Québec, 2012-03-19

Focus counters have the RF module placed at the front of the counter. c.f. Régie de l'énergie du Québec, 2012-03-28, page 40.

According to a Hydro-Quebec expert, they estimate that 77% of counters send their data directly to a collector, and 23% will relay using an average of 4.4 relays on the mesh network. Of that 23%, 3% will relay through 19 counters. (ibid, page 79, F. Robichaud).

Unconfirmed

  • 'Focus AXR' is the same as 'Focus AXR-SD', but it does not have a built in disconnect switch ref

Types of RF meters

  • AMR “bubble up” meter (Itron/Schlumberger C1SR) - usually transmit every 30 to 60 seconds, read by passing trucks.
  • ERT (http://en.wikipedia.org/wiki/Encoder_receiver_transmitter) 'wake up' meter (Elster AB1R) - only transmits when queried by passing truck. Mostly obsolete, since does not implement a 'smart grid', i.e. live status of consumption and failures.
  • AMI mesh smart meter (Landis+Gyr Focus AXR and RXRS4e)

References

  • DLMS Security (PDF)
  • http://www.cyamon.com/Security/security1.html
  • http://dlms.com/documents/Excerpt_GB8.pdf

NB: I do not support 'hyper-sensitivity' theories. I reference some of those articles only because they often have good tech details on RF counters.

Measured radiation levels from wireless smart meters of different models and technologies

Abstract

The radio frequency radiation from four models of wireless utility electrical meters was measured. Three technologies were included: mesh smart meters, AMR and ERT meters.

It was found that the meters radiated most powerfully out through the front and less from the sides and back.

Some meters could clearly be measured more than 50 ft (16 meters) from the front plate, at levels above ambient.

The ERT meter did not transmit during the test period, as it only transmits when prompted by a radio signal.

Keywords: Smart meters, mesh, ERT, AMR, wireless, emissions, radiation, measurements

Introduction

Wireless utility meters have become common in the United States. There are models available for measuring the use of natural gas, water and electricity for individual households, though the wireless electrical meters are the most common. The meters offer a variety of benefits, such as reduced cost of obtaining billing information. Some models also offer improved blackout detection, monitoring of power quality and load reduction during power shortages.

Some models transmit nearly continuously, while others transmit a few times a minute. Some older models transmit a few times a day or even just once a month.

Concerns and protests have been raised by the public in the last few years, based on numerous complaints from customers who claim health effects. There have also been protests from professional societies, such as the International Commission for Electromagnetic Safety (ICEMS) and the American Academy of Environmental Medicine (AAEM).

This report takes a look at the actual radio frequency radiation from four models of wireless electrical meters.

Methodology

The four meters were chosen to be far removed from other meters and other sources of interference.

The instrument used was a Tenmars TM-195 3-axis RF meter, which measures the frequency band from 50 MHz to 3500 MHz (3.5 GHz). All wireless electrical meters transmit within that range (usually around 900 MHz).

As the transmissions are not continuous, it was necessary to measure the peak value, instead of an average. According to Tenmars, the TM-195 instrument samples (measures) three times a second. As the pulsed transmissions from the wireless meters are of short duration (typically around 1/50th second) it was necessary to measure over several minutes to make sure at least one burst coincided with the instrument’s sampling. The measurements were all 5 minutes or longer, with 5 minutes the common period.
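
The coincidence argument above can be put in numbers. The following is an added example, not part of the original report: it assumes each burst lands at a random, independent phase relative to the instrument's sample clock and, as a worst case, that a sample is instantaneous. The function names and the `aperture_s` parameter are hypothetical, introduced here for illustration.

```python
import math
import random

SAMPLE_RATE_HZ = 3.0   # TM-195 sampling rate quoted in the text
BURST_S = 1 / 50       # typical burst duration quoted in the text


def p_hit_single(burst_s=BURST_S, rate_hz=SAMPLE_RATE_HZ, aperture_s=0.0):
    """Chance that one burst overlaps a sample, given a random burst phase.

    aperture_s (hypothetical parameter) is how long each sample listens;
    0.0 is the assumed worst case of an instantaneous sample.
    """
    return min(1.0, (burst_s + aperture_s) * rate_hz)


def p_capture(window_s, tx_interval_s, **kw):
    """Chance that at least one burst inside the window is sampled."""
    bursts = int(window_s // tx_interval_s)
    return 1.0 - (1.0 - p_hit_single(**kw)) ** bursts


def window_needed(tx_interval_s, confidence=0.99, **kw):
    """Shortest window in seconds that reaches the capture confidence."""
    p = p_hit_single(**kw)
    if p >= 1.0:
        return tx_interval_s          # every burst is seen
    bursts = math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))
    return bursts * tx_interval_s


def simulate(window_s, tx_interval_s, trials=20000, seed=1):
    """Monte Carlo cross-check of p_capture for instantaneous samples."""
    rng = random.Random(seed)
    period = 1.0 / SAMPLE_RATE_HZ
    bursts = int(window_s // tx_interval_s)
    caught = 0
    for _ in range(trials):
        for _ in range(bursts):
            # Burst starts at a random offset within one sample period;
            # it is seen only if it is still on air at the next sample.
            if rng.uniform(0.0, period) + BURST_S >= period:
                caught += 1
                break
    return caught / trials


if __name__ == "__main__":
    c1sr = 30.0                 # C1SR: one burst every 30 seconds
    mesh = 86400 / 10000        # mesh: about 10,000 bursts a day on average
    for name, interval in (("C1SR", c1sr), ("mesh", mesh)):
        print(f"{name}: 5 min capture chance {p_capture(300, interval):.2f}, "
              f"99% needs {window_needed(interval) / 60:.1f} min")
    print(f"simulated C1SR, 5 min: {simulate(300, c1sr):.2f}")
```

Under these assumptions the window needed depends strongly on how often the meter transmits; a sample that listens for longer (a larger `aperture_s`) shortens it.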

The measurements were taken at varying distances from the front plate of the wireless utility meter.

Measurements were also taken at different angles from the front plate, to see if the radiation levels were the same in all directions.

The instrument was placed on a tripod, about 5 ft (1.3 meters) above the ground, to be level with the meter.

Measurements were not taken of the transients (“dirty electricity”) put on the household wiring, nor of power frequency (ELF) fields.

Results

The RF emissions from four electrical utility meters were measured. The meters were of three types:

AMR “bubble up” meter (Itron/Schlumberger C1SR)

ERT “wake up” meter (Elster AB1R)

AMI mesh smart meter (Landis+Gyr Focus AXR and RXRS4e)

AMR “bubble up” drive-by meter

An Itron type C1SR meter was measured on a house in rural Arizona, several miles north of Tucson. The C1SR meter is also available under the Schlumberger brand.

This meter was owned by UniSource, one of the largest utilities in Arizona. UniSource owns the Tucson Electric Power utility, which operates in the area.

The C1SR meters can be programmed to communicate in various ways. This meter is programmed to transmit wirelessly every 30 seconds.[1] A utility vehicle passes through the area about once a month to pick up the signals from the meters with a wireless receiver. The communication is one-way; the meters do not know when their signals are needed, so they transmit all the time.

In some areas around Tucson, the utility uses the same meters in a fixed network where the signals are received by collector units mounted on lamp posts.

The radiation from this C1SR meter was measured at increasing distances from the front plate, as shown in Table 1.

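Table 1: C1SR meter frontal radiation

| Distance (ft) | Distance (m) | Radiation (mW/m2) |
|---|---|---|
| 1 | 0.3 | 36.0 |
| 3 | 1 | 7.5 |
| 5 | 1.6 | 1.7 |
| 10 | 3.2 | 0.70 |
| 15 | 4.8 | 0.49 |
| 20 | 6.5 | 0.24 |
| Ambient | | 0.06 |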

The radiation from the meter drops off with distance, but was still above ambient levels at twenty foot distance.

Measurements were also taken behind the meter, which was mounted on the wall of the house. This meant that the radiation had to pass through the steel breaker panel and the 12 inch (300 mm) thick wall. The wall appeared to be standard wood-framing, thus providing little attenuation. At 3 ft (1 meter) from the backside of the meter, the radiation level was measured to 8 mW/m2. This is a 60 dB reduction from the same distance from the front side.

ERT “wake up” meter

An Elster AB1R meter was measured in a remote area of southeastern Arizona. The nearest town is Rodeo, New Mexico.

The meter is electromechanical with analog dials. Only a close inspection revealed that it was a wireless ERT meter, which the homeowner was unaware of. The meter has electronics mounted on the bottom of the mechanical meter, which can only be seen from underneath. A label indicates the ERT technology, and also lists an FCC notice.

ERT stands for Electronic Receiver Transmitter. These types of meters are read by a passing utility vehicle, which has a transmitter that sends out a signal. When the ERT meter receives this signal, it transmits its data. Otherwise, it does not transmit.

To verify that the meter was not transmitting, the RF instrument was placed 3 ft from the front plate. The peak value was measured to 0.0137 mW/m2 over 12 minutes.

The ambient level was comparable (0.0099 mW/m2).

AMI mesh smart meters

Mesh smart meters are a part of a sophisticated wireless network. The meters constantly communicate with each other to detect if any of the meters are malfunctioning and to pass along messages in a relay fashion. The network is controlled by special collector units, which gather up the information from all the meters in the area and pass it on to the utility.

Mesh networks are very busy. Court-ordered disclosures reveal that for one brand of mesh network, each meter transmits an average of about 10,000 times a day, with some meters transmitting as much as 190,000 times a day.[2]

Two different models of mesh smart meters were measured in the Dallas, Texas area. Both were of the Landis+Gyr brand, and using that company’s Gridstream mesh technology, according to the labels on the meters.

The first meter was located in a park in Hickory Creek, on the northwest side of the Dallas metro area. A wireless collector unit was found on a lamp post, about half a mile from the smart meter.

The meter was a Focus AXR model, which is identical to the Focus AXR-SD, but without a built-in disconnect switch.

The measurements were performed on two consecutive days (April 30 and May 1, 2012). The results are shown in Table 2.

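Table 2: Hickory Creek Focus AXR mesh, frontal radiation

| Distance (ft) | Distance (m) | Radiation, Day 1 / Day 2 (mW/m2) |
|---|---|---|
| 3 | 1 | 191 |
| 5 | 1.6 | 116 |
| 10 | 3.2 | 34 / 22 |
| 15 | 4.8 | 8 |
| 20 | 6.5 | 4 / 3 |
| 30 | 9.7 | 3 / 2 |
| 50 | 16.1 | 1 / 1 |
| 100 | 37.3 | 0.4 / 0.4 |
| Ambient | | 0.6 / 0.02 |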

All values are peak.

The measurements were taken in the early evening on both days and are consistent. The radiation levels reach the ambient levels at a distance of about 100 ft (32 meters) from the front of the meters.

The ambient levels varied significantly over time. On Day 1, the ambient level was apparently lower when the 100 ft measurement was performed, than when the official ambient level was measured. On Day 2, the level was measured to be 30 times lower. This may be due to the varying traffic on the cell towers in the area.

The radiation levels were measured at various angles relative to the front, to see how directional the transmitter is. The measurements were taken 10 ft (3 m) from the meter, as shown in Table 3.

Table 3: Hickory Creek Focus AXR mesh, angular measurements

| Angle | Peak radiation (mW/m2) |
|---|---|
| 0° (front) | 26 |
| 45° | 9 |
| 90° (side) | 0.06 |
| 180° (back) | 0.07 |
| Ambient | 0.02 |

The antenna is clearly directional, with the radiation falling off rapidly to the side and back. At a 90 degree angle and beyond, the level is reduced by about 50 decibels.

The meter was mounted on a steel box, which could provide shielding towards the back, but not the side, which was glass.

A Landis+Gyr RXRS4e mesh smart meter was measured in a rural area near Seagoville, on the southeast side of the Dallas metro area. This model meter can be configured with various communication technologies, such as telephone modem, power line carrier (PLC) and wireless. According to the label, it used Gridstream Mesh wireless.

A collector unit was found on a lamp post about a mile away. It is possible that another unit was closer, but not found.

Measurements were taken from the front and side of the RXRS4e meter, as shown in Table 4.

Table 4: Seagoville RXRS4e mesh

| Distance (ft) | Distance (m) | Angle | Peak radiation (mW/m2) |
|---|---|---|---|
| 10 | 3.2 | Front | 5.1 |
| 30 | 9.7 | Front | 0.8 |
| 10 | 3.2 | Side (90°) | 2.2 |
| Ambient | | | 0.2 |

All values are peak.

The radiation levels on the RXRS4e mesh meter were somewhat lower than the AXR meter at Hickory Creek. The reduction towards the side was also less (only about 50%).

It was not feasible to measure the radiation level from the back of this meter.

Discussion and conclusion

Three different wireless technologies are represented by four different models of meters.

As the meters do not transmit as a continuous wave, the peak values were collected. Readings were taken at varying distances to ensure that the values were true and not affected by the ambient levels.

The peak radiation levels were recorded for periods of at least 5 minutes, and no more than 12 minutes.

These peak levels varied between the models, with the C1SR being the lowest at 0.7 mW/m2 and the Focus AXR the highest with 34 mW/m2 at 10 ft (3 meters) distance. The C1SR may transmit less powerfully as its signal is received from a passing utility vehicle and there is no need for reaching much of a distance.

The C1SR meter transmits every 30 seconds, while the more powerful mesh meters transmit more often than that, sometimes multiple times a second. The peak recordings in this study only determined the strength of each pulse and are not affected by how frequently the meters transmit. The exposures from the mesh meters may thus be much greater, but cannot be quantified from this data.

All measurements were taken in rural or semi-rural areas, to limit interference from other transmitters. That the readings were higher than the ambient levels, and that they tapered off with increasing distance, indicates that there was no interference. The readings are thus credible.

It is possible that wireless meters deployed in more densely populated areas radiate less powerfully, though with meters placed closer together, the overall effect may be higher. This would especially be the case with apartment buildings and strip malls, where several meters may be mounted close together.

This study reveals that the meters do not radiate uniformly in all directions. The three meters tested radiated most powerfully out the front. In one case, a person standing 10 ft (3 m) from the side of the meter would receive a lower dose than someone standing 50 ft (16 m) from the front.

The ERT meter was found to not radiate any radio frequency when it was not prompted to do so. This type of meter is typically read monthly, but does not offer any of the functionalities needed for the smart grid. It is solely a labor-saving device and largely considered obsolete.

The ambient peak RF levels measured ranged from 0.0099 mW/m2 in a remote part of Arizona to 0.6 mW/m2 in a park on the outskirts of the Dallas metro area. A single wireless smart meter can raise the radiation level above the ambient for a distance of 50 feet (16 m).

July 2012

End notes

1) Disclosed by UniSource representatives at the Arizona Corporation Commission hearing about smart meters on September 8, 2011. Docket E-00000C-11-0328, www.azcc.gov.

2) Disclosed by Pacific Gas and Electric (PG&E) in response to administrative law judge ruling. Filed in document titled Pacific Gas and Electric Company’s Response to Administrative Law Judge’s October 18, 2011 Ruling Directing it to file Clarifying Radio Frequency Information, November 1, 2011. The document is filed at the California Public Utilities Commission under Application 11-03-014.
