Assignment 6: Utility Meters

Overview

The rapidly approaching Internet of Things (IoT) will connect all sorts of sensors and actuators all around us. This has the potential to make our lives easier and more efficient, and to give us better control. One area is home automation, where you can use your iPhone to control your thermostat, all your light switches, your locks and cameras, and monitor the state of all your doors and windows. Usually these devices connect wirelessly.

One area of home automation that has already arrived is continuous monitoring of your utility meters: gas, water, and electricity. These all use wireless connections. The meter has a radio, and it periodically transmits your meter reading. Originally this was done to eliminate the need to pay meter readers, who had to walk each neighborhood once a month. Instead, a truck drives down the street transmitting a query packet to wake up the meter, which then transmits its reading. This is much faster!

Now the utilities are interested in a much finer-grained picture of your usage. Readings can be acquired every 15 minutes or so. This lets the power company, PG&E, charge you different rates at different times of the day. The water company can tell when you turn your sprinklers on, and whether you are watering only on your designated days. They can also tell if you have a leak somewhere.

From our perspective, the data that is collected provides a very detailed look at your activity over time. Remarkably, all of this data is transmitted in unencrypted packets that you can acquire and decode with your rtl-sdrs!

Signals from Utility Meters

There are a couple of different frequencies in use. We will be looking at meters that operate in the 900 MHz ISM band (902-928 MHz). There are other meters that operate at 433 MHz, but I haven't seen any of them around here.

The radios for water meters look like this:

You have probably seen them around campus. Mostly these are water meters for sprinklers.

If you take your rtl-sdr and tune it to the 900 MHz ISM band, this is what you see:

Each of the horizontal lines is a packet. There is a lot of packet traffic in this band, since it is a very popular ISM band. Some of this traffic is utility meters talking to each other.

The data from one meter, downloaded from the PG&E web site, looks like this:

This is the electricity consumption for my house over a day. On this day, you can see that everyone got up at about 8 AM, no one was home all day, and everyone came home at about 7 PM. The evening is when most of the power is used. Someone was up until about 2 AM. This is a pretty detailed picture. Water and gas add even more detail. If you were a door-to-door fund raiser, when would you want to show up? How about if you were a residential property relocation expert? Both would pay for this information!

A high level description of how the meters communicate is here

Smart Meter Connection

This is an interesting system. The meters self-organize into a mesh network and pass packets along to access points, where they are then sent over a secure wireless network.

The issue is that on the link from the meters to the access point, the data packets are sent in the clear. This is probably a historical artifact. When the meters were first installed, the PG&E truck would drive through and query them only once a month. Unless you knew exactly what you were looking for, you would never even find these signals. Now they transmit every 15 minutes, and are easy to find.

The mesh network aspect is particularly interesting. The meters talk to adjacent meters and try to find a path to an access point. From there, data is transmitted via the cellular network. Packets get automatically forwarded from one meter to another. If one meter fails, the network adapts to route around it. This is a very simple and robust way to build a network.

There are a couple of implications. There has to be a high enough meter density to make sure each meter can find a path; this is a problem in rural or suburban areas. Adding meters helps, which is one of the reasons PG&E would like everyone to use them. The other implication is that if you monitor your meter, you will also see all the traffic that passes through it, which significantly extends your range. I think that is why I see quite so many meters at my house.

Digital RF Packets

The packets are again OOK with Manchester encoding, the same story as before. There is a preamble, several defined fields, and then a 16-bit check value (a BCH code in the standard consumption message) that lets the receiver detect, and in principle correct, bit errors; rtlamr simply discards packets whose check does not come out to zero. A description of the signal is here:

Meter Signals

A description of the different types of packets and the data fields is here:

Meter Packets

This was originally reverse engineered by Gregory Hancock of GridInsight (see his original posting here). Once the information was public (see the Wikipedia page), Douglas Hall (bemasher) wrote rtlamr, which is the software we will use to capture and decode the signals. It is very widely used.

The output of rtlamr for about 8 minutes looks like this:

The important fields are the time, the ID of the meter, the type of the meter, and the total consumption to date. rtlamr also prints other fields, such as the checksum. Also, several digits have been deleted from the meter numbers to protect my neighbors.

The key piece that is missing to make this truly problematic is the mapping from a meter ID to the physical meter, and so to an address. We won't go into that.

There are several different types of meters, which can be identified from the "type" field. These are:

  • Electric: 04, 05, 07, 08

  • Gas: 02, 09, 12

  • Water: 11, 13

The capture above shows almost all electric meters, with a couple of water meters. This makes sense: PG&E is much more concerned with fine-grained reporting, so their meters report much more frequently.
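To make the packet description and the type table concrete, here is an added example in Python. It is not code from the course page, from GridInsight's write-up, or from rtlamr; it builds and parses the 96-bit standard consumption message (SCM) that most of the meters above send. The field offsets, the 0x6F63 check polynomial and the residue-must-be-zero check follow rtlamr's SCM decoder, and the type-to-commodity table is the list above. The meter IDs and readings are constructed, not captured, and the code works on an already demodulated bit string, so the OOK/Manchester step is left to rtlamr.

```python
"""Encode and decode an ERT Standard Consumption Message (SCM).

Added example; not code from the course page, from GridInsight's write-up,
or from rtlamr. Field offsets and the check polynomial follow rtlamr's SCM
decoder; the sample packet below is constructed rather than captured.
"""

PREAMBLE = "111110010101001100000"   # 21-bit SCM preamble (0x1F2A60)
PACKET_BITS = 96                     # preamble + 59 payload bits + 16 check bits
BCH_POLY = 0x6F63                    # generator polynomial of the 16-bit BCH check

# ERT type nibble -> commodity, as listed on the page above.
METER_KIND = {4: "electric", 5: "electric", 7: "electric", 8: "electric",
              2: "gas", 9: "gas", 12: "gas", 11: "water", 13: "water"}


def bch16(bits):
    """Remainder of the bit string modulo BCH_POLY (MSB first, zero init).

    Appending the 16-bit remainder of `payload + 16 zero bits` to the payload
    makes the remainder of the whole thing zero, which is how the check is
    verified on receive."""
    reg = 0
    for b in bits:
        carry = reg >> 15
        reg = ((reg << 1) | int(b)) & 0xFFFF
        if carry:
            reg ^= BCH_POLY
    return reg


def encode_scm(meter_id, meter_type, consumption, tamper_phy=0, tamper_enc=0):
    """Build a 96-bit SCM as a string of '0'/'1' characters."""
    if not (0 <= meter_id < 1 << 26 and 0 <= meter_type < 16
            and 0 <= consumption < 1 << 24):
        raise ValueError("field out of range")
    payload = (
        format(meter_id >> 24, "02b")          # bits 21-22: ID, two MSBs
        + "0"                                  # bit 23: reserved
        + format(tamper_phy, "02b")            # bits 24-25: physical tamper
        + format(meter_type, "04b")            # bits 26-29: ERT type
        + format(tamper_enc, "02b")            # bits 30-31: encoder tamper
        + format(consumption, "024b")          # bits 32-55: cumulative reading
        + format(meter_id & 0xFFFFFF, "024b")  # bits 56-79: ID, low 24 bits
    )
    check = bch16(payload + "0" * 16)
    return PREAMBLE + payload + format(check, "016b")


def decode_scm(bits):
    """Locate the preamble in a bit string and return the SCM fields.

    Returns None if no complete packet follows a preamble or the BCH check
    fails (rtlamr likewise drops packets whose check residue is non-zero)."""
    start = bits.find(PREAMBLE)
    if start < 0 or len(bits) - start < PACKET_BITS:
        return None
    pkt = bits[start:start + PACKET_BITS]
    if bch16(pkt[21:]) != 0:         # payload followed by its own check value
        return None
    meter_type = int(pkt[26:30], 2)
    return {
        "id": int(pkt[21:23] + pkt[56:80], 2),
        "type": meter_type,
        "kind": METER_KIND.get(meter_type, "unknown"),
        "tamper_phy": int(pkt[24:26], 2),
        "tamper_enc": int(pkt[30:32], 2),
        "consumption": int(pkt[32:56], 2),
    }


def flip_bit(bits, index):
    """Return a copy of the bit string with one bit inverted (simulated noise)."""
    return bits[:index] + ("1" if bits[index] == "0" else "0") + bits[index + 1:]


if __name__ == "__main__":
    # Constructed sample: an electric (type 4) meter reporting 123456 units,
    # preceded by a few idle bits the way a real bit stream would be.
    stream = "0" * 7 + encode_scm(12345678, 4, 123456)
    print(decode_scm(stream))
    print(decode_scm(flip_bit(stream, 7 + 40)))   # corrupted reading -> None
```

The check value is a plain polynomial remainder, so any single flipped bit in the payload or check field makes the residue non-zero and the packet is dropped; that is why a noisy capture produces fewer lines in rtlamr's output rather than wrong readings. Note that the ID is split across the packet (two bits before the type nibble, 24 bits after the reading), which is easy to get wrong when reading the field description.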

Conclusion

The short range communication between the meters is easily decoded. This tells you a lot of personal information about each individual household. This would seem to be a problem! There are many questions. How did we get to this situation? Who benefits? Who is damaged, and do they even know how exposed they are? Your assignment this week is to look into these issues.

Assignment

You have several options for your assignment this week. For each topic, generate about 5 slides to describe your thoughts or results. Upload your slides here:

Week 6 Slides

1. As you can imagine, there has been a lot of controversy over the installation of smart meters. PG&E's motivation is well summarized by this article:

PG&E Goals

The pitch that was made to utility customers is captured well in the press release from Palo Alto, when they first started a test program for installing the meters:

PG&E Pitch

There has been lots of drama, with people fighting to keep smart meters out. One example is Marin County, just north of us:

Community reaction

It is interesting to see the range of concerns. Which do you share? Also, it is interesting to see how nobody really seems to know how these things work.

You can choose any of these, and add your own search results.

2. Gregory Hancock pointed me to an interesting California law governing "advanced metering infrastructure" and security:

California Assembly Bill 1274

What is your take on this? Do these meters comply?

3. Here is one day of data in Excel format, collected at my house:

Meter Data

What can you find? How many unique meters are there? Choose one that has many entries and plot it. The data is the total consumption since the meter was first started. It is usually more interesting to look at the rate of consumption, which is just the change from one reading to the next (divided by the time between them if the readings are unevenly spaced). That is what the plot from my house showed above.

4. Install rtlamr, and run it to see what you get. You need to install the Go language support, but this all works pretty easily. You also need rtl_tcp, which comes with the rtl-sdr tools (it is one of the binaries in the gqrx package). Start rtl_tcp first; rtlamr connects to it over TCP (by default on 127.0.0.1:1234). The code is on github, as usual:

rtlamr

Around Stanford you'll mostly get water meters, but if you go home over break, you might hear a lot more. Or take your laptop and rtl-sdr, and go to a park somewhere in a residential area. I've never had anyone bother me while I was recording local RF signals.
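Whether the readings come from the spreadsheet in option 3 or from your own rtlamr run in option 4, the analysis is the same: group by meter ID, sort by time, and difference consecutive cumulative readings. The following is an added example, not the course page's own code or data, working on a few constructed rows in a CSV shape (time, id, type, consumption) that is assumed here; adjust the column names to match your file. It drops duplicate rows (the same packet forwarded through the mesh arrives more than once) and treats a reading that goes backwards as a rollover of the 24-bit consumption counter.

```python
"""Turn cumulative meter readings into consumption rates.

Added example, not the course page's own code. The rows below are
constructed to resemble rtlamr output (time, ID, type, reading); the
column names are an assumption, so adapt the parser to your own file.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

COUNTER_BITS = 24                      # SCM consumption field is 24 bits wide

# Constructed sample readings (not real capture data). Each row is a
# cumulative reading; the same packet often arrives twice because a
# neighbouring meter forwards it, hence the duplicate first row. The gas
# meter (type 2) wraps its 24-bit counter between its two readings.
SAMPLE = """\
time,id,type,consumption
2015-02-10 00:00:04,12345678,4,481203
2015-02-10 00:00:04,12345678,4,481203
2015-02-10 00:15:11,12345678,4,481205
2015-02-10 00:30:07,12345678,4,481206
2015-02-10 01:00:02,12345678,4,481209
2015-02-10 00:10:33,23456789,11,9982
2015-02-10 00:40:19,23456789,11,9982
2015-02-10 01:10:45,23456789,11,9985
2015-02-10 00:20:00,45678901,2,16777210
2015-02-10 00:50:00,45678901,2,4
2015-02-10 00:05:00,34567890,4,77
"""


def load_readings(text):
    """Group rows by meter ID.

    Returns {id: [(time, reading), ...]} sorted by time, with exact
    duplicate rows (same time and same reading) collapsed to one."""
    per_meter = defaultdict(set)
    for row in csv.DictReader(StringIO(text)):
        t = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        per_meter[int(row["id"])].add((t, int(row["consumption"])))
    return {mid: sorted(rows) for mid, rows in per_meter.items()}


def consumption_rates(readings):
    """Turn cumulative readings into (start, end, delta, units_per_hour).

    Captures are unevenly spaced, so the delta is divided by the elapsed
    time. A reading smaller than its predecessor is taken as a 24-bit
    counter rollover rather than negative consumption."""
    out = []
    for (t0, r0), (t1, r1) in zip(readings, readings[1:]):
        delta = (r1 - r0) % (1 << COUNTER_BITS)
        hours = (t1 - t0).total_seconds() / 3600
        if hours <= 0:
            continue               # two readings with the same timestamp: no rate
        out.append((t0, t1, delta, delta / hours))
    return out


def summarize(text):
    """Per-meter reading counts and rate series for a whole capture."""
    readings = load_readings(text)
    return {mid: {"readings": len(rows), "rates": consumption_rates(rows)}
            for mid, rows in readings.items()}


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    print(f"{len(summary)} unique meters")
    for mid, info in sorted(summary.items()):
        print(mid, info["readings"], "readings")
        for t0, t1, delta, rate in info["rates"]:
            print(f"  {t0:%H:%M}-{t1:%H:%M}  +{delta:<4d} {rate:7.2f}/h")
```

A meter seen only once produces no rate, so pick a meter with many readings, as the assignment says. Plotting `rate` against `t1` for one meter gives the same kind of daily profile as the PG&E plot above, except that the units are whatever the meter counts (the SCM carries no unit field), so compare shape rather than absolute values unless you know the meter's multiplier.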