Case Study

Apator - Security testing

About the Company

Apator Group is a dynamic capital group made up of several companies, based in Central and Eastern Europe and active on the international market. It is a pioneer in communication and measurement equipment as well as IT systems, applying modern technologies to the acquisition and distribution of data in networks and to utility billing, for example:

  • Prepay and electric credit meters
  • Heating meters
  • Gas meters
  • Water meters
  • Temperature sensors

Their goal is the security and comfort of their clients as well as encouraging their clients to be environmentally conscious.

As a provider of innovative electricity meters for B2B and B2C customers on the Hungarian market, we sought out a partner with an international reputation and experience in the field of IT security. We found a partner who satisfied all of those requirements in TestArmy.

Balázs Srej, Export Department, Metering equipment and systems

The Situation:

Apator SA and one of the largest Hungarian power plants required independent expertise to produce a report on the effectiveness of the meter's password protection, including the protection of parameterization and of measurement data.

Challenges:

Specialists from TestArmy were tasked with checking whether the electricity meters met the requirements of the Hungarian customer, including:

  • Multiple authorization levels are required for parameterization
  • The devices are properly protected against external software attacks

The only communication interface available on the device is the standard optical port. Apator supplies an optical probe (opto-coupler) that attaches to the meter's port and connects to a computer via USB.

The optical probe supplied by Apator is mechanically and electrically compatible with EN 62056-21 and is designed for use with the DLMS/HDLC protocol (EN 62056-46 for the HDLC data link layer, EN 62056-53 for the COSEM application layer). The serial parameters are 19200 bps, 8N1.
A dedicated Apator program is available for reading and parameterizing the meter, but any DLMS/HDLC client configured with the serial parameters above can read it as well. The client must be able to handle COSEM APDUs of at least 284 bytes, both when sending and when receiving.
All external (public) associations require LLS (low-level security) authentication, in which the client presents a password when it establishes the association. DLMS communication follows a client-server model: the reader is the client and the meter is the server, a logical device representing the measuring device.
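The link setup the passage describes, as an added example that is not part of the original page and not Apator's or TestArmy's code: a Python implementation of IEC 62056-46 type-3 HDLC framing (FCS-16 over the header and over the whole frame, extension-bit addresses), an SNRM to open the link, and an AARQ that requests an LLS association with the client-max-receive-pdu-size set to the 284 bytes mentioned above. The server address (logical device 1), the public client SAP 16, the password and the proposed conformance bits are assumptions chosen for illustration. Because LLS carries the password unencrypted in the AARQ's calling-authentication-value, the last function shows what a passive listener on the optical link sees during an LLS association, which is what the eavesdropping test listed under Results examines; a challenge-response HLS mechanism (mechanism ids 2 and up) keeps the secret off the wire.

```python
"""Added example (not Apator's or TestArmy's code): IEC 62056-46 HDLC framing
with a DLMS/COSEM AARQ using LLS authentication, plus the parse a passive
listener on the optical link would perform. Addresses, password and the
conformance bits are assumed values for illustration."""
import struct
from typing import Optional

FLAG = 0x7E


def fcs16(data: bytes) -> int:
    """HDLC FCS-16 (ISO 13239 / RFC 1662): reflected poly 0x8408, init 0xFFFF, complemented."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def hdlc_addr(sap: int) -> bytes:
    """One-byte HDLC address: SAP in the upper 7 bits, LSB = end of address."""
    if not 0 <= sap < 128:
        raise ValueError("one-byte addresses hold SAPs 0..127")
    return bytes([(sap << 1) | 1])


def hdlc_frame(dest: bytes, src: bytes, control: int, info: bytes = b"") -> bytes:
    """Type-3 frame: 7E | format | dest | src | control | HCS [| info | FCS] | 7E (CRCs LSB first)."""
    body_len = 2 + len(dest) + len(src) + 1 + 2 + (len(info) + 2 if info else 0)
    header = struct.pack(">H", 0xA000 | body_len) + dest + src + bytes([control])
    body = header + struct.pack("<H", fcs16(header))
    if info:
        body += info
        body += struct.pack("<H", fcs16(body))  # FCS spans header, HCS and info
    return bytes([FLAG]) + body + bytes([FLAG])


def parse_frame(frame: bytes) -> dict:
    """Check flags, format field, length, HCS and FCS; return the frame fields."""
    if len(frame) < 9 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flags or frame too short")
    body = frame[1:-1]
    fmt = struct.unpack(">H", body[:2])[0]
    if fmt >> 12 != 0xA or (fmt & 0x07FF) != len(body):
        raise ValueError("bad format field or length")
    pos = 2

    def read_addr() -> bytes:  # addresses extend until a byte with LSB set
        nonlocal pos
        start = pos
        while not body[pos] & 1:
            pos += 1
        pos += 1
        return body[start:pos]

    dest, src = read_addr(), read_addr()
    control = body[pos]
    pos += 1
    if struct.unpack("<H", body[pos:pos + 2])[0] != fcs16(body[:pos]):
        raise ValueError("HCS mismatch")
    pos += 2
    info = b""
    if pos < len(body):
        if struct.unpack("<H", body[-2:])[0] != fcs16(body[:-2]):
            raise ValueError("FCS mismatch")
        info = body[pos:-2]
    return {"dest": dest, "src": src, "control": control, "info": info}


def aarq_lls(password: bytes, max_pdu: int = 284) -> bytes:
    """AARQ, LN referencing without ciphering, LLS: the password travels as-is."""
    app_ctx = bytes.fromhex("A1 09 06 07 60 85 74 05 08 01 01")  # 2.16.756.5.8.1.1
    acse_req = bytes.fromhex("8A 02 07 80")                       # authentication required
    mechanism = bytes.fromhex("8B 07 60 85 74 05 08 02 01")       # 2.16.756.5.8.2.1 = LLS
    auth = bytes([0xAC, len(password) + 2, 0x80, len(password)]) + password
    # xDLMS InitiateRequest: version 6, assumed conformance bits, client max PDU size
    initiate = bytes.fromhex("01 00 00 00 06 5F 1F 04 00 00 18 1D") + struct.pack(">H", max_pdu)
    user_info = bytes([0xBE, len(initiate) + 2, 0x04, len(initiate)]) + initiate
    body = app_ctx + acse_req + mechanism + auth + user_info
    return bytes([0x60, len(body)]) + body


def password_from_capture(frame: bytes) -> Optional[bytes]:
    """Listener's view: walk the ACSE TLVs after the LLC header, return calling-authentication-value."""
    info = parse_frame(frame)["info"]
    if info[:3] != b"\xE6\xE6\x00" or info[3] != 0x60:
        return None
    apdu = info[5:5 + info[4]]
    pos = 0
    while pos + 1 < len(apdu):
        tag, length = apdu[pos], apdu[pos + 1]
        if tag == 0xAC and apdu[pos + 2] == 0x80:
            return apdu[pos + 4:pos + 4 + apdu[pos + 3]]
        pos += 2 + length
    return None


if __name__ == "__main__":
    server, client = hdlc_addr(1), hdlc_addr(16)  # assumed: logical device 1, public client
    snrm = hdlc_frame(server, client, 0x93)       # SNRM with P bit: open the link
    aarq = hdlc_frame(server, client, 0x10, b"\xE6\xE6\x00" + aarq_lls(b"12345678"))
    print("SNRM:", snrm.hex(" "), "\nAARQ:", aarq.hex(" "))
    print("password visible on the link:", password_from_capture(aarq))
```

To use this against a real meter, write the two frames to the probe's serial port at 19200 bps, 8N1 (pyserial is the usual choice), wait for the UA that answers the SNRM and the AARE that answers the AARQ, and check the AARE result field before sending any GET; a brute-force test of the LLS password is simply that exchange repeated, which is why the meter's lockout or back-off behaviour after failed associations is the property worth measuring.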

Results:

TestArmy's penetration testers conducted the following security tests in their own lab in August 2017:

  • Communication tests between the electric meter and the reader
  • Communication eavesdropping tests
  • Brute-force access code tests

All of the tests listed above were passed, and after reviewing the reports our experts concluded that the device is not vulnerable to attacks in the areas tested.

Once again, we were able to utilize our expert pentesters to ensure borderless R&D and application security. We also welcome the fact that we are becoming more known as a reliable partner within the energy sector, which has made us more active in the energy sector both domestically and internationally.

Szymon Chruścicki, Project & Business Manager, TestArmy Group SA

Apator S.A.
ul. Gdanska 4a, lok C4
87-100 Torun, PL
September 8, 2017

Our cooperation with TestArmy was focused on auditing, testing and retesting security in the area of:
  • Communication tests between the meter and reader
  • Communication tests against eavesdropping
  • Brute-force access code tests
Our goal from the beginning of cooperation was to confirm that the device and associated applications met the defined security requirements. TestArmy completed these tasks with speed, flexibility and professionalism.
The team of specialists from TestArmy has sufficient knowledge and experience to meet all of the goals that were set by us. We would also like to reiterate their flexibility to adjust the testing process to our needs and working methods.
We plan to use TestArmy’s services in the future, especially when it comes to security testing.

Balázs Srej
Export Department
Metering equipment and systems