Case Study

Apator - Security testing

apator logo

About the Company

Apator Group is a dynamic capital group located in Central and Eastern Europe, which also consists of other commodities and is active in the international market. They are pioneers in the fields of communication and measurement equipment as well as IT systems. They use modern technologies in the detection and dissemination of information in networks and utility billing

The Situation:

Apator SA and one of the largest Hungarian power plants required independent expertise to form a report on the effectiveness of password protection, including parameterization and protection of measurement data.

JAs a provider of innovative electricity meters for B2B and B2C customers on the Hungarian market, we sought out a partner with an international reputation and experience in the field of IT security. We found a partner who satisfied all of those requirements in TestArmy.

Balázs Srej, Export Department Metering

Challenges

Specialists form TestArmy were tasked with checking whether the electricity meters were meeting the requirements of the Hungarian customer including:
  • Multiple authorization levels are required for parameterization
  • The devices are properly protected against external software attacks

The only available communication interface on the device is the standard optical port. In the meter, Apator provides a so-called opto-coupler that connects to a computer via USB.

The opto-coupler in the meter supplied by Apator was mechanically and signally compatible with EN62056-21 and is designed for use with DLMS/HDLC protocol (EN62056-46, EN62056-53). Data transmission speed is 19200 bps, 8N1 character format.
A dedicated APATOR program is available for reading and parameterizing the meter, but any DLMS/HDLC client program configured to work in accordance with the listed serial port parameters can also read it. The client’s program should be able to handle APDU COSEM up to min.284 bytes for both data transmission and reception.
All outside (public) associations require authentications of the LLS link. In the reader, the DLMS protocol provides communication in the client-server architecture, where the server has a counter. The server is a logical device defined as a measuring device.

Results

TestArmy pentester specialists conducted the following security tests in their own lab in August 2017:

  • Communication tests between the electric meter and the reader
  • Communication eavesdropping tests
  • Brute-force access code tests

All of the tests mentioned above were successfully passed and after auditing the reports our experts concluded that the device is not vulnerable to any attacks in the mentioned areas.

Do you need a free quote?

Write to us about your product
and we will take care of the rest.

QUOTE A PROJECT