Assignment 6: Utility Meters

Overview

The rapidly approaching Internet of Things (IoT) will connect all sorts of sensors and actuators all around us. This has the potential to make our lives easier and more efficient, and to give us better control. One area is home automation, where you can use your iPhone to control your thermostat, all your light switches, your locks, as well as cameras, and monitor the state of all your doors and windows. Usually these connect wirelessly.

One area of home automation that has already arrived is continuous monitoring of your utility meters: gas, water, and electricity. These all use wireless connections. The meter has a radio, and it periodically transmits your meter readings. Originally this was done to eliminate the need for meter readers, who would have to walk each neighborhood once a month. Instead, the utility would drive a truck down the street transmitting a query packet to wake up the meter, which would then transmit its reading. This is much faster!

Now the utilities are interested in a much finer grained picture of your usage. Readings can be acquired every 15 minutes or so. This lets the power company PG&E charge you different rates for different times of the day. The water company can tell when you turn your sprinklers on, and whether you are only watering on your designated days. They can also tell if you have a leak somewhere.

From our perspective, the data that is collected provides a very detailed look at your activity over time. Remarkably, all this data is transmitted over unencrypted packets that you can acquire and decode with your rtl-sdrs!

Signals from Utility Meters

There are a couple of different frequencies that are used. We will be looking at meters that operate in the 900 MHz ISM band (902-928 MHz). There are other meters that operate at 433 MHz, but I haven't seen any of them around here.

The radios for water meters look like this:

You have probably seen them around campus. Mostly these are water meters for sprinklers.

If you take your rtl-sdr and tune it to the 900 MHz ISM band, this is what you see:

Each of the horizontal lines is a packet. There is a lot of packet traffic in this band since it is a very popular ISM band. Some of this traffic is utility meters talking to each other.

The data from one meter looks like this, downloaded from the PG&E web site:

This is the electricity consumption for my house over a day. On this day, you can see that everyone got up at about 8 AM, no one was home all day, and that everyone came home about 7 PM. The evening is when most of the power is used. Someone was up until about 2 AM. This is a pretty detailed picture. Water and gas add even more detail. If you were a door-to-door fundraiser, when would you want to show up? How about if you were a residential property relocation expert? Both would pay for this information!

A high level description of how the meters communicate is here:

Smart Meter Connection

This is an interesting system. The meters self organize into a mesh network, and pass packets along to access points, where they are then sent over a secure wireless network.

The issue is that for the link from the meters to the access point the data packets are sent in the clear. This is probably a historical artifact. When the meters were first installed, the PG&E truck would only drive through and query them once a month. Unless you knew exactly what you were looking for, you would never even find these signals. Now, they are transmitting every 15 minutes, and are easy to find.

The mesh network aspect is particularly interesting. The meters talk to adjacent meters, and try to find a path to an access point. From there data is transmitted via the cellular network. Packets get automatically forwarded from one meter to another. If one meter fails, the network adapts to route around it. This is a very simple and robust way to build a network.

There are a couple of implications. There has to be a high enough meter density to make sure each meter can find a path. This is a problem in rural or suburban areas. Adding meters helps. That is one of the reasons PG&E would like everyone to use these. The other implication is that if you monitor your meter, you will also see all the traffic that passes through it. That significantly extends your range. I think that is why I see so many meters at my house.

Digital RF Packets

The packets again are OOK with Manchester encoding. Same story as before. There is a preamble, several fields that are defined, and then a checksum to allow bit error detection and correction. A description of the signal is here:

Meter Signals

A description of the different types of packets and the data fields is here:

Meter Packets

This was originally reverse engineered by Gregory Hancock of GridInsight (see his original posting here). Once the information was public (Wikipedia page), Douglas Hall (Bemasher) wrote rtlamr, which is the software we will use to capture and decode the signals. It is very widely used. The pages we looked at above are part of his wiki, the rtlamr wiki.
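As an added illustration (not rtlamr's code, and not part of the original page), here is a small Python decoder for the signal described above: it Manchester-decodes a chip stream, hunts for the SCM preamble, and splits the 96-bit frame into the fields rtlamr reports. The preamble value, the bit offsets and the Manchester polarity are assumptions taken from the rtlamr wiki pages linked above; the checksum field is carried but not verified.

```python
# Added example (not rtlamr's code): Manchester-decode a chip stream, find the SCM
# preamble, and split the 96-bit frame into fields. The preamble value and the bit
# offsets are assumptions taken from the rtlamr wiki pages linked above.
SCM_PREAMBLE = "111110010101001100000"   # 0x1F2A60, 21 bits
SCM_BITS = 96

# Meter type codes as listed on this page.
METER_KIND = {4: "Electric", 5: "Electric", 7: "Electric", 8: "Electric",
              2: "Gas", 9: "Gas", 12: "Gas", 11: "Water", 13: "Water"}

def manchester_encode(bits, one="10"):
    """Test-signal helper: each bit becomes a two-chip pair (polarity assumed)."""
    return "".join(one if b == "1" else one[::-1] for b in bits)

def manchester_decode(chips, one="10"):
    """Map chip pairs back to bits; a pair matching neither polarity is a coding
    violation (idle line, noise, misalignment) and becomes 'x'."""
    zero = one[::-1]
    out = []
    for i in range(0, len(chips) - 1, 2):
        pair = chips[i:i + 2]
        out.append("1" if pair == one else "0" if pair == zero else "x")
    return "".join(out)

def parse_scm(frame):
    """Split a 96-bit SCM frame by rtlamr's bit offsets (BCH checksum not verified)."""
    f = lambda a, b: int(frame[a:b], 2)
    meter_type = f(26, 30)
    return {"id": (f(21, 23) << 24) | f(56, 80),   # 2 MSBs + 24 LSBs of the ERT ID
            "type": meter_type, "kind": METER_KIND.get(meter_type, "Unknown"),
            "tamper_phy": f(24, 26), "tamper_enc": f(30, 32),
            "consumption": f(32, 56), "checksum": f(80, 96)}

def decode_packet(chips):
    """Try both chip alignments and both Manchester polarities; the wrong
    alignment or polarity does not find the preamble, so the first hit is the frame."""
    for offset in (0, 1):
        for one in ("10", "01"):
            bits = manchester_decode(chips[offset:], one)
            i = bits.find(SCM_PREAMBLE)
            if 0 <= i and i + SCM_BITS <= len(bits) and "x" not in bits[i:i + SCM_BITS]:
                return parse_scm(bits[i:i + SCM_BITS])
    return None

def build_scm(ert_id, meter_type, consumption, checksum=0):
    """Constructed frame for demonstration; real meters fill in a BCH checksum."""
    b = lambda v, n: format(v, "0%db" % n)
    return (SCM_PREAMBLE + b(ert_id >> 24, 2)                 # ID MSBs
            + "0" + "00" + b(meter_type, 4) + "00"            # reserved, phys tamper, type, enc tamper
            + b(consumption, 24) + b(ert_id & 0xFFFFFF, 24) + b(checksum, 16))
```

Feeding `"000" + manchester_encode(build_scm(40000000, 7, 54321)) + "000"` to `decode_packet` recovers ID 40000000, type 7 (Electric) and consumption 54321 despite the leading idle chips shifting the alignment.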

The output of rtlamr for about 8 minutes looks like this:

The important fields are the time, the ID of the meter, the type of the meter, and the total consumption to date. There are other fields that rtlamr puts out, like the error correction CRC field. Also, several digits have been deleted from the meter numbers to protect my neighbors.

The key piece that is missing to make this truly problematic is the mapping from the meter ID to the actual meter. We won't go into that.

There are several different types of meters which can be identified from the “type” field. These are:

  • Electric: 04, 05, 07, 08

  • Gas: 02, 09, 12

  • Water: 11, 13

The capture above shows almost all electric meters, with a couple of water meters. This makes sense: PG&E is much more concerned with fine-grained reporting, so their meters report much more frequently.
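Added example (not part of the original page or of rtlamr): parse a few constructed lines in the shape of rtlamr's text output, count the unique meters, classify them with the type table above, and turn the running totals into the rate of consumption between successive readings, which is the quantity the data-analysis option of the assignment asks you to plot. The exact line format is an assumption modelled on the capture above, and the meter IDs are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape of rtlamr's text output (the exact spacing
# is an assumption); meter IDs are made up and the first line is startup chatter.
SAMPLE = """\
rtlamr: listening for SCM packets (constructed startup line, no reading here)
{Time:2016-02-10T08:00:00.000 SCM:{ID:40000001 Type: 7 Tamper:{Phy:00 Enc:00} Consumption:   512340 CRC:0x1A2B}}
{Time:2016-02-10T08:00:30.000 SCM:{ID:40000002 Type:11 Tamper:{Phy:00 Enc:00} Consumption:     9871 CRC:0x3C4D}}
{Time:2016-02-10T08:15:00.000 SCM:{ID:40000001 Type: 7 Tamper:{Phy:00 Enc:00} Consumption:   512352 CRC:0x5E6F}}
{Time:2016-02-10T08:30:00.000 SCM:{ID:40000001 Type: 7 Tamper:{Phy:00 Enc:00} Consumption:   512370 CRC:0x7081}}
{Time:2016-02-10T09:00:30.000 SCM:{ID:40000002 Type:11 Tamper:{Phy:00 Enc:00} Consumption:     9874 CRC:0x92A3}}
"""

# Meter type codes as listed on this page.
METER_KIND = {4: "Electric", 5: "Electric", 7: "Electric", 8: "Electric",
              2: "Gas", 9: "Gas", 12: "Gas", 11: "Water", 13: "Water"}

# Pull out the fields the text calls important: time, meter ID, type, consumption.
LINE = re.compile(r"Time:(\S+) SCM:\{ID:\s*(\d+) Type:\s*(\d+) .*?Consumption:\s*(\d+)")

def parse_lines(text):
    """Group readings by meter ID: id -> [(time, type, total consumption)]."""
    readings = defaultdict(list)
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue                      # skip anything that is not a decoded packet
        t = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f")
        readings[int(m.group(2))].append((t, int(m.group(3)), int(m.group(4))))
    return readings

def summarize(readings):
    """Per meter: kind (from the type table), reading count, and the rate of
    consumption between successive readings (units per hour), since the packet
    itself only carries the running total."""
    out = {}
    for meter_id, rows in readings.items():
        rows.sort()                       # packets may be logged out of order
        rates = []
        for (t0, _, c0), (t1, _, c1) in zip(rows, rows[1:]):
            hours = (t1 - t0).total_seconds() / 3600
            if hours > 0:
                rates.append((c1 - c0) / hours)
        out[meter_id] = {"kind": METER_KIND.get(rows[0][1], "Unknown"),
                         "count": len(rows), "rates": rates}
    return out
```

On the sample, `summarize(parse_lines(SAMPLE))` finds two meters: the electric one reporting every 15 minutes at 48 then 72 units per hour, and the water meter at 3 units per hour.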

Conclusion

The short range communication between the meters is easily decoded. This tells you a lot of personal information about each individual household. This would seem to be a problem! There are many questions. How did we get to this situation? Who benefits? Who is damaged, and do they even know how exposed they are? Your assignment this week is to look into these issues.

Assignment

You have several options for your assignment this week. For each topic, generate about 5 slides to describe your thoughts or results. The signup is here:

Week 6 signup

Upload your slides here:

Week 6 Slides

1. As you can imagine, there has been a lot of controversy over the installation of smart meters. PG&E's motivation is well summarized by this article:

PG&E Goals

This story about Palo Alto describes some potential benefits for the city:

Palo Alto Meters

Check out the comments for some of the local concerns. There has been lots of drama with people fighting to keep smart meters out. One example is Marin County, just north of us:

Community reaction

It is interesting to see the range of concerns. Which do you share? Also, it is interesting to see how nobody really seems to know how these things work.

You can choose any of these, and add your own search results. There are recent stories all over the US. Two are New Jersey and Massachusetts. Just search for “smart meters” in news stories.

2. Gregory Hancock pointed me to an interesting California law governing “advanced metering infrastructure” and security:

California Assembly Bill 1274

What is your take on this? Do these meters comply?

3. One of the public's concerns about meters is the RF exposure. Some technical data about these meters is here:

ARRL Smart Meter Page

Given the peak power cited here, and assuming the meter transmits for 50 microseconds every 15 minutes, what is the average power? How does that compare to your other devices?

Because of these concerns, there are products you can buy to protect yourself. If you search “EMF Shield” on Amazon, you will find these for utility meters, and other devices. Take a look and describe what you find. Are they useful?

There are lots of strong opinions about RF exposure on the web. Take a look and see what you find.

4. The one piece of information that is missing in the description above is how you figure out exactly where a meter is. That is what you'd need to know to make this information truly problematic. Some utilities would also like to know this, unfortunately for their users. This is described in this video:

Utility Meter Location Data

Describe what you find, and how this works. You can search on the web for more sources.

5. Here is one day of data in Excel format, collected at my house:

Meter Data

What can you find? How many unique meters are there? Choose one that has many entries and plot it. The data is the total consumption since the meter was first started. It is usually more interesting to look at the rate of consumption, which is just the change from one reading to the next. That was what the plot from my house showed above.

6. Install rtlamr, and run it to see what you get. You need to install the Go language support, but this all works pretty easily. You also need rtl_tcp. This is one of the binaries in the SDR# package. rtlamr will also install it for you for Windows and Linux. You will need to build it yourself for macOS using MacPorts, Homebrew, or compiling directly from source. The code for rtlamr is on GitHub, as usual:

rtlamr

Around Stanford you'll mostly get water meters, but those of you who live elsewhere might hear a lot more. You can also take your laptop and rtl-sdr and go to a park somewhere in a residential area. I've never had anyone bother me while I was recording local RF signals.