The latest module for the Termineter Framework supports enumerating valid user IDs on smart meters as part of the C12.18 login process. This is particularly useful for certain smart meter vendors that allow the C12.19 general information tables #0 and #1 to be read with a valid user ID but no password. Enumerating user IDs on smart meters can also identify accounts that can be targeted for brute-forcing passwords. As on many systems, the lowest valid user ID is generally the one with the most privileges.
As part of the login process, when a user authenticates to a smart meter, two requests are made: a logon request and a security request. The logon request contains a username and a numerical user ID. After the logon request, a security request is made containing the password to authenticate the previously specified user ID. By checking the response to the logon request before sending the security request, a user can determine whether the attempted user ID is considered valid by the smart meter. Most smart meters only validate the numerical user ID field of the logon request and ignore the username field. The user ID field in the logon request is a two byte value, and as such, up to 0xffff possibilities are technically available, although usually the valid account IDs are below 10.
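The traffic pattern this produces is easy to pick out on the meter side or in a capture of the optical port session: a legitimate login is one logon request followed by one security request, while an ID sweep is a run of logon requests, most of them rejected, with few or no security requests. The following is an added example written for this post; it is not Termineter code. It decodes the logon request body (service code 0x50, the two-byte user ID, then the user name field) and summarizes a session so the sweep can be flagged. The service and response codes, the most-significant-byte-first user ID, the 10-byte user name field and the 20-byte password field are taken from the ANSI C12.18 specification as recalled here and should be verified against the standard; the sample sessions are constructed.

```python
from collections import Counter

# C12.18 PSEM service and response codes (per ANSI C12.18 as recalled here;
# verify against your copy of the standard before relying on them).
SVC_LOGON = 0x50
SVC_SECURITY = 0x51
RESP_OK = 0x00
RESP_ERR = 0x01

USER_ID_LEN = 2      # two-byte user ID, as the post states
USER_NAME_LEN = 10   # assumption: fixed 10-byte user name field per C12.18
PASSWORD_LEN = 20    # assumption: fixed 20-byte password field per C12.18


def parse_logon(request: bytes):
    """Decode a logon request body into (user_id, user_name); None if it is not a logon."""
    if len(request) < 1 + USER_ID_LEN or request[0] != SVC_LOGON:
        return None
    # Assumption: the user ID is sent most-significant byte first.
    user_id = int.from_bytes(request[1:1 + USER_ID_LEN], "big")
    name_bytes = request[1 + USER_ID_LEN:1 + USER_ID_LEN + USER_NAME_LEN]
    user_name = name_bytes.rstrip(b"\x00 ").decode("ascii", "replace")
    return user_id, user_name


def build_logon(user_id: int, user_name: str = "") -> bytes:
    """Encode a logon request body; used here only to construct sample traffic."""
    name = user_name.encode("ascii")[:USER_NAME_LEN].ljust(USER_NAME_LEN, b"\x00")
    return bytes([SVC_LOGON]) + user_id.to_bytes(USER_ID_LEN, "big") + name


def summarize_session(exchanges):
    """Summarize one C12.18 session given as a list of (request_body, response_code).

    The counts separate a normal login (one logon, one security request) from a
    sweep (many distinct IDs, rejected logons, security requests missing).
    """
    ids_tried = Counter()
    valid_ids = set()
    rejected = 0
    security = 0
    for request, response in exchanges:
        if not request:
            continue
        if request[0] == SVC_LOGON:
            parsed = parse_logon(request)
            if parsed is None:
                continue
            user_id, _ignored_name = parsed   # meters ignore the name field
            ids_tried[user_id] += 1
            if response == RESP_OK:
                valid_ids.add(user_id)        # the meter confirmed this ID exists
            else:
                rejected += 1
        elif request[0] == SVC_SECURITY:
            security += 1
    return {
        "distinct_ids": len(ids_tried),
        "logons": sum(ids_tried.values()),
        "rejected": rejected,
        "security": security,
        "valid_ids": sorted(valid_ids),       # accounts exposed by the sweep
    }


def is_enumeration(summary, min_distinct_ids=3):
    """Heuristic: a person logs on as one ID and then sends a password. Several
    distinct IDs in one session with fewer security requests than logons is the
    enumeration pattern described above."""
    return (summary["distinct_ids"] >= min_distinct_ids
            and summary["security"] < summary["logons"])


# Constructed sample traffic (not a real capture).
NORMAL_SESSION = [
    (build_logon(2, "TECH"), RESP_OK),
    (bytes([SVC_SECURITY]) + b"\x00" * PASSWORD_LEN, RESP_OK),
]
# A sweep of IDs 0..7 where the meter accepts 0, 1 and 2 and rejects the rest;
# no security request ever follows.
SWEEP_SESSION = [(build_logon(uid), RESP_OK if uid < 3 else RESP_ERR)
                 for uid in range(8)]

if __name__ == "__main__":
    for label, session in (("normal", NORMAL_SESSION), ("sweep", SWEEP_SESSION)):
        summary = summarize_session(session)
        print(label, summary, "ENUMERATION" if is_enumeration(summary) else "ok")
```

Run over the constructed sessions, the normal login is left alone and the sweep is flagged with the three IDs the meter confirmed; on a real deployment the `valid_ids` list tells you which accounts, the lowest of them in particular, need a password set or audited.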
