Cyrill Brunschwiler reported several vulnerabilities in Wireless M-Bus Security mode 5 at Black Hat USA 2013; see https://www.compass-security.com/fileadmin/Datein/Research/Praesentationen/blackhat_2013_wmbus_security_whitepaper.pdf (Sections 4.4.2 and 4.4.3).
Both the Jam-and-Replay and the Shield-and-Replay attack concern message replay. An attacker can intercept messages sent by Wireless M-Bus Security mode 5 devices at time T and replay them during readouts at T + several months.
Although we lack technical documentation of the radio modules, we think that the meters send a timestamp:
Enbra EWM could compare the time reported by the meter with the system time and thereby detect replay attacks (allowing, of course, for errors due to clock drift). Enbra EWM provides an export to CSV format, and the exported data can be used for further processing, e.g. to provide billing details. However, the exported CSV data does not contain the time observed at the meter; it contains only the system time of the readout. Enbra EWM does not notify the user that a readout from the past has appeared, and the exported data cannot be checked for replayed readouts.
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base score 6.5 (Medium severity)
Attack vector (AV:A): The adversary needs to be in the vicinity of the meters (tens of metres; with a good antenna probably more).
Attack complexity (AC:L): The adversary needs to replay previously captured messages. Enbra EWM appears to process only the first captured message from each meter, so the hardest part for the adversary is to arrange the attack so that the replayed message is captured before the genuine one from the meter. As the meters transmit about every 80 seconds, there is generally enough time to be first.
Privileges required (PR:N): None. The adversary can correlate the position of the meters with the signal strength.
User interaction (UI:N): The meter identifier is sent in every message and is printed on the front of the meter. A cooperating user can make the adversary's task easier by letting them see the meter or telling them the meter number, but such cooperation is not necessary to carry out the attack.
Impact (C:N/I:H/A:N): The adversary can spoof the consumption and decrease the billed amount.
CWE-345: Insufficient Verification of Data Authenticity
Workaround: Until Enbra EWM is fixed, display the details of each readout in the application and check the meter-reported time before exporting.
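The check described above (compare the time stamp carried in the telegram with the system time, and look for readouts that go backwards in time) as an added example. This is not Enbra EWM code and the advisory does not document the vendor's record format; the `Readout` fields, the 24-hour drift allowance, the sample records and the assumption that every telegram carries a meter time stamp are all constructed here for illustration. It also goes slightly beyond the text by comparing each readout with the last accepted readout of the same meter, which catches a replay even when the receiver's own clock is wrong and the plain time comparison passes.

```python
"""Replay detection for Wireless M-Bus readouts.

Added example, not code from Enbra EWM. Assumptions not taken from the
advisory: each readout record carries the meter identifier, the time stamp
the meter reported in its telegram, the system time at which the readout
software received it, and the consumption counter.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Readout:
    meter_id: str
    meter_time: datetime   # time stamp carried in the telegram (assumed field)
    system_time: datetime  # receiver clock at the moment of capture
    volume_m3: float       # consumption counter carried in the telegram


# Allowance for meter clock drift and for a receiver whose clock is slightly
# off; a telegram captured months ago exceeds this by far. Value is assumed.
CLOCK_TOLERANCE = timedelta(hours=24)


def check_readouts(readouts, history=(), tolerance=CLOCK_TOLERANCE):
    """Return a list of (readout, reason) for readouts that look replayed.

    Check 1: the telegram's own time stamp is further behind (or ahead of)
             the receiver's clock than the drift allowance.
    Check 2: against the last accepted readout of the same meter (taken from
             `history`, e.g. the previous billing period), the telegram time
             or the consumption counter has gone backwards. This does not
             depend on the receiver clock being right.
    Readouts that pass both checks are accepted and become the baseline for
    their meter; the first message per meter is not trusted blindly.
    """
    flagged = []
    latest = {r.meter_id: r for r in history}
    for r in sorted(readouts, key=lambda x: x.system_time):
        lag = r.system_time - r.meter_time
        if abs(lag) > tolerance:
            flagged.append((r, f"telegram time is off by {lag} from system time"))
            continue
        prev = latest.get(r.meter_id)
        if prev is not None and (r.meter_time <= prev.meter_time
                                 or r.volume_m3 < prev.volume_m3):
            flagged.append((r, "telegram older than, or counter below, last accepted readout"))
            continue
        latest[r.meter_id] = r
    return flagged


# Constructed sample data (not captured from real meters).
PREVIOUS_PERIOD = [
    Readout("12345678", datetime(2020, 2, 1, 9, 0), datetime(2020, 2, 1, 9, 0, 30), 120.5),
    Readout("55556666", datetime(2020, 2, 1, 9, 5), datetime(2020, 2, 1, 9, 5, 20), 300.0),
]

CURRENT_PERIOD = [
    # genuine telegram: meter clock within minutes of system time, counter increased
    Readout("12345678", datetime(2020, 3, 1, 10, 2), datetime(2020, 3, 1, 10, 0, 40), 128.9),
    # replay of a telegram captured in December, injected before the genuine one
    Readout("12345678", datetime(2019, 12, 1, 8, 15), datetime(2020, 3, 1, 10, 0, 5), 101.3),
    # genuine telegram from a meter with no history
    Readout("87654321", datetime(2020, 3, 1, 10, 1), datetime(2020, 3, 1, 10, 0, 50), 44.0),
    # replayed January telegram received on a laptop whose clock is also wrong:
    # check 1 passes, check 2 catches it against the February baseline
    Readout("55556666", datetime(2020, 1, 20, 10, 0), datetime(2020, 1, 20, 10, 0, 30), 290.0),
]


def suspected_replays():
    """Meter ids and reasons for the constructed sample, in detection order."""
    return [(r.meter_id, reason) for r, reason in check_readouts(CURRENT_PERIOD, PREVIOUS_PERIOD)]


if __name__ == "__main__":
    for meter_id, reason in suspected_replays():
        print(f"{meter_id}: {reason}")
```

Run as a script it lists the two constructed replays and accepts the two genuine telegrams. Because the CSV export described above carries only the system time, this check has to run on the readout records before export; an exported file cannot be verified afterwards.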