ON-Networks PL500 Powerline Adapters

Quite some time ago, I played around with some Computrend 902 Powerline adapters and found a number of different security issues - here and here

Those devices are long gone, but whilst the issues I found were relatively minor (if nothing else, proximity was required) it left me a little concerned about the security of any devices that might replace them. For quite some time, I didn't need to use any powerline adapters, but eventually the need arose again (no practical way to run CAT-5 to the location and the Wifi reception is too spotty).

So I bought 2 pairs of On-Networks' PL500S Powerline adapters. Depending where you buy them from, the model number may be PL500P, PL500-UKS, or even the Netgear part number - Netgear ON NETWORKS PL500-199UKS.

I've not yet given them a serious hammering from a security perspective. However, there doesn't seem to be much information about these devices available on the net (and what is there is potentially misleading), so I thought I'd post what I've pulled together from prodding the devices, along with a few common-sense facts that might be being missed. I'd have found some of this helpful before purchase, so I suspect others might find it of use too.


Brand Name

Although the kit is branded On-Networks, be aware that it's Netgear kit (On-Networks being a Netgear brand). If you've any reason not to buy kit from Netgear, then the same logic should be applied here.

Unfortunately, having not done enough homework before buying the kit, I only found this out when looking up the manufacturer based on the device's MAC address.

 

Claimed Data Throughput

For anyone familiar with Powerline devices, the first bit of this section should be obvious. Some retailers (Currys, for example) will state something like

Capable of speeds of up to 500Mbps

or

Transfer Rate: 500Mbps

The first thing to note is that this is the transfer speed between the Powerline devices themselves, and not the transfer rate you'll see between two PCs using the devices.

In fact, you'll never see anything above 100Mbps, because the devices have a 10/100Mbps Ethernet interface, so the absolute maximum theoretical throughput is 100Mbps.

Worse (and it may be that I got unlucky and got some duds), the devices appear to have shipped defaulted to 10Mbps half-duplex, so throughput is even lower than it could have been (see Ethernet Speeds).

 

Network Presence

Much like a lot of the more recent powerline adapters, the PL500 is a Layer 2 device. So it has a MAC address but no IP.

Management is achieved via MAC frames: you can either read up on HomePlug AV management frames and write a script, or use a pre-built utility.

The devices are (of course) completely transparent to the rest of the network.

 

Management

You can have a lot of fun once you've written a small script to generate the management frames, but for the purposes of brevity I'll use some pre-written management software in all examples.

There are two open source solutions available, faifa and Qualcomm's open-plc-utils; I've used a mixture of both as they have different strengths.

The latter also includes some very helpful documentation, and it's worth taking a read, if only for the sense of humour displayed in various places (I particularly like the habit of collectively referring to functions such as wait as procrastination functions).

 

Device Classes (Reference)

Especially when using open-plc-utils, you will see reference to three classes of device on the network; these are defined below for reference.

Class     Description
local     A local device is one that can be reached without crossing a powerline network and is not a foreign device.
foreign   A foreign device is one whose chipset was not made by Qualcomm under the Atheros brand (think chipset, not the overall unit). Based on some reading, the state of play is that if the device doesn't have an INT6x00 or an AR7x00 chipset it won't respond (at the time of writing).
remote    A remote device is one that is only accessible on the other side of a powerline network.

It should be obvious then that whether a device is local or remote is entirely dependent on where your PC sits on the network in relation to the device.

 

MAC Addresses (Reference)

As a very quick side-note, in any examples below using open-plc-utils you may see short names used instead of MAC addresses. For reference, the utility translates them into the following MAC addresses:

Short name   MAC Address         Notes
all          FF:FF:FF:FF:FF:FF   Directly equivalent to broadcast.
broadcast    FF:FF:FF:FF:FF:FF   All devices, whether local, remote or foreign, will respond to this address.
local        00:B0:52:00:00:01   Only local devices will respond to this address. A local device is one that is not remote or foreign.

 

Chipset

The PL500s use Qualcomm's Atheros chip, in this case the AR7420 (also referred to as the QCA7420).

To get an overview of the manufacturer, send management frame 0xA054 to the device (using faifa), which returns the rather broad string:

Manufacturer string: Qualcomm Atheros HomePlug AV Device

This string is what eventually led me to the open-plc-utils that Qualcomm have released.

For details of the chipset in use, I used Qualcomm's utilities:

int6k -r
eth0 00:B0:52:00:00:01 Request Version Information
eth0 44:94:FC:9C:C7:5C QCA7420 MAC-QCA7420-1.1.0.838-00-20120803-FINAL

Alternatively, you can grab the chipset information from everything in the powerline network in one hit (useful if you're running slightly different devices):

ampstat local -t
 P/L NET TEI ------ MAC ------ ------ BDA ------  TX  RX CHIPSET FIRMWARE
 LOC STA 003 44:94:FC:9C:C7:5C 00:1A:A0:CF:87:18 n/a n/a QCA7420 MAC-QCA7420-1.1.0.838-00-20120803-FINAL
 REM CCO 002 44:94:FC:9C:C7:44 B8:27:EB:0B:EE:DB 094 130 QCA7420 MAC-QCA7420-1.1.0.838-00-20120803-FINAL

 

Flash Memory

The device uses NVRAM, and you can grab the configuration with Qualcomm's utility:

amptool -f -i eth0 local
eth0 00:B0:52:00:00:01 Fetch NVRAM Configuration
eth0 44:94:FC:9C:C7:5C TYPE=0x13 (M25P80) PAGE=0x0100 (256) BLOCK=0x10000 (65536) SIZE=0x100000 (1048576)

 

Ethernet Speeds

Whilst testing throughput, I was achieving some abysmally low speeds. Obviously the quality of wiring in the house always has an impact, but even then the speeds seemed to be far, far lower than they should have been.

Across a number of tests, the highest speed I got was 6Mbps, and even that was a very short blip, with most tests returning much lower than that.

Having checked/replaced cabling (and swapping in the redundant pair I had) I was still seeing the same.

It seems the devices (or at least the ones I have) shipped with the Ethernet set to 10Mbps half-duplex:

int6keth -i eth0 -r all
eth0 00:1A:A0:CF:87:18 Speed=10 Duplex=Half LinkStatus=Off FlowControl=On
eth0 00:1A:A0:CF:87:18 Speed=10 Duplex=Half LinkStatus=Off FlowControl=On

It's important to note, however, that the int6k tools within open-plc-utils are intended for use with devices using the INT6x00 chipsets (the Technical Reference Manual is a good in-depth resource on those chipsets, incidentally).

Faifa returned the same result (though it's sending the same management frame - 0xA06C - so it may still have been a false positive).

Dump:
Frame: Get Ethernet PHY Settings Confirm (A06D), HomePlug-AV Version: 1.0
Status: Success
Speed: Ethernet (10Mbits)
Duplex: Half duplex

 

The open-plc-utils documentation suggests that only the INT6x00 chipsets support the frame used to set the Ethernet speed (0xA06D), but I figured I'd give it a try anyway:

int6keth -a 100Full -d Full -n On -s 100 -w all
eth0 00:1A:A0:CF:87:18 Speed=10 Duplex=Half LinkStatus=Off FlowControl=On
eth0 00:1A:A0:CF:87:18 Speed=10 Duplex=Half LinkStatus=Off FlowControl=On

So it seemed not to have worked, but when I re-ran the throughput tests I was seeing 45-50Mbps across the link. It may have been completely coincidental timing (especially as the devices continue to report 10Mbps when queried), but the throughput has improved considerably.

 

Powerline Throughput

Generally we're likely to be more concerned about the Ethernet speeds we're seeing, but as the devices are sold with a headline rate of 500Mbps across the powerline network, it seems worth looking at what speed is actually being achieved.

The wiring they were plugged into isn't terrible, but it's far from lab conditions as well. The cable run between the wall sockets is around 75 metres, though one was plugged into a short extension cable as well.

int6krate -n local
eth0 44:94:FC:9C:C7:5C 44:94:FC:9C:C7:44 TX 097 mbps
eth0 44:94:FC:9C:C7:5C 44:94:FC:9C:C7:44 RX 132 mbps

So the speeds aren't too shabby, but they're around a fifth of the headline maximum. The testing conditions aren't optimal, which will have negatively affected throughput, but they are a realistic representation of how I'll be using the devices.

 

Security

I've not got around to doing much security testing on the devices as yet. One thing that stands out though is that no authentication is required to make some pretty core changes (such as changing the encryption key used by the devices).

An attacker would need to generate management frames from a machine on your network to change the key, and then connect their own powerline device to your mains supply to take advantage of it, so key changes are probably of small concern.

Potentially of more concern, however, is that (again without authentication) it's possible to run the built-in packet sniffer and capture the output. The open-plc-utils don't include a script for this, but it's evident the management frame is 0xA034.
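Since the whole management plane is unauthenticated Layer 2 traffic, the practical defence is to notice it. As an added example (not code from this post, faifa or open-plc-utils), here is a small Python parser that picks HomePlug AV management frames (EtherType 0x88E1) out of captured Ethernet frames, names the MMTYPEs this post mentions, and flags a sniffer request; the MME header layout in the docstring is my assumption, and the sample frames are constructed rather than captured.

```python
import struct
from typing import List, Optional, Tuple

ETHERTYPE_HOMEPLUG_AV = 0x88E1
QUALCOMM_OUI = bytes.fromhex("00B052")  # OUI behind the 'local' address 00:B0:52:00:00:01
MM_KIND = {0: "REQ", 1: "CNF", 2: "IND", 3: "RSP"}  # low two bits of MMTYPE
KNOWN = {0xA054: "VS_MFG_STRING", 0xA06C: "VS_ETH_SETTINGS", 0xA034: "VS_SNIFFER"}
ALERT = {0xA034}  # unauthenticated request that enables the adapter's built-in sniffer


def parse_mme(frame: bytes) -> Optional[dict]:
    """Decode a HomePlug AV MME header; None for non-HomePlug or truncated frames.
    Layout assumed: MMV (1 byte), MMTYPE (2 bytes little-endian), a 2-byte FMI
    field when MMV >= 1 (AV 1.1), then a 3-byte OUI for vendor-specific MMTYPEs."""
    if len(frame) < 17 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_HOMEPLUG_AV:
        return None
    mmv = frame[14]
    mmtype = struct.unpack("<H", frame[15:17])[0]
    off = 17 + (2 if mmv >= 1 else 0)
    oui = None
    if mmtype >= 0xA000:  # vendor-specific: the OUI says whose MME dialect this is
        if len(frame) < off + 3:
            return None
        oui = frame[off:off + 3].hex(":")
    base, kind = mmtype & ~0x3, MM_KIND[mmtype & 0x3]
    return {"src": frame[6:12].hex(":"), "dst": frame[:6].hex(":"), "mmv": mmv,
            "mmtype": mmtype, "kind": kind, "name": KNOWN.get(base, "unknown"),
            "oui": oui, "alert": base in ALERT and kind == "REQ"}


def audit(frames: List[bytes]) -> Tuple[List[dict], List[dict]]:
    """All decoded MMEs in `frames`, and the subset a defender should alert on."""
    mmes = [m for m in map(parse_mme, frames) if m is not None]
    return mmes, [m for m in mmes if m["alert"]]


def build_mme(dst: bytes, src: bytes, mmtype: int, mmv: int = 0) -> bytes:
    """Assemble a Qualcomm vendor-specific MME; used only to construct the samples."""
    fmi = b"\x00\x00" if mmv >= 1 else b""
    hdr = dst + src + struct.pack("!H", ETHERTYPE_HOMEPLUG_AV) + bytes([mmv])
    return (hdr + struct.pack("<H", mmtype) + fmi + QUALCOMM_OUI).ljust(60, b"\x00")


PC, LOCAL = bytes.fromhex("001AA0CF8718"), bytes.fromhex("00B052000001")  # constructed
SAMPLE_FRAMES = [
    build_mme(LOCAL, PC, 0xA054),                            # manufacturer string request
    build_mme(LOCAL, PC, 0xA06C, mmv=1),                     # Ethernet settings request (AV 1.1)
    build_mme(PC, bytes.fromhex("4494FC9CC75C"), 0xA06D),    # the adapter's confirm
    build_mme(LOCAL, PC, 0xA034),                            # sniffer request: alert on this
    bytes.fromhex("FF" * 6) + PC + b"\x08\x06" + bytes(46),  # ARP broadcast, ignored
]
```

Feed `audit()` the frames from a pcap of the LAN segment to see which hosts are issuing management requests to the adapters.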

 

Useful Resources

 

Conclusion

Aside from a few possible security questions that arise (I'll be digging into those later), they're not bad little devices for the money (around £30 a pair). The throughput issue I had was curious, but I've not managed to delve far enough in to ascertain the exact root cause. Nothing else in the setup changed when the speed jumped, so it may be that the devices always report incorrect Ethernet settings but were in fact configured wrongly, or there may be an extraneous variable that I've failed to factor in.

The only real issue I have with them so far, and it could have been avoided if I'd done a little more research before parting with my money, is that they are Netgear kit. I've had firmware issues with Netgear kit in the past, so I tend to avoid it as much as possible.