
Security Holes Found In "Smart" Meters

Posted by timothy
from the intentional-bottleneck dept.
Hugh Pickens writes "In the US alone, more than 8 million smart meters, designed to help deliver electricity more efficiently and to measure power consumption in real time, have been deployed by electric utilities and nearly 60 million should be in place by 2020. Now the Associated Press reports that smart meters have security flaws that could let hackers tamper with the power grid, opening the door for attackers to jack up strangers' power bills, remotely turn someone else's power on and off, or even allow attackers to get into the utilities' computer networks to steal data or stage bigger attacks on the grid. Attacks could be pulled off by stealing meters — which can be situated outside of a home — and reprogramming them, or an attacker could sit near a home or business and wirelessly hack the meter from a laptop, according to Joshua Wright, a senior security analyst with InGuardians Inc, a vendor-independent consultant that performs penetration tests and security risk assessments."
"Wright says that his firm found 'egregious' errors, such as flaws in the meters and the technologies that utilities use to manage data (PDF) from meters. For example, smart meters encrypt their data but the digital 'keys' needed to unlock the encryption are stored on data-routing equipment known as access points that many meters relay data to, so stealing the keys lets an attacker eavesdrop on all communication between meters and that access point (PDF). 'Even though these protocols were designed recently, they exhibit security failures we've known about for the past 10 years,' says Wright."

  • by Tepshen (851674) on Sunday March 28, 2010 @08:23AM (#31646578)
    ...but there really should be a minimum security standard for infrastructure items like any city's power grid (or voting machines, or traffic systems, or water supplies, or any number of things you don't want folks monkeying with). It's really insane to hear about this considering how power stations and utilities are tightly regulated. It doesn't matter that the system is only open on the far end of the line because eventually someone will mess with it and show just why it's a bad idea. Either make the system secure or don't make them so accessible.
  • by Sique (173459) on Sunday March 28, 2010 @08:27AM (#31646588) Homepage

    Where do you see the government involved here? As far as I understood the article those meters are to be distributed by the utilities, and those (at least in California) are privately owned.
    So I call that a cheap shot from someone who wants his prejudices confirmed.

  • by pnewhook (788591) on Sunday March 28, 2010 @09:37AM (#31646834)

    It's heavily regulated for a reason (essential service, safety, etc) just like medicine and nuclear. Some things should be regulated.

    In fact if it wasn't regulated, more screwups like this would happen.

  • by pnewhook (788591) on Sunday March 28, 2010 @09:58AM (#31646942)

    Regulation should be a last resort. The last thing I want is the government interfering with my right to make a living. And what I do on my own time is my own business.

    But regulation is a set of rules, and are there for safety. Utilities, nuclear, medical, all have the ability to kill someone if standards are not maintained. Regulation should exist in these areas. What part of that don't you agree with?

    And if you think health care which is a social program, and socialism is the same thing, then you don't know the meanings of the words. Probably because you watch too much Fox news.

  • why? (Score:3, Insightful)

    by DaveGod (703167) on Sunday March 28, 2010 @10:33AM (#31647132)
    I'm confused, why is it physically possible for anyone to remotely turn power on and off? That doesn't have anything to do with "help deliver electricity more efficiently and to measure power consumption in real time". Surely the entire software and circuitry surrounding those features should be able to fail completely with the core system (supply of electricity) completely unaffected and oblivious? I'm tempted to assume someone has other, less marketable objectives for the smart meters such as being able to cheaply disconnect people who aren't paying the bill, and therefore the root of the problem is those inherently risky objectives.
  • by commodore64_love (1445365) on Sunday March 28, 2010 @10:40AM (#31647184) Journal

    I consider electricity to be regulated because it's a monopoly. Ditto cable television. And natural gas providers.

    If they were not monopolies then there'd be no need to regulate them. If a company sucked, customers would simply walk away, and thereby drive the company into bankruptcy (as they did to Circuit City).

  • by russotto (537200) on Sunday March 28, 2010 @11:06AM (#31647376) Journal

    The traditional problems utilities have had to deal with are of physical intrusion, either by customers or by neighbors, looking to bypass the meter, modify the readings, or steal electricity. They solve this (or at least reduce it to a manageable level) mostly with intrusion detection -- basically, seals so they know the meter has been tampered with. In this model, the only loss is money and so preventing it at high cost doesn't make sense; detecting and stopping it reasonably quickly is more important.

    With meters which do more than metering, that's just not good enough. Significant effort must be made to prevent malicious people from surreptitiously turning power off, otherwise assholes will do it just for lols. It's not like ripping a meter off the wall, which will have the same effect but carries high likelihood of getting caught.

  • Re:i'm asthonished (Score:3, Insightful)

    by misexistentialist (1537887) on Sunday March 28, 2010 @12:44PM (#31648146)

    Of course, if there was a way to gauge energy consumption truly remotely from a central location that would be better, and also negate the "need" for wireless...

    If only there were wires connected to the meters, maybe a battery could be added to transmit readings over them.

  • by pnewhook (788591) on Sunday March 28, 2010 @02:07PM (#31648868)

    Is the police force socialism too? Or the justice system? Firefighters? All funded by taxpayers for the 'public good'. Same thing in your eyes apparently.

  • by gsarnold (52800) <[moc.liamg] [ta] [dlonrasg]> on Sunday March 28, 2010 @02:09PM (#31648888)

    Anyone found any similar useful hacks with them newfangled radio water meters?

    My city put 'em in last year and this dude comes out to the house to install it and I'm like, "...so this lets you drive past the house and pick up the meter reading without coming to the side of the house, right?" And the dude is like, "No. This radios your water usage directly to the central office every twelve hours."

    Every twelve hours.

    I know slashdot makes you paranoid, but this bothers me. I simply cannot imagine how it could be useful to monitor this frequently when they still bill my usage monthly. Plus, any dude with access to the database can hack together an SQL query to find out which houses have a total water usage under a gallon over the past three days and know who's not home.

  • by pnewhook (788591) on Sunday March 28, 2010 @02:11PM (#31648896)

    One of the strategies of someone who is about to lose an argument is to avoid the real issue by attacking the presenter on unrelated issues.

    So clearly you don't know the meanings of the words, and think they are equivalent. Must be the Fox news / fundamentalist education.

  • by Animats (122034) on Sunday March 28, 2010 @02:35PM (#31649108) Homepage

    The trouble with "smart meters" and the "smart grid" is that it's too easy to put in excess functionality that can cause trouble. The ability to do remote firmware upgrades is an example. The ability of meters to communicate with each other is another.

    The "smart grid" has way too much centralized control in it. All that's really needed is remote meter reading, plus some broadcast signals to indicate how scarce power is at the moment. The customer should have read-only access to their meter from their side of the meter. High-current appliances should be able to query the meter to find out if it's OK to draw heavy power right now. The power company should have no data path to appliances.

    Incidentally, some "smart meters" support pre-paid service, where customers have to pay in advance and are turned off automatically when their pre-payment runs out. There's also wattage-limited service, where the power turns off if a maximum load is exceeded. This can be used for collection purposes; if you get behind on your electric bill, your consumption is limited. There's a whole new range of ways for screwing poor people going in. It's like "check cashing" stores.

  • by pnewhook (788591) on Sunday March 28, 2010 @06:01PM (#31650776)

    Wow that's a great attitude. Let's completely deregulate everything. If I wanted to make my own nuclear power source and run it without shielding and bury the waste in the backyard, that would be ok with you. Genius.
