Security Holes Found In "Smart" Meters

Hugh Pickens writes "In the US alone, more than 8 million smart meters, designed to help deliver electricity more efficiently and to measure power consumption in real time, have been deployed by electric utilities and nearly 60 million should be in place by 2020. Now the Associated Press reports that smart meters have security flaws that could let hackers tamper with the power grid, opening the door for attackers to jack up strangers' power bills, remotely turn someone else's power on and off, or even allow attackers to get into the utilities' computer networks to steal data or stage bigger attacks on the grid. Attacks could be pulled off by stealing meters — which can be situated outside of a home — and reprogramming them, or an attacker could sit near a home or business and wirelessly hack the meter from a laptop, according to Joshua Wright, a senior security analyst with InGuardians Inc, a vendor-independent consultant that performs penetration tests and security risk assessments."

"Wright says that his firm found 'egregious' errors, such as flaws in the meters and the technologies that utilities use to manage data (PDF) from meters. For example, smart meters encrypt their data but the digital 'keys' needed to unlock the encryption are stored on data-routing equipment known as access points that many meters relay data to so stealing the keys lets an attacker eavesdrop on all communication between meters and that access point (PDF). 'Even though these protocols were designed recently, they exhibit security failures we've known about for the past 10 years,' says Wright."

How to interface with a 'smart meter'

[knarf]

Let me take this opportunity to dig up my attempt at an 'Ask Slashdot' from more than 3 years ago:

How to monitor your electricity meter [slashdot.org]

This question was never published and thus never answered. Anyone out there with experience in this field? That IR-interface currently sits on front of the meter doing nothing at all while it would create the possibility to eg. create an accurate power use graph, power quality data - I'm on the far end of a long air cable so that is sometimes an issue - and more interesting things. I guess I'm not the only one interested in these things?

Re:i'm asthonished

[ascari]

There no absolute "need" but it greatly simplifies reading meters "on the fly", since the utility company personnel doesn't have to park, walk up to the house, get bitten by dogs etc. So in the end it's to save cost and presumably keep energy bills down.

Of course, if there was a way gauge energy consumption truly remotely from a central location that would be better, and also negate the "need" for wireles...

Hacking: expect lawsuits here in the US!

Re:How to interface with a 'smart meter'

[Minupla]

Not sure what things are like on your meter, a fellow at my local hacklab determined that the IR interfaces on the ones we have here strobe upon power usage much like the 'wheel' in old meters.

Also worth checking to see if your utility offers a website to interface to yours. My wife said "they should put up a web interface to so you can see how much electricity you're using" I agreed and looked at their website and lo and behold they had. Hadn't advertised it yet, maybe still in soft launch.

Min

Re:Why aren't these things read-only?

[Minupla]

Remote disconnect, and firmware upgrades - the latter being a messy one. Someone did a talk at Blackhat/Defcon last summer where they rooted a meter and installed a custom firmware that would spread worms to all other meters and give the blackhat total control over the network through remote firmware upgrades.

The firmware upgrades are a double edged sword. Meters need them in case someone finds a vulnerability (which can exist even in supposedly read only devices), but if they're not locked down enough, poof.

Min

Re:i'm asthonished

[TheLink]

Over here the meter readers use binoculars or a mini telescope. The meter has to be in a spot visible from outside though, so it doesn't work for all places.

But it's "wireless" too ;).

Here...

[Anonymous Coward]

My city-run utility company inadvertently drove itself into a political clusterf**k with smart meters. A large bunch of the smart meters were installed in January, then we had an extremely cold February that caused very high bills for some people, and the bills were blamed on the smart meters.

Re:How to interface with a 'smart meter'

[pnewhook]

My utility company gave me web access to my smartmeter, so I can check my daily consumption whenever I want, just like they can.

Is that the capability you are looking for?

Re:Same same but different

[jonpublic]

I find this whole thread amusing since I commented that I didn't like the idea of smart meters, that I was worried about them being hackable in a slashdot post last week and everyone commented in response to me that I shouldn't be worried about this kind of thing. That they couldn't be hacked and if they were, there was nothing they could do except get my power information.

I wonder what those folks are saying today in this thread.

Re:Same same but different

[budgenator]

My Grandfather swore by cow-magnets on the meter enclosure, and he worked for Detroit Edison. If the old fashioned cow-magnets worked imagine what the new niobium-rear-earth magnets of today would do. Personally I think it;s an old-wives tail, but I've never checked it empirically.

More FUD and shoddy security analysis

[tark.dom]

Great, first it was IOActive frothing non-stop about smart meters, now we have Inguardians turning the froth up to 11. This whole smart grid security issue never addresses the probability of an attacker actually being able to carry out a serious attack in real life. The PDF talks about theoretical attacks. It describes possible weaknesses. It does not assign any probability or likelihood to those attacks. As such, this is faulty and misleading security work. Its the kind of FUD "security gurus" resort to when they want to scare people into buying their services. Notice that the PDF makes sure to advise users to buy services like pentesting and code review - which of course an Inguardians sales representative can sell you. Any decent security analysis MUST include consideration of probability. Risk (the most basic measure of security) is comprised of both impact and probability. Sure, breaking into a smart meter could be a catastrophic thing, thus a very high "impact" rating. However, if the probability of doing that in the wild is enormously low. Something like 0.000000001%. Then the risk of this actually happening is therefore very low. Until one of these “researchers” shows the real risks involved here, and not a bunch of theoretical and conceptual data, I remain unconvinced that there are serious problems with smart meters.

Re:Why aren't these things read-only?

[sjames]

Actually, they DON'T need remote firmware upgradability, they need LOCAL firmware upgrades and a decent QA on the firmware. By making it remote, they raise the consequences of any security flaw by orders of magnitude.

It may seem strange in this day and age, but at one time we used to be very careful with firmware. It would be designed conservatively and then receive thorough QA. Then it would be burned into a write once PROM or even masked and run off as a purpose made ROM. And it worked! A firmware upgrade required replacing components and in some cases, a soldering iron.

I don't think we need to go that far to solve the problem, but requiring a local physical connection to update the firmware is a good way to keep a worm from spreading through the system like wildfire.

I Smell A Rat

[anorlunda]

I was an engineering consultant for 40 years. I'm well familiar with the politics and ethics of engineering studies. Something is fishy here.

The AP says that Wright's firm was hired by three utilities. The web material suggests that it was actually ucaiug.org (an association of both vendors and utilities) Presumably, they financed the security study to expose vulnerabilities so that they could fix them. They did it openly and allowed the report to be published. That's laudable and responsible behavior. It is the opposite of denial and secrecy.

Normally, Wright and his team write the report and the vendors and utilities fix the problems. However, Wright is going pubic in a big way. He, with cooperation from the media, is mongering fear and suggesting that the vendors and utilities don't care about security. He's acting in a way that brings maximum bad publicity to his financial sponsors. That is extraordinary behavior for a consultant. If it was I that hired him, I would feel betrayed.

I really can't tell if he's doing it for shameless and unethical purposes of self promotion, or whether there was a breakdown in relations between the consultant and the clients. Somewhere there is an enormous untold back story.

Re:Not what they're used to considering

[sjames]

If it can be done fully remotely, it might be done en-mass to destabilize the grid. Generators do NOT react well to suddenly having their load disconnected.

Re:Security holes found...

[shentino]

I'd say the government is at fault for allowing shoddy meters to get hooked up in the first place.

I thought utilities were supposed to be regulated.

similar in Italy

[Luke_22]

we had a similar problem in Italy. basically the new electricity meters were infrared-accessibile. password protected, of course. no need to hack anything trough, just use '0000', '1234' or '3635' ("enel as written with a cellphone, it's the company name). ta-da! full access. so what did we do? nothing. but we're in italy after all...

Re:More FUD and shoddy security analysis

[jeff4747]

You developed Assassin's Creed 2's DRM system, didn't you? [/snark]

You VASTLY underestimate the probability. Since the prize is so big, if it can be hacked, it will.