Security Holes Found In "Smart" Meters

Posted by timothy
from the intentional-bottleneck dept.
Hugh Pickens writes "In the US alone, more than 8 million smart meters, designed to help deliver electricity more efficiently and to measure power consumption in real time, have been deployed by electric utilities and nearly 60 million should be in place by 2020. Now the Associated Press reports that smart meters have security flaws that could let hackers tamper with the power grid, opening the door for attackers to jack up strangers' power bills, remotely turn someone else's power on and off, or even allow attackers to get into the utilities' computer networks to steal data or stage bigger attacks on the grid. Attacks could be pulled off by stealing meters — which can be situated outside of a home — and reprogramming them, or an attacker could sit near a home or business and wirelessly hack the meter from a laptop, according to Joshua Wright, a senior security analyst with InGuardians Inc, a vendor-independent consultant that performs penetration tests and security risk assessments."
"Wright says that his firm found 'egregious' errors, such as flaws in the meters and the technologies that utilities use to manage data (PDF) from meters. For example, smart meters encrypt their data but the digital 'keys' needed to unlock the encryption are stored on data-routing equipment known as access points that many meters relay data to so stealing the keys lets an attacker eavesdrop on all communication between meters and that access point (PDF). 'Even though these protocols were designed recently, they exhibit security failures we've known about for the past 10 years,' says Wright."

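The key-placement failure the summary describes, as an added example that is not code from the InGuardians report or any meter vendor: two toy deployments, one where the access point holds every meter key (hop-by-hop) and one where meter keys are shared only with the utility head end (end-to-end), then the same "stolen access point" played against both. The cipher is a stand-in built from HMAC-SHA256, and the meter IDs, readings, frame layout and key derivation are assumptions.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 16


def _keystream(key, nonce, length):
    # CTR-style keystream with HMAC-SHA256 as the PRF: a stand-in for AES so
    # the example needs only the standard library
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    # encrypt-then-MAC; frame = nonce || ciphertext || tag
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(key, blob):
    # None on a bad tag, i.e. wrong key or a tampered frame
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def derive_meter_key(master, meter_id):
    # per-meter key derived at the head end from a master that never leaves it
    return hmac.new(master, b"meter-key:" + meter_id.encode(), hashlib.sha256).digest()


class Deployment:
    # one access point (AP) relaying several meters to the utility head end

    def __init__(self, meter_ids, end_to_end):
        self.end_to_end = end_to_end
        master = os.urandom(32)
        self.meter_keys = {m: derive_meter_key(master, m) for m in meter_ids}
        self.link_key = os.urandom(32)          # protects the AP <-> head-end hop
        # the AP's key store: what an attacker gets by stealing the AP
        self.ap_store = {"link": self.link_key}
        if not end_to_end:
            self.ap_store.update(self.meter_keys)   # hop-by-hop: AP holds every meter key

    def meter_send(self, meter_id, reading):
        # the radio frame a meter emits, identical in both designs
        return seal(self.meter_keys[meter_id], reading)

    def ap_relay(self, meter_id, over_air):
        if self.end_to_end:
            inner = over_air                    # opaque to the AP, forwarded as-is
        else:
            inner = unseal(self.meter_keys[meter_id], over_air)   # AP decrypts
            if inner is None:
                raise ValueError("bad meter frame")
        return seal(self.link_key, meter_id.encode() + b"|" + inner)

    def headend_receive(self, from_ap):
        meter_id, _, inner = unseal(self.link_key, from_ap).partition(b"|")
        if self.end_to_end:
            return unseal(self.meter_keys[meter_id.decode()], inner)
        return inner


def attacker_with_ap_store(ap_store, captured_air):
    # attacker holds the stolen AP's key store and a capture of every meter's frame
    recovered = {}
    for meter_id, blob in captured_air.items():
        key = ap_store.get(meter_id)
        pt = unseal(key, blob) if key is not None else None
        if pt is not None:
            recovered[meter_id] = pt
    return recovered


def run(end_to_end):
    # returns (what the head end received, what the AP thief could read)
    meters = ["M-1001", "M-1002", "M-1003"]        # constructed meter IDs
    dep = Deployment(meters, end_to_end)
    captured, delivered = {}, {}
    for m in meters:
        captured[m] = dep.meter_send(m, f"{m} kWh=0123.4".encode())  # constructed reading
        delivered[m] = dep.headend_receive(dep.ap_relay(m, captured[m]))
    return delivered, attacker_with_ap_store(dep.ap_store, captured)


if __name__ == "__main__":
    for e2e in (False, True):
        print("end-to-end" if e2e else "hop-by-hop", "leaked:", sorted(run(e2e)[1]))
```

Running it reports three leaked meters for the hop-by-hop design and none for end-to-end. The AP still needs a link key to the head end, but losing that key exposes only the AP's own hop, not every meter behind it. The derivation matters for the other extraction the thread mentions, keys pulled out of a meter's firmware: with per-meter keys derived from a master that never leaves the head end, one meter's key reads that meter's traffic and nobody else's.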
  • And this is a big surprise?

    • by RAMMS+EIN (578166)

      I was about to write a similar post.

      Although this is certainly bad, it doesn't surprise me at all.

      And the fact that we've come to _expect_ such vulnerabilities in widely deployed systems is very, very sad.

    • by poetmatt (793785)

      Smart meters rely on (among other things) - FIPS. [wikipedia.org] Clearly the wrong level of it. Meanwhile, even FIPS isn't that reliable. /I just started to do work involving the stuff //FIPS is in basically everything in the US

  • by Tepshen (851674) on Sunday March 28, 2010 @08:23AM (#31646578)
    ...but there really should be a minimum security standard for infrastructure items like any city's power grid (or voting machines, or traffic systems, or water supplies, or any number of things you don't want folks monkeying with). It's really insane to hear about this considering how power stations and utilities are tightly regulated. It doesn't matter that the system is only open on the far end of the line because eventually someone will mess with it and show just why it's a bad idea. Either make the system secure or don't make them so accessible.
  • by knarf (34928) on Sunday March 28, 2010 @08:26AM (#31646586) Homepage

    Let me take this opportunity to dig up my attempt at an 'Ask Slashdot' from more than 3 years ago:

    How to monitor your electricity meter [slashdot.org]

    This question was never published and thus never answered. Anyone out there with experience in this field? That IR-interface currently sits on front of the meter doing nothing at all while it would create the possibility to eg. create an accurate power use graph, power quality data - I'm on the far end of a long air cable so that is sometimes an issue - and more interesting things. I guess I'm not the only one interested in these things?

    • Not sure what things are like on your meter, but a fellow at my local hacklab determined that the IR interfaces on the ones we have here strobe upon power usage much like the 'wheel' in old meters.

      Also worth checking to see if your utility offers a website to interface to yours. My wife said "they should put up a web interface so you can see how much electricity you're using". I agreed and looked at their website and lo and behold they had. Hadn't advertised it yet, maybe still in soft launch.

      Min

      • Re: (Score:2, Informative)

        by broomer (209132)

        The IR is also using a simple RS232 interface (9600,8,n,1) with some fixed password XOR encryption.
        I did program (move program into device, set clock, set tariffs) / analyse (= read fault reports) / readout (check readings) these some years ago in a factory which made them for the European market.

        I did not have the time to break the encryption, but had some work on coupling these things to GPRS modems. The wired connection used the same encryption back then.

        just using a breakoutbox and a second PC-port sniffing the se
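What a fixed-password XOR buys you on that serial port, as an added example (my code, not anything from the factory or a meter vendor; the frame texts, the password and the session are constructed): one frame whose plaintext the sniffer already knows, such as the readout request from the documented command set, hands back the password, and every other frame in the capture, the clock-set command included, falls out of it.

```python
def xor_with_password(data, password):
    # the "encryption": every byte XORed with the password, repeated end to end
    return bytes(b ^ password[i % len(password)] for i, b in enumerate(data))


def recover_key_stream(ciphertext, known_plaintext):
    # ciphertext XOR known plaintext cancels the data and leaves the key bytes
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def infer_password(stream, max_len=32):
    # the password is the shortest pattern that tiles the recovered stream;
    # insist on at least two full repetitions before trusting a period
    for n in range(1, max_len + 1):
        if 2 * n > len(stream):
            return None
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return None


def captured_session(password):
    # constructed readout exchange as a breakout box would see it on the
    # 9600-8-N-1 line; the frame texts are illustrative, not a real protocol
    frames = [
        b"READ 0.0.0 8.1.0",             # request: identity and total-kWh registers
        b"0.0.0=12345678",               # response: meter identity
        b"8.1.0=004812.7*kWh",           # response: register value
        b"SETCLK 2010-03-28T08:23:00",   # the technician's clock-set command
    ]
    return [xor_with_password(f, password) for f in frames]


def attack(captured, known_request):
    # the sniffer knows the readout request text from the documented command
    # set, so the first frame is a known plaintext
    password = infer_password(recover_key_stream(captured[0], known_request))
    if password is None:
        return None, []          # known text shorter than two password lengths
    return password, [xor_with_password(c, password) for c in captured]


if __name__ == "__main__":
    pw, frames = attack(captured_session(b"1234"), b"READ 0.0.0 8.1.0")
    print("password:", pw)
    for f in frames:
        print(" ", f.decode())
```

Two caveats follow from the same property. The known text must be at least twice the password length for the period to be certain, which is why the function refuses a two-byte crib; and because the key never changes, the same command always produces the same bytes, so a recorded clock-set or tariff-set frame can be sent again without knowing the password at all.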

        • I'm not sure about the wireless hacking from a laptop mentioned in TFS, but, as far as RF transmissions, these things can generate plenty of spread-spectrum modulation EMF when modulating the 240kHz signal carrier on wire.
          There's a good discussion about eliminating ground loops so as to avoid broadcasting the signal as a source of interference at the Technical Library [techlib.com]; I suppose one could always use an induction [techlib.com] receiver [techlib.com] to go the other direction, using a loop [techlib.com] antenna [hard-core-dx.com]. Obviously, modification of the above designs is needed for target frequency band. AM radio circuits might be a good place to start, too.
          Actually, there are tons of good MW box loop [brneurosci.org] designs that already go well below 240kHz; that page includes a calculator [brneurosci.org], and playing with some quick numbers suggests a 48cmX65cm frame [=56.5cm side length] for a 16-turn coil extending 21cm in length in parallel with four 470pF caps gives us resonance at 245kHz. Of course, with 20% tolerance ceramic discs, you may want to replace one of the 470's with a 4-40pF variable cap in parallel with anywhere from a 150pF to a 39pF paralleled with a 560pF, depending on how low or high the 470's are measuring.

          [Disclaimer: I am an RF amateur.]

      • by IonOtter (629215)

        My wife said "they should put up a web interface so you can see how much electricity you're using"

        Wait...you're on Slashdot, yet you have a wife? And she's a geek too?

        That's awesome, but isn't that like, one of the signs of the Apocalypse?

        • Re: (Score:3, Informative)

          by jeff4747 (256583)

          Wait...you're on Slashdot, yet you have a wife? And she's a geek too?

          That's awesome, but isn't that like, one of the signs of the Apocalypse?

          No, a wife that's a geek and a gamer is a sign of the Apocalypse.

          So the Apocalypse will be happening sometime after my wedding in July.

    • Re: (Score:3, Interesting)

      by pnewhook (788591)

      My utility company gave me web access to my smartmeter, so I can check my daily consumption whenever I want, just like they can.

      Is that the capability you are looking for?

      • > My utility company gave me web access to my smartmeter...

        To the meter itself or to a Web page on their server presenting what they read from it? I'd object if my meter itself was on the Net at all.

        • by pnewhook (788591)

          My access goes to their server presenting what was read. The meter itself is on their own proprietary wireless network and not accessible from the web directly (thankfully).

    • by a_ghostwheel (699776) on Sunday March 28, 2010 @10:24AM (#31647066)
      Not really a direct answer to your question, but I use TED-5000 from http://www.theenergydetective.com/index.html [theenergydetective.com]. So far I found a rather precise correlation between data from it and bills from electric company.
  • by Securityemo (1407943) on Sunday March 28, 2010 @08:58AM (#31646704) Journal
    I've read through both PDFs, and they really go into a lot of detail on the experimental methodology. The main thing they seem to be concerned about (and the only vulnerability they detail) are extracting the encryption keys from the meter firmware ("some" meters) and reverse-engineering the command protocol. While this could be a threat, being able to turn off/manipulate individual home meters isn't going to have any far-ranging effects beyond that. It also, obviously, requires a lot of reverse-engineering skill. I'd be more concerned with someone packaging this into a bluebox-style solution for manipulating your own meter, giving you free power? Earlier in the methodology report they talk about IR ports and similar being unsecured due to the perceived unlikelihood of attacking them, but they don't detail anything about that in the presentation PDF. That would be easier to exploit, though, so they might be keeping a lid on the more critical vulns?
    • by feepness (543479)

      ...being able to turn off/manipulate individual home meters isn't going to have any far-ranging effects beyond that.

      It isn't until they turn off everyone's meters including those of the elderly, hospitals, military installations, and CTU.

      • All critical systems have emergency backup generators, and I doubt that major installations requiring bulk power use the same systems for supplying power as homes; the power company probably doesn't want or need the ability to cut power to places like that. Intuitively, it would be like comparing one of those ISP-provided DSL modems/routers to a Cisco backbone router.
        • by feepness (543479)

          All critical systems have emergency backup generators

          Then why do we hear every year of people dying in heat waves in various places around the world?

          • I don't see how you make that connection? All cases of death from heat stroke I've heard about have been outside of hospitals, usually involving the very old or infants dying in isolation, and from Wikipedia it seems like none of the treatment methods but (in severe cases) hemodialysis require electricity. Not to say that things wouldn't go south quickly if all the hospitals in a region lost power and the supply routes of diesel were cut, of course.
            • by feepness (543479)
              I'm suggesting having the average homeowner's power subject to remote third-party shutoff is unacceptable from a life-threatening point-of-view. While hospitals have backups, households generally don't, even where it may be life-threatening.

              Think of the old people! Won't someone please think of the old people?!
    • by bbernard (930130)

      One of the beauties of finding a vulnerability and doing the reverse engineering is that, once it's been done once, you can create tools to take advantage of it. (Exhibit A: Metasploit) So the skill required to determine the vulnerabilities is quite high, while the skill to use them later is quite low.

      Beyond ease of exploitation, let's think about the possible uses. The goal of smart meters is two fold: providing both you and the utility real-time info about your electrical use. The second goal is to be

      • Yeah, I considered that. But who in hell would go to such lengths for harassment? I've researched the methodologies of thieves a bit, and it seems like the basic philosophy is "quick, quiet 'n brutal", even in premeditated home invasions. They don't pick the lock, they drill it open or break a window. And the kind of thieves that would do that don't stick to petty home invasion.
  • Smart meter (Score:2, Funny)

    by Anonymous Coward

    So would that be 39.37 smart inches?

  • why? (Score:3, Insightful)

    by DaveGod (703167) on Sunday March 28, 2010 @10:33AM (#31647132)
    I'm confused, why is it physically possible for anyone to remotely turn power on and off? That doesn't have anything to do with "help deliver electricity more efficiently and to measure power consumption in real time". Surely the entire software and circuitry surrounding those features should be able to fail completely with the core system (supply of electricity) completely unaffected and oblivious? I'm tempted to assume someone has other, less marketable objectives for the smart meters such as being able to cheaply disconnect people who aren't paying the bill, and therefore the root of the problem is those inherently risky objectives.
    • by Animats (122034)

      why is it physically possible for anyone to remotely turn power on and off?

      To make customers pay their bill.

      (Remember Mr. Burns doing this on the Simpsons? Now it's real. Excellent!)

  • by russotto (537200) on Sunday March 28, 2010 @11:06AM (#31647376) Journal

    The traditional problems utilities have had to deal with are of physical intrusion, either by customers or by neighbors, looking to bypass the meter, modify the readings, or steal electricity. They solve this (or at least reduce it to a manageable level) mostly with intrusion detection -- basically, seals so they know the meter has been tampered with. In this model, the only loss is money and so preventing it at high cost doesn't make sense; detecting and stopping it reasonably quickly is more important.

    With meters which do more than metering, that's just not good enough. Significant effort must be made to prevent malicious people from surreptitiously turning power off, otherwise assholes will do it just for lols. It's not like ripping a meter off the wall, which will have the same effect but carries high likelihood of getting caught.

    • Re: (Score:3, Interesting)

      by sjames (1099)

      If it can be done fully remotely, it might be done en masse to destabilize the grid. Generators do NOT react well to suddenly having their load disconnected.

  • Great, first it was IOActive frothing non-stop about smart meters, now we have Inguardians turning the froth up to 11. This whole smart grid security issue never addresses the probability of an attacker actually being able to carry out a serious attack in real life. The PDF talks about theoretical attacks. It describes possible weaknesses. It does not assign any probability or likelihood to those attacks. As such, this is faulty and misleading security work. It's the kind of FUD "security gurus" resort to wh
    • Re: (Score:3, Interesting)

      by jeff4747 (256583)

      You developed Assassin's Creed 2's DRM system, didn't you? [/snark]

      You VASTLY underestimate the probability. Since the prize is so big, if it can be hacked, it will.

  • I Smell A Rat (Score:5, Interesting)

    by anorlunda (311253) on Sunday March 28, 2010 @12:07PM (#31647844) Homepage

    I was an engineering consultant for 40 years. I'm well familiar with the politics and ethics of engineering studies. Something is fishy here.

    The AP says that Wright's firm was hired by three utilities. The web material suggests that it was actually ucaiug.org (an association of both vendors and utilities) Presumably, they financed the security study to expose vulnerabilities so that they could fix them. They did it openly and allowed the report to be published. That's laudable and responsible behavior. It is the opposite of denial and secrecy.

    Normally, Wright and his team write the report and the vendors and utilities fix the problems. However, Wright is going public in a big way. He, with cooperation from the media, is mongering fear and suggesting that the vendors and utilities don't care about security. He's acting in a way that brings maximum bad publicity to his financial sponsors. That is extraordinary behavior for a consultant. If it was I that hired him, I would feel betrayed.

    I really can't tell if he's doing it for shameless and unethical purposes of self promotion, or whether there was a breakdown in relations between the consultant and the clients. Somewhere there is an enormous untold back story.

  • by gsarnold (52800) <gsarnold.gmail@com> on Sunday March 28, 2010 @02:09PM (#31648888)

    Anyone found any similar useful hacks with them newfangled radio water meters?

    My city put 'em in last year and this dude comes out to the house to install it and I'm like, "...so this let you drive past the house and pick up the meter reading without coming to the side of the house, right?" And the dude is like, "No. This radios your water usage directly to the central office every twelve hours."

    Every twelve hours.

    I know slashdot makes you paranoid, but this bothers me. I simply cannot imagine how it could be useful to monitoring this frequently when they still bill my usage monthly. Plus, any dude with access to the database can hack together an SQL query to find out which houses have a total water usage under a gallon over the past three days and know who's not home.
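The query in the comment above and the view that takes it away, as an added example (not the city's or any vendor's code; the schema, the three houses and their 12-hourly readings are constructed). The first function is the occupancy inference a database user can run against interval data; the second builds the monthly view that is all a monthly bill needs.

```python
import sqlite3
from datetime import datetime, timedelta


def load_sample_db():
    # constructed: six days of 12-hourly interval consumption for three houses
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE readings (house_id TEXT, read_at TEXT, gallons REAL)")
    start = datetime(2010, 3, 22, 0, 0)
    usage = {
        "H-17": [40.0] * 12,              # occupied throughout
        "H-18": [38.0] * 6 + [0.1] * 6,   # away for the last three days
        "H-19": [0.0] * 12,               # vacant
    }
    for house, series in usage.items():
        for i, gallons in enumerate(series):
            read_at = (start + timedelta(hours=12 * i)).strftime("%Y-%m-%d %H:%M:%S")
            db.execute("INSERT INTO readings VALUES (?, ?, ?)", (house, read_at, gallons))
    db.commit()
    return db


def likely_unoccupied(db, as_of, days=3, threshold_gal=1.0):
    # the query from the comment: houses with under a gallon in the last N days
    rows = db.execute(
        """
        SELECT house_id
        FROM readings
        WHERE read_at > datetime(?, ?) AND read_at <= ?
        GROUP BY house_id
        HAVING SUM(gallons) < ?
        ORDER BY house_id
        """,
        (as_of, f"-{days} days", as_of, threshold_gal),
    ).fetchall()
    return [house for (house,) in rows]


def install_billing_view(db):
    # what billing actually consumes: one total per house per month, with the
    # 12-hour granularity that made the inference possible gone
    db.execute(
        """
        CREATE VIEW billing_monthly AS
        SELECT house_id, strftime('%Y-%m', read_at) AS month, SUM(gallons) AS gallons
        FROM readings
        GROUP BY house_id, strftime('%Y-%m', read_at)
        """
    )


def monthly_totals(db):
    return db.execute(
        "SELECT house_id, month, gallons FROM billing_monthly ORDER BY house_id"
    ).fetchall()


if __name__ == "__main__":
    db = load_sample_db()
    print("likely unoccupied:", likely_unoccupied(db, "2010-03-28 00:00:00"))
    install_billing_view(db)
    print("billing view:", monthly_totals(db))
```

In a real database the billing role would be granted SELECT on billing_monthly only, with the raw readings table readable by the metering system alone; that, plus keeping interval data only as long as it is needed for leak detection, is what stands between a 12-hour reporting interval and a list of empty houses.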

    • by osgeek (239988)

      Water and gas meter technologies lag behind electric meters because of the simple fact that water and gas meters aren't hooked up to power... so they require long-life batteries to be functional. Since they're on battery, lots of frills are eliminated, like the ability to receive transmissions.

      Most deployed water and gas meters these days are transmit only. There are some coming to market that will listen too, but the corresponding limited functionality will make hacking into them much harder.

  • by Animats (122034) on Sunday March 28, 2010 @02:35PM (#31649108) Homepage

    The trouble with "smart meters" and the "smart grid" is that it's too easy to put in excess functionality that can cause trouble. The ability to do remote firmware upgrades is an example. The ability of meters to communicate with each other is another.

    The "smart grid" has way too much centralized control in it. All that's really needed is remote meter reading, plus some broadcast signals to indicate how scarce power is at the moment. The customer should have read-only access to their meter from their side of the meter. High-current appliances should be able to query the meter to find out if it's OK to draw heavy power right now. The power company should have no data path to appliances.

    Incidentally, some "smart meters" support pre-paid service, where customers have to pay in advance and are turned off automatically when their pre-payment runs out. There's also wattage-limited service, where the power turns off if a maximum load is exceeded. This can be used for collection purposes; if you get behind on your electric bill, your consumption is limited. There's a whole new range of ways for screwing poor people going in. It's like "check cashing" stores.

  • This place is from the 70s, so I assume it is a not a smart type?

  • similar in Italy (Score:2, Interesting)

    by Luke_22 (1296823)
    we had a similar problem in Italy. basically the new electricity meters were infrared-accessible. password protected, of course. no need to hack anything though, just use '0000', '1234' or '3635' ("enel" as written with a cellphone, it's the company name). ta-da! full access. so what did we do? nothing. but we're in italy after all...
  • by davek (18465) on Sunday March 28, 2010 @07:39PM (#31651590) Homepage Journal

    we have a new vector, victor!
