Slashdot Mirror


Security Holes Found In "Smart" Meters

Hugh Pickens writes "In the US alone, more than 8 million smart meters, designed to help deliver electricity more efficiently and to measure power consumption in real time, have been deployed by electric utilities, and nearly 60 million should be in place by 2020. Now the Associated Press reports that smart meters have security flaws that could let hackers tamper with the power grid, opening the door for attackers to jack up strangers' power bills, remotely turn someone else's power on and off, or even get into the utilities' computer networks to steal data or stage bigger attacks on the grid. Attacks could be pulled off by stealing meters — which can be situated outside of a home — and reprogramming them, or an attacker could sit near a home or business and wirelessly hack the meter from a laptop, according to Joshua Wright, a senior security analyst with InGuardians Inc., a vendor-independent consultant that performs penetration tests and security risk assessments." "Wright says that his firm found 'egregious' errors, such as flaws in the meters and the technologies that utilities use to manage data (PDF) from meters. For example, smart meters encrypt their data, but the digital 'keys' needed to unlock the encryption are stored on data-routing equipment known as access points that many meters relay data to, so stealing the keys lets an attacker eavesdrop on all communication between meters and that access point (PDF). 'Even though these protocols were designed recently, they exhibit security failures we've known about for the past 10 years,' says Wright."

4 of 224 comments

  1. Re:Same same but different by peragrin · Score: 5, Informative

    Um, no. With the old meters you can't jack up someone's power bill without shattering the glass globe which surrounds it, and you can't use a laptop to shut off their power; you have to physically cut the cables, which leaves marks.

    So it isn't the same situation. Breaking a physical lock leaves traces. Using a laptop to hack the meter and kill power to each house doesn't leave a lot of marks that can be traced.

    --
    i thought once I was found, but it was only a dream.
  2. Very meticulous methodology report... by Securityemo · Score: 5, Informative

    I've read through both PDFs, and they really go into a lot of detail on the experimental methodology. The main thing they seem to be concerned about (and the only vulnerability they detail) is extracting the encryption keys from the meter firmware ("some" meters) and reverse-engineering the command protocol. While this could be a threat, being able to turn off/manipulate individual home meters isn't going to have any far-ranging effects beyond that. It also, obviously, requires a lot of reverse-engineering skill. I'd be more concerned with someone packaging this into a bluebox-style solution for manipulating your own meter, giving you free power. Earlier in the methodology report they talk about IR ports and similar being unsecured due to the perceived unlikelihood of attacking them, but they don't detail anything about that in the presentation PDF. That would be easier to exploit, though, so they might be keeping a lid on the more critical vulns?

    --
    Emotions! In your brain!
  3. Re:How to interface with a 'smart meter' by a_ghostwheel · Score: 3, Informative

    Not really a direct answer to your question, but I use the TED-5000 from http://www.theenergydetective.com/index.html. So far I have found a rather precise correlation between its data and the bills from the electric company.

  4. Re:How to interface with a 'smart meter' by orangesquid · Score: 3, Informative

    I'm not sure about the wireless hacking from a laptop mentioned in TFS, but, as far as RF transmissions go, these things can generate plenty of spread-spectrum modulation EMF when modulating the 240kHz signal carrier on the wire.
    There's a good discussion about eliminating ground loops so as to avoid broadcasting the signal as a source of interference at the Technical Library; I suppose one could always use an induction receiver to go the other direction, using a loop antenna. Obviously, modification of the above designs is needed for the target frequency band. AM radio circuits might be a good place to start, too.
    Actually, there are tons of good MW box loop designs that already go well below 240kHz; that page includes a calculator, and playing with some quick numbers suggests a 48cm × 65cm frame [= 56.5cm side length] for a 16-turn coil extending 21cm in length, in parallel with four 470pF caps, gives us resonance at 245kHz. Of course, with 20% tolerance ceramic discs, you may want to replace one of the 470s with a 4-40pF variable cap in parallel with anywhere from a 150pF to a 39pF paralleled with a 560pF, depending on how low or high the 470s are measuring.

    [Disclaimer: I am an RF amateur.]

    --
    --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive