Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Holes Found In "Smart" Meters

Posted by timothy on from the intentional-bottleneck dept.

Hugh Pickens writes "In the US alone, more than 8 million smart meters, designed to help deliver electricity more efficiently and to measure power consumption in real time, have been deployed by electric utilities and nearly 60 million should be in place by 2020. Now the Associated Press reports that smart meters have security flaws that could let hackers tamper with the power grid, opening the door for attackers to jack up strangers' power bills, remotely turn someone else's power on and off, or even allow attackers to get into the utilities' computer networks to steal data or stage bigger attacks on the grid. Attacks could be pulled off by stealing meters — which can be situated outside of a home — and reprogramming them, or an attacker could sit near a home or business and wirelessly hack the meter from a laptop, according to Joshua Wright, a senior security analyst with InGuardians Inc, a vendor-independent consultant that performs penetration tests and security risk assessments." "Wright says that his firm found 'egregious' errors, such as flaws in the meters and the technologies that utilities use to manage data (PDF) from meters. For example, smart meters encrypt their data but the digital 'keys' needed to unlock the encryption are stored on data-routing equipment known as access points that many meters relay data to so stealing the keys lets an attacker eavesdrop on all communication between meters and that access point (PDF). 'Even though these protocols were designed recently, they exhibit security failures we've known about for the past 10 years,' says Wright."

4 of 224 comments (clear)

  1. How to interface with a 'smart meter' by knarf · · Score: 4, Interesting

    Let me take this opportunity to dig up my attempt at an 'Ask Slashdot' from more than 3 years ago:

    How to monitor your electricity meter

    This question was never published and thus never answered. Anyone out there with experience in this field? That IR-interface currently sits on front of the meter doing nothing at all while it would create the possibility to eg. create an accurate power use graph, power quality data - I'm on the far end of a long air cable so that is sometimes an issue - and more interesting things. I guess I'm not the only one interested in these things?

    --
    --frank[at]unternet.org
    1. Re:How to interface with a 'smart meter' by Minupla · · Score: 4, Interesting

      Not sure what things are like on your meter, a fellow at my local hacklab determined that the IR interfaces on the ones we have here strobe upon power usage much like the 'wheel' in old meters.

      Also worth checking to see if your utility offers a website to interface to yours. My wife said "they should put up a web interface to so you can see how much electricity you're using" I agreed and looked at their website and lo and behold they had. Hadn't advertised it yet, maybe still in soft launch.

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  2. Re:i'm asthonished by ascari · · Score: 5, Interesting

    There no absolute "need" but it greatly simplifies reading meters "on the fly", since the utility company personnel doesn't have to park, walk up to the house, get bitten by dogs etc. So in the end it's to save cost and presumably keep energy bills down.

    Of course, if there was a way gauge energy consumption truly remotely from a central location that would be better, and also negate the "need" for wireles...

    Hacking: expect lawsuits here in the US!

  3. I Smell A Rat by anorlunda · · Score: 5, Interesting

    I was an engineering consultant for 40 years. I'm well familiar with the politics and ethics of engineering studies. Something is fishy here.

    The AP says that Wright's firm was hired by three utilities. The web material suggests that it was actually ucaiug.org (an association of both vendors and utilities) Presumably, they financed the security study to expose vulnerabilities so that they could fix them. They did it openly and allowed the report to be published. That's laudable and responsible behavior. It is the opposite of denial and secrecy.

    Normally, Wright and his team write the report and the vendors and utilities fix the problems. However, Wright is going pubic in a big way. He, with cooperation from the media, is mongering fear and suggesting that the vendors and utilities don't care about security. He's acting in a way that brings maximum bad publicity to his financial sponsors. That is extraordinary behavior for a consultant. If it was I that hired him, I would feel betrayed.

    I really can't tell if he's doing it for shameless and unethical purposes of self promotion, or whether there was a breakdown in relations between the consultant and the clients. Somewhere there is an enormous untold back story.