Slashdot Mirror
Security Holes Found In "Smart" Meters
Hugh Pickens writes "In the US alone, more than 8 million smart meters, designed to help deliver electricity more efficiently and to measure power consumption in real time, have been deployed by electric utilities and nearly 60 million should be in place by 2020. Now the Associated Press reports that smart meters have security flaws that could let hackers tamper with the power grid, opening the door for attackers to jack up strangers' power bills, remotely turn someone else's power on and off, or even allow attackers to get into the utilities' computer networks to steal data or stage bigger attacks on the grid. Attacks could be pulled off by stealing meters — which can be situated outside of a home — and reprogramming them, or an attacker could sit near a home or business and wirelessly hack the meter from a laptop, according to Joshua Wright, a senior security analyst with InGuardians Inc, a vendor-independent consultant that performs penetration tests and security risk assessments."
"Wright says that his firm found 'egregious' errors, such as flaws in the meters and the technologies that utilities use to manage data (PDF) from meters. For example, smart meters encrypt their data but the digital 'keys' needed to unlock the encryption are stored on data-routing equipment known as access points that many meters relay data to so stealing the keys lets an attacker eavesdrop on all communication between meters and that access point (PDF). 'Even though these protocols were designed recently, they exhibit security failures we've known about for the past 10 years,' says Wright."
...but there really should be a minimum security standard for infrastructure items like any city's power grid (or voting machines, or traffic systems, or water supplies, or any number of things you dont want folks monkeying with). Its really insane to hear about this considering how power stations and utilities are tightly regulated. It doesnt matter that the system is only open on the far end of the line because eventually someone will mess with it and show just why its a bad idea. Either make the system secure or dont make them so accessable.
Let me take this opportunity to dig up my attempt at an 'Ask Slashdot' from more than 3 years ago:
How to monitor your electricity meter
This question was never published and thus never answered. Anyone out there with experience in this field? That IR-interface currently sits on front of the meter doing nothing at all while it would create the possibility to eg. create an accurate power use graph, power quality data - I'm on the far end of a long air cable so that is sometimes an issue - and more interesting things. I guess I'm not the only one interested in these things?
--frank[at]unternet.org
Where do you see the government involved here? As far as I understood the article those meters are to be distributed by the utilities, and those (at least in California) are privately owned.
So I call that a cheap shot from someone who wants his prejudices confirmed.
Typical slashdot comment I suppose? Don't RTFA and post assumptions? I dunno :)
The magical number is: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
um no. with the old meters you can't jack up someone's power bill without shattering the glass globe which surrounds it. and you can't use a laptop to shut off their power. you have to physically cut the cables which leaves marks.
So it isn't the same situation. breaking a physical lock leaves traces. using a laptop to hack the meter and kill power to each house. doesn't leave a lot of marks that can be traced.
i thought once I was found, but it was only a dream.
There no absolute "need" but it greatly simplifies reading meters "on the fly", since the utility company personnel doesn't have to park, walk up to the house, get bitten by dogs etc. So in the end it's to save cost and presumably keep energy bills down.
Of course, if there was a way gauge energy consumption truly remotely from a central location that would be better, and also negate the "need" for wireles...
Hacking: expect lawsuits here in the US!
Uhh, it is pretty obvious. These meters are very screwed up, so the government has to be behind it. Government always screws things up, private industry is perfect. This is a well known fact, with centuries of experience to prove it.
Don't believe me? Check this out! "Government always screws things up, private industry is perfect" -- Ronald Reagan
I bet you feel stupid now that you know that God disagrees with you!
is why electricity costs money. It is just electrons, which are everywhere.
Electricity is free, it's the packaging and delivery that costs money. Just like water that comes out of the faucet, or comes in a plastic bottle, it's the getting it to you part that is expensive. Yes, yes, I know it's an inaccurate oversimplification ... just think of it as a metaphor.
Feel free to use all the free electricity (or water) that you can grab and take home. Heck, you can take mine too, if you can carry it.
Locally they brought time of day usage, so if I do my laundry at night, I pay less then half what I do if I run it in prime time. Arguably this is a benefit all around:
* Consumers win with the option of lower pricing
* The Power generators win because their loads are more balanced, and they need to build fewer power plants (locally we have 3 nukes that only run for 3 days of the year for peaks)
* The environment wins as an offshot of point #2
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
I've read through both PDFs, and they really go into a lot of detail on the experimental methodology. The main thing they seem to be concerned about (and the only vulnerability they detail) are extracting the encryption keys from the meter firmware ("some" meters) and reverse-engineering the command protocol. While this could be a threat, being able to turn off/manipulate individual home meters isn't going to have any far-ranging effects beyond that. It also, obviously, requires a lot of reverse-engineering skill. I'd be more concerned with someone packaging this into a bluebox-style solution for manipulating your own meter, giving you free power? Earlier in the methodology report they talk about IR ports and similar being unsecured due to the perceived unlikelihood of attacking them, but they don't detail anything about that in the presentation PDF. That would be easier to exploit, though, so they might be keeping a lid on the more critical vulns?
Emotions! In your brain!
Remote disconnect, and firmware upgrades - the latter being a messy one. Someone did a talk at Blackhat/Defcon last summer where they rooted a meter and installed a custom firmware that would spread worms to all other meters and give the blackhat total control over the network through remote firmware upgrades.
The firmware upgrades are a double edged sword. Meters need them in case someone finds a vulnerability (which can exist even in supposedly read only devices), but if they're not locked down enough, poof.
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
Over here the meter readers use binoculars or a mini telescope. The meter has to be in a spot visible from outside though, so it doesn't work for all places.
;).
But it's "wireless" too
So would that be 39.37 smart inches?
It's heavily regulated for a reason (essential service, safety, etc) just like medicine and nuclear. Some things should be regulated.
In fact if it wasn't regulated, more screwups like this would happen.
Tesla was a genius. Edison however was a overrated hack who liked to torture puppies.
Authentication is still needed, otherwise some funny guys can pump up your bills.
Regulation should be a last resort. The last thing I want is the government interfering with my right to make a living. And what I do on my own time is my own business.
But regulation is a set of rules, and are there for safety. Utilities, nuclear, medical, all have the ability to kill someone if standards are not maintained. Regulation should exist in these areas. What part of that don't you agree with?
And if you think heath care which is a social program, and socialism is the same thing, then you dont know the meanings of the words. Probably because you watch too much Fox news.
Tesla was a genius. Edison however was a overrated hack who liked to torture puppies.
I find this whole thread amusing since I commented that I didn't like the idea of smart meters, that I was worried about them being hackable in a slashdot post last week and everyone commented in response to me that I shouldn't be worried about this kind of thing. That they couldn't be hacked and if they were, there was nothing they could do except get my power information.
I wonder what those folks are saying today in this thread.
I'm confused, why is it physically possible for anyone to remotely turn power on and off? That doesn't have anything to do with "help deliver electricity more efficiently and to measure power consumption in real time". Surely the entire software and circuity surrounding those features should be able to fail completely with the core system (supply of electricity) completely unaffected and oblivious? I'm tempted to assume someone has other, less marketable objectives for the smart meters such as being able to cheaply disconnect people who aren't paying the bill, and therefore the root of the problem is those inherently risky objectives.
I consider electricity to be regulated because it's a monopoly. Ditto cable television. And natural gas providers.
If they were not monoplies then there'd be no need to regulate them. If a company sucked customers would simply walk away, and thereby drive the company into bankrupcty (as they did to Circuit City).
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
Which begs the question, why are they not gettin up off their ass's and building more power generation plants as opposed to whining and crying which eventually leads to these stupid hair brained ideas in the first place.
Save money by cycling your AC indeed. The MONEY *IS* the incentive, not the SAVING.
The problem we have is our leaders have sold us out, instead of pre-planning ahead, and taking actions to prevent destruction, they scam the system, their lives revolve around re-election finance, the ONLY time they take action is when it's forced because something breaks (because they had NO PLAN AT ALL) and we have another disaster which has to be fixed with another fucking OVER budget debt.
Then they get out there and say they didn't know. They KNOW, they are ENCOURAGING this crap.
The traditional problems utilities have had to deal with are of physical intrusion, either by customers or by neighbors, looking to bypass the meter, modify the readings, or steal electricity. They solve this (or at least reduce it to a manageable level) mostly with intrusion detection -- basically, seals so they know the meter has been tampered with. In this model, the only loss is money and so preventing it at high cost doesn't make sense; detecting and stopping it reasonably quickly is more important.
With meters which do more than metering, that's just not good enough. Significant effort must be made to prevent malicious people from surreptitiously turning power off, otherwise assholes will do it just for lols. It's not like ripping a meter off the wall, which will have the same effect but carries high likelyhood of getting caught.
My Grandfather swore by cow-magnets on the meter enclosure, and he worked for Detroit Edison. If the old fashioned cow-magnets worked imagine what the new niobium-rear-earth magnets of today would do. Personally I think it;s an old-wives tail, but I've never checked it empirically.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Well, technically once it's hacked it "turns on you"...
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
Great, first it was IOActive frothing non-stop about smart meters, now we have Inguardians turning the froth up to 11. This whole smart grid security issue never addresses the probability of an attacker actually being able to carry out a serious attack in real life. The PDF talks about theoretical attacks. It describes possible weaknesses. It does not assign any probability or likelihood to those attacks. As such, this is faulty and misleading security work. Its the kind of FUD "security gurus" resort to when they want to scare people into buying their services. Notice that the PDF makes sure to advise users to buy services like pentesting and code review - which of course an Inguardians sales representative can sell you. Any decent security analysis MUST include consideration of probability. Risk (the most basic measure of security) is comprised of both impact and probability. Sure, breaking into a smart meter could be a catastrophic thing, thus a very high "impact" rating. However, if the probability of doing that in the wild is enormously low. Something like 0.000000001%. Then the risk of this actually happening is therefore very low. Until one of these “researchers” shows the real risks involved here, and not a bunch of theoretical and conceptual data, I remain unconvinced that there are serious problems with smart meters.
Actually, they DON'T need remote firmware upgradability, they need LOCAL firmware upgrades and a decent QA on the firmware. By making it remote, they raise the consequences of any security flaw by orders of magnitude.
It may seem strange in this day and age, but at one time we used to be very careful with firmware. It would be designed conservatively and then receive thorough QA. Then it would be burned into a write once PROM or even masked and run off as a purpose made ROM. And it worked! A firmware upgrade required replacing components and in some cases, a soldering iron.
I don't think we need to go that far to solve the problem, but requiring a local physical connection to update the firmware is a good way to keep a worm from spreading through the system like wildfire.
I was an engineering consultant for 40 years. I'm well familiar with the politics and ethics of engineering studies. Something is fishy here.
The AP says that Wright's firm was hired by three utilities. The web material suggests that it was actually ucaiug.org (an association of both vendors and utilities) Presumably, they financed the security study to expose vulnerabilities so that they could fix them. They did it openly and allowed the report to be published. That's laudable and responsible behavior. It is the opposite of denial and secrecy.
Normally, Wright and his team write the report and the vendors and utilities fix the problems. However, Wright is going pubic in a big way. He, with cooperation from the media, is mongering fear and suggesting that the vendors and utilities don't care about security. He's acting in a way that brings maximum bad publicity to his financial sponsors. That is extraordinary behavior for a consultant. If it was I that hired him, I would feel betrayed.
I really can't tell if he's doing it for shameless and unethical purposes of self promotion, or whether there was a breakdown in relations between the consultant and the clients. Somewhere there is an enormous untold back story.
I'd say the government is at fault for allowing shoddy meters to get hooked up in the first place.
I thought utilities were supposed to be regulated.
Of course, if there was a way gauge energy consumption truly remotely from a central location that would be better, and also negate the "need" for wireless...
If only there were wires connected to the meters, maybe a battery could be added to transmit readings over them
Is the police force socialism too? Or the justice system? Firefighters? All funded by taxpayers for the 'public good'. Same thing in your eyes apparently.
Tesla was a genius. Edison however was a overrated hack who liked to torture puppies.
Anyone found any similar useful hacks with them newfangled radio water meters?
My city put 'em in last year and this dude comes out to the house to install it and I'm like, "...so this let you drive past the house and pick up the meter reading without coming to the side of the house, right?" And the dude is like, "No. This radios your water usage directly to the central office every twelve hours."
Every twelve hours.
I know slashdot makes you paranoid, but this bothers me. I simply cannot imagine how it could be useful to monitoring this frequently when they still bill my usage monthly. Plus, any dude with access to the database can hack together an SQL query to find out which houses have a total water usage under a gallon over the past three days and know who's not home.
One of the strategies of someone who is about to lose an argument is to avoid the real issue by attacking the presenter on unrelated issues.
So clearly you don't know the meanings of the words, and think they are equivalent. Must be the Fox news / fundamentalist education.
Tesla was a genius. Edison however was a overrated hack who liked to torture puppies.
Thats good that you dont listen to Fox. Because Roger Ailes (chief of Fox news) has publicly stated that he's not interested in accuracy, only ratings. This results in things like with the heath care debate, where Fox creates the controversy to create a story for ratings.
Tesla was a genius. Edison however was a overrated hack who liked to torture puppies.
The trouble with "smart meters" and the "smart grid" is that it's too easy to put in excess functionality that can cause trouble. The ability to do remote firmware upgrades is an example. The ability of meters to communicate with each other is another.
The "smart grid" has way too much centralized control in it. All that's really needed is remote meter reading, plus some broadcast signals to indicate how scarce power is at the moment. The customer should have read-only access to their meter from their side of the meter. High-current appliances should be able to query the meter to find out if it's OK to draw heavy power right now. The power company should have no data path to appliances.
Incidentally, some "smart meters" support pre-paid service, where customers have to pay in advance and are turned off automatically when their pre-payment runs out. There's also wattage-limited service, where the power turns off if a maximum load is exceeded. This can be used for collection purposes; if you get behind on your electric bill, your consumption is limited. There's a whole new range of ways for screwing poor people going in. It's like "check cashing" stores.
we had a similar problem in Italy. basically the new electricity meters were infrared-accessibile. password protected, of course. no need to hack anything trough, just use '0000', '1234' or '3635' ("enel as written with a cellphone, it's the company name). ta-da! full access. so what did we do? nothing. but we're in italy after all...
"I was gratified to be able to answer promptly, and I did. I said I didn't know." -- Mark Twain
Those were only effective on meters that use a spinning disc. All the new ones are digital and either the magnetism won't do shit or mess them up completely.
People replying to my sig annoy me. That's why I change it all the time.
You are close as 20% of power plants are only used 10 days a year, however I can assure you that nukes aren't being used as you describe. Nuclear power plants are base load generating plants and will always run along with hydro plants. Most peaking plants are natural gas fired as they can be turned off and on easily. Nuclear plants take better than a day just to get up to full power as do coal plants.
Wow thats a great attitude. Lets completely deregulate everything. If I wanted to make my own nuclear power source and run it without shielding and bury the waste in the backyard, that would be ok with you. Genius.
Tesla was a genius. Edison however was a overrated hack who liked to torture puppies.
we have a new vector, victor!
6th Street Radio @ddombrowsky