Open Source Smart Meter Hacking Framework Released

wiredmikey writes "A researcher specializing in smart grids has released an open-source tool designed to assess the security of smart meters. Dubbed 'Termineter,' the framework would allow users, such as grid operators and administrators, to test smart meters for vulnerabilities. Termineter uses the serial port connection that interacts with the meter's optical infrared interface to give the user access to the smart meter's inner workings. The user interface is much like the interface used by the Metasploit penetration testing framework. It relies on modules to extend its testing capabilities. Spencer McIntyre, a member of SecureState's Research and Innovation Team, is scheduled to demonstrate Termineter in a session 'How I Learned to Stop Worrying and Love the Smart Meter,' at Security B-Sides Vegas on July 25. The Termineter Framework can be downloaded here." As the recent lucky winner of a smart meter from the local gas company, I wish householder access to this data was easy and expected.

Not surprising.

[inasity_rules]

As someone who writes drivers for various smart meters to do AMR, I am surprised it took this long. Most protocols are childishly simple with little in the way of encryption or authentication. Often the passwords are sent in plain text. Check metering might be a simpler way to secure your meters. Catch them at it rather than get into an arms race...

Re:Not surprising.

[inasity_rules]

Never. Our product is designed to save clients money. Basically the supply utility implements TOU tariffs and we provide data capture and analysis tools to optimize when and how they use their power. I see no moral issue with this. Besides, how is being asked to pay for your power a moral issue?

Re:Not surprising.

I don't think the other AC mentioned anything about paying for power being a moral issue. Peripherally it is--as in, we build huge centralized fossil fuel power plants and can't seem to make solar power work right because it works best in a decentralized (read "local purchased hardware, non metered use) kind of way, which would totally be disruptive to the large megacorps' government and military backed business plans, but that's another story and not totally relevant here.

What is relevant is that there are tons of moral issues with deploying these things. First off, they do in fact enable different rates to be applied at different times. That would be a problem--since when is a profit-driven corporation going to actually save anybody any money? As in, when does metering anything (say, Internet usage) actually provide a better deal for customers? In this case, you're already metering things, but you're adding the ability to tune the metering to a level of detail that people just don't want. I don't really want to have to figure out what time of day to wash my clothes or do my dishes just because some jackass in a suit decided it would be best for me to have a "smart meter".

Second problem: usage analysis in aggregate is a good thing. Figuring out how much power to throw on a grid is not easy and if you get it wrong it can be wasteful or even damaging. I get that. However, in order to aggregate data you have to have data in the first place. Such data can be and has been used to try to look for "criminal anomalies" like people growing certain plants and stuff, and can be used to put together a pretty good dossier on how you live your life--when you wake up, go to work, come home, do laundry, cook dinner, etc. Cops and other nefarious agencies are already salivating over this because control freaks love personalized data.

If you have a job as a smart meter developer, here's how to get fired from it. Go in and tell your bosses that you want to develop code for the meters and their associated back end systems that completely anonymizes personally identifiable information from your statistics. Nobody, not even the power company, could see peoples' electrical usage details other than quantities used for billing purposes, but they'd still have their usage stats for running the grid more efficiently. In other words, give people the alleged benefits of these devices while retaining the relative privacy of the older meters. Watch as the guy in the room who cut a secret deal with the DEA or whoever and didn't tell you turns purple, or how the marketing team that was going to sell this data to advertisers breaks out in a cold sweat, and see how quickly you'll be out the door for "job performance issues" as soon as somebody has a hushed word with your boss.

Still think there are no moral issues here?

Re:Not surprising.

[ukemike]

Besides, how is being asked to pay for your power a moral issue?

The moral issue is that you helped install a system that you stated very clearly is "childishly simple with little in the way of encryption or authentication" and these meters are responsible for a critical and potentially very expensive bill being sent to every person every month. Now a hacking framework is available, it is only a matter of time before smart meters will be hacked and people will get incorrect bills for far more than what they owed. It doesn't take a very good imagination to figure out even worse outcomes of having an easy to hack critical infrastructure. Someone could write a virus that could propagate through the smart meter network and then shut off power over a very wide area. When there are big power outages, sometimes people die.

So perhaps now the moral issue is a bit more clear? It is immoral to make critical infrastructure that is deliberately insecure.

Our product is designed to save clients money.

I can't imagine what utility you work for but it couldn't possibly be PG&E. The smart meters we have here are most decidedly NOT designed to save customers money. They were used as a backdoor way to implement "time of use" metering, so they can charge extra during peak hours. Many people I know with a smart meter have had their bill go up while their usage stayed the same. I often work from home so my bill went up fairly substantially. The other reason for the smart meters is that PG&E get to charge a percent markup for profit on "capital upgrades" so they decided "hey if we install a fancy expensive new meter on every single customer in the state we can make a huge extra pile of money!!!" So you can sell your "save the customer money" to a more gullible audience, but we aren't going to buy it here.

Re:Hack the planet for ransom!

[reboot246]

One of the main reasons for installing smart gas meters is to not have to deal with customers like you. The meters are accurate and can be read from a distance. Meter readers who used to read 200 to 300 meters a day can now read 3000 a day, and they don't have to deal with your fences, holly bushes, mean dogs, and bad attitude.

Doesn't help me on my job because I have to physically walk over your service line and be able to touch the meter. I check for leaks, and if I can't do my job because of the bloody obstacle course you've made your yard into, then I just write it down as uncheckable and you're on your own.

Nobody is out to cheat you. The gas company gets cheated way more often than the customer does.

Smart enough

[JustOK]

Soon, the meters will be smart enough to connect to your bank account.

The Old Broom Straw Trick

[rmdingler]

I witnessed an old electrician use a fragment of a standard household item to mitigate his monthly payment to the electricity provider. This was 20 years ago and obviously on a dumber meter. The new meters will not stop theft, though they will change the perp's resume` from HS dropout to 'sum book larnin'.

Warning to those who want to try it out

The meter is not your property and hacking it without authorization is illegal. You don't use Metasploit on other people's systems and you shouldn't use this on the utility's meter either. Buy your own meter if you want to run some experiments.

Re:Warning to those who want to try it out

[inasity_rules]

All the meters I code software for log "incidents"..... You'll most likely get caught unless you can rewrite the log. More I can not say for legal reasons, but, that being said, it is not impossible to get around that. Mod parent up, he is correct.

Re:Warning to those who want to try it out

[inasity_rules]

I am not with a utility. Utilities use logs to prove stuff. The company I work for installs separate check meters. We do not read the utilities' meters. The only people who may do that (in any country as far as I am aware) are the utilities themselves. The meters belong to them. You need a check meter approved by them to audit them. That's the breaks I'm afraid. Side note: you would not believe how often 3 phase meters are wired wrong, giving false readings which look right but over or under read 10%...

Re:Hack the planet for ransom!

[BlueStrat]

One of the main reasons for installing smart gas meters is to not have to deal with customers like you. The meters are accurate and can be read from a distance. Meter readers who used to read 200 to 300 meters a day can now read 3000 a day, and they don't have to deal with your fences, holly bushes, mean dogs, and bad attitude.

Doesn't help me on my job because I have to physically walk over your service line and be able to touch the meter. I check for leaks, and if I can't do my job because of the bloody obstacle course you've made your yard into, then I just write it down as uncheckable and you're on your own.

Nobody is out to cheat you. The gas company gets cheated way more often than the customer does.

The problem I have with smart meters for gas & electricity isn't a worry about the utility company somehow "cheating" me.

It's a number of things.

First, it allows real-time rationing on an individual level, allowing for all kinds of possible discrimination and other shenanigans. For instance, you get identified at a protest against your utility company, a politician your utility company supports, or some piece of legislation, and then suddenly, and completely coincidentally of course, all sorts of bad things happen to your service and your billing.

Second, it also provides a pool of very granular and detailed data that I don't particularly care to to have in the hands of either the utility or the government/LEAs, especially without strict rules that we as citizens and consumers get to vote on. How about a spouse using the data in a divorce to prove another person was there? Or a LEA using that blip in usage when you pulled out that old broken toaster-oven/microwave/etc to try to fix it as evidence of criminal activity.

Third, it's another set of data points that allow a more thorough profiling of individual habits, schedules, and activities. It's data that's also sure to be stolen/hacked at some point, either directly from the meters or from the utility database. Hack the smart meter of somebody you don't like and get them raided by a paramilitary SWAT team looking for a grow operation, maybe even getting them or their family members killed.

Sorry that your job is difficult. However, I'm not about to allow myself to be put into the above scenarios just to make your job easier. Get another job if it's that bad.

Strat