Open Source Smart Meter Hacking Framework Released

← Back to Stories (view on slashdot.org)

Open Source Smart Meter Hacking Framework Released

Posted by timothy on Saturday July 21, 2012 @11:19PM from the granular-snapshots dept.

wiredmikey writes "A researcher specializing in smart grids has released an open-source tool designed to assess the security of smart meters. Dubbed 'Termineter,' the framework would allow users, such as grid operators and administrators, to test smart meters for vulnerabilities. Termineter uses the serial port connection that interacts with the meter's optical infrared interface to give the user access to the smart meter's inner workings. The user interface is much like the interface used by the Metasploit penetration testing framework. It relies on modules to extend its testing capabilities. Spencer McIntyre, a member of SecureState's Research and Innovation Team, is scheduled to demonstrate Termineter in a session 'How I Learned to Stop Worrying and Love the Smart Meter,' at Security B-Sides Vegas on July 25. The Termineter Framework can be downloaded here." As the recent lucky winner of a smart meter from the local gas company, I wish householder access to this data was easy and expected.

5 of 74 comments (clear)

Min score:

Reason:

Sort:

Not surprising. by inasity_rules · 2012-07-21 23:28 · Score: 4, Insightful

As someone who writes drivers for various smart meters to do AMR, I am surprised it took this long. Most protocols are childishly simple with little in the way of encryption or authentication. Often the passwords are sent in plain text. Check metering might be a simpler way to secure your meters. Catch them at it rather than get into an arms race...

--
I have determined that my sig is indeterminate.
1. Re:Not surprising. by inasity_rules · 2012-07-22 00:39 · Score: 4, Informative
  
  Never. Our product is designed to save clients money. Basically the supply utility implements TOU tariffs and we provide data capture and analysis tools to optimize when and how they use their power. I see no moral issue with this. Besides, how is being asked to pay for your power a moral issue?
  
  --
  I have determined that my sig is indeterminate.
2. Re:Not surprising. by ukemike · 2012-07-22 03:23 · Score: 4, Informative
  
  Besides, how is being asked to pay for your power a moral issue?
  The moral issue is that you helped install a system that you stated very clearly is "childishly simple with little in the way of encryption or authentication" and these meters are responsible for a critical and potentially very expensive bill being sent to every person every month. Now a hacking framework is available, it is only a matter of time before smart meters will be hacked and people will get incorrect bills for far more than what they owed. It doesn't take a very good imagination to figure out even worse outcomes of having an easy to hack critical infrastructure. Someone could write a virus that could propagate through the smart meter network and then shut off power over a very wide area. When there are big power outages, sometimes people die.
  
  So perhaps now the moral issue is a bit more clear? It is immoral to make critical infrastructure that is deliberately insecure.
  
  Our product is designed to save clients money.
  
  I can't imagine what utility you work for but it couldn't possibly be PG&E. The smart meters we have here are most decidedly NOT designed to save customers money. They were used as a backdoor way to implement "time of use" metering, so they can charge extra during peak hours. Many people I know with a smart meter have had their bill go up while their usage stayed the same. I often work from home so my bill went up fairly substantially. The other reason for the smart meters is that PG&E get to charge a percent markup for profit on "capital upgrades" so they decided "hey if we install a fancy expensive new meter on every single customer in the state we can make a huge extra pile of money!!!" So you can sell your "save the customer money" to a more gullible audience, but we aren't going to buy it here.
  
  --
  -- QED
Re:Hack the planet for ransom! by reboot246 · 2012-07-22 00:16 · Score: 4, Interesting

One of the main reasons for installing smart gas meters is to not have to deal with customers like you. The meters are accurate and can be read from a distance. Meter readers who used to read 200 to 300 meters a day can now read 3000 a day, and they don't have to deal with your fences, holly bushes, mean dogs, and bad attitude.

Doesn't help me on my job because I have to physically walk over your service line and be able to touch the meter. I check for leaks, and if I can't do my job because of the bloody obstacle course you've made your yard into, then I just write it down as uncheckable and you're on your own.

Nobody is out to cheat you. The gas company gets cheated way more often than the customer does.
Warning to those who want to try it out by Anonymous Coward · 2012-07-22 00:57 · Score: 5, Insightful

The meter is not your property and hacking it without authorization is illegal. You don't use Metasploit on other people's systems and you shouldn't use this on the utility's meter either. Buy your own meter if you want to run some experiments.