Slashdot Mirror
Poor, Homegrown Encryption Threatens Open Smart Grid Protocol
An anonymous reader writes: Millions of smart meters, solar panels, and other grid-based devices rely on the Open smart grid protocol for communication and control — it's similar to SCADA's role for industrial systems. But new research shows that its creators made the common mistake of rolling their own encryption, and doing a poor job of it. The researchers believe this threatens the entire system. They say, "This function has been found to be extremely weak, and cannot be assumed to provide any authenticity guarantee whatsoever." Security analyst Adam Crain added, "Protocol designers should stick to known good algorithms or even the 'NIST-approved' short list. In this instance, the researchers analyzed the OMA digest function and found weaknesses in it. The weaknesses in it can be used to determine the private key in a very small number of trials."
Damn those eco-friendly nuts always trying to grow things at home!
hack my meter to only count once for every 10 or 100 kwh actually used?
Hasn't "Don't roll your own crypto, dumbass" been one of the cardinal rules of security since sometime before WEP violated it?
The least you can do is implement a real algorithm; but screw it up somehow (key handling is always a good place for that); but just making it up? How did they sneak this past a standards body?
They want you to use a pre-cracked one which saves time even putting it in front of a human cryptoanalyst.
In the days of pre-broken encryption (that NIST recommends like Eliptic curves which was just found to be backdoored)
Come on we're in 2015, there are plenty of widely available not publicly broken primitives.
DO NOT ROLL YOUR OWN GOD DAMNED CRYPTO. Unless you're a cryptographer planning to have it reviewed and attacked long before even considering using it.
Let me quote Schneier's law again: "any person can invent a security system so clever that she or he can't think of how to break it."
This is a blatant example of Dunning-Kruger. Again.
"We use a custom-made encryption algorithm with organic S-boxes and artisanal feistels. You probably have never heard of it."
In Soviet Russia, Jesus asks: "What Would You Do?"
If you are going to implement your own crypto, you will screw it up, so at least make it entertaining:
https://xkcd.com/153/
isn't it more work to make your own shitty encryption? are these people retarded?
If you roll your own encryption, you'll probably screw up in some way and your software will end up with security flaws.
If you use popular libraries (like, say, OpenSSL), developed by "experts", they'll probably screw up in some way and your software will end up with security flaws.
Go with a less popular library, and you'll experience not only the authors' flaws, but also the ones you'll introduce when adding missing functionality.
So a developer wishing to use encryption in a product will end up screwed no matter which path is taken.
If there is one thing we should have learned from the various SSL/TLS flaws lately, it's that security systems developed by so-called "experts" can be just as vulnerable as systems developed by non-experts.
"Protocol designers should stick to known good algorithms or even the 'NIST-approved' short list. In this instance,
"NIST-approved".
Don't make me laugh. Better to use home-brewed MIGHT be secure crypto than broken-by-design crypto which was DESIGNED TO BE BROKEN.
What a joke.
We have found the first FBI-compliant system!!!
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
Read this - pay attention to the interpretive dance requirement:
http://www.moserware.com/2009/...
K/Tnx/Bai,
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
NIST algos are subject to NSA backdoors, recall the random number generator that isn't random at all, but rather the output of a encryption algo to which they held the key? Likewise certificates are regularly backdoored by the NSA and others, simply because its a third party (rogue NSA agent) verifying a key. 12 million TLS sessions intercepted daily with a big expansion (see Snowden leaks) that could be billions of sessions by now. The certificate system is worthless.
So the issue here is that the "approved" encryption schemes have been sabotaged or cracked.
One time pad is still valid, you can use a key bigger than the total data to ever be sent and and it is secure. S-Boxes and multiple rounds are really no match for the basic one time pad
Folks, this is the worst comment stream ever, or at least in a long while.
None of you made any suggestions that make sense for a deep embedded device that will be deployed for, oh, 50 years or more, may not be remotely updatable (new certificates? Revoking? Software?), and probably does not have the cpu to run an entire Java or bsd stack.
Please respect the actual product requirements before making suggestions.
I was an embedded developer for many years. It is just a totally different way of thinking. Embedded guys are always writing the same thing again from scratch. They also are obsessed with knowing exactly what is going on. Before I got into high level software development, the idea of dumping someone else's library into my carefully constructed embedded code made me cringe.
The other issue is that embedded guys can think they know it all, because they normally understand how a line of code they write affects things right down to the electrons and holes in the chip's transistors. This narrow over-confidence totally sets them up to fail at something like crypto, where you can write the safest, neatest to-spec code in the world, and then someone just walks right around the problem. A good example was the whole BMW connected drive thing where the researchers just spoofed a 'trusted' cell station.
The other thing to keep in mind is that 'security' has become a consultant fest since Y2K (possibly before that). There are plenty of snake oil salesmen out there who will talk endless BS, charging you $500/hr to do so, and then leave you with a half finished piece of bug-ridden rubbish. I don't blame many companies for just trusting the internal dev who at least has delivered on other projects before, rather than a suit wearing chatter monkey.
It is easy to sneak a back door into a complicated mathematical algorithm. Most people do not understand how it works anyway. And as we know it does happen on an epic scale, from many sides.
But there are impregnable physical laws, which all people understand. Still this type of security is neglected by hardware producers. For example, why there is no a light physical plastic lid, which can be used to close web-camera on a ultra-book physicaly? Why the web-camera lenses are always open? Why people shall use a messy scotch tape to close it? Or rely just on a dubious software security.
Why where is no a similar lid to close a microphone and a web-camera on a smart-phone? If a web-camera is closed by a physical lid it is closed. This is it. And it is not difficult to make a convenient design so that it is opened and closed easily.
People called me a luddite when I refused a smartmeter. Then they started overcharging people, actually overreporting power consumption where when the old mechanical meters fail, they underreport it. Next the power meters literally started exploding, yes exploding, not just burning. Now it turns out anyone good at crypto, or any skript kiddie, can read your smartmeter in the near future.
I'm not worried about RF interfering with my brain, even if I thought that was a concern with these frequencies they only chirp occasionally, they don't broadcast nonstop. I just thought they were a bad idea. Every month I photograph my meter and email the result to my meter readers from my phone.
Since they can't switch power on and off to my house, and the only thing they can switch remotely is at the substation level, they don't need to know what I'm doing when. They can measure my whole branch circuit, and cut it off if they have to, like always.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I work for a smart grid consulting company...before that, a major (nearly a century old, and widely-recognized) civil engineering firm, again in the power industry. Before that I was the official smart grid security spokesman for a large IT company, and briefed Gartner, Ponemon, Forrester, etc. I've been deep into the guts of generation, T&D, energy marketing, and smart metering infrastructure at dozens of power companies over the past decade.
I've never seen OSGP in the field, not once. The OP talks about "millions of smart meters" using it, but damned if I can figure out which meters those are. Landis+Gyr? Nope. GE? Uh uh. Itron? Hell no; they have their own end-to-end architecture (and it works really, really well, which is why Itron is now the 800-pound gorilla of the smart metering world) Sensus? Nope, they bought FlexNet from Motorola and use that, and it has its own (decent) encryption. Elster? Definitely not...I've seen Elster's architecture up super-close, and this protocol is nowhere to be found.
In fact, if you look up OSGP, you'll see all kinds of announcements from the alliance behind it, but not a lot of actual success. Sounds to me like someone found vulnerabilities in an also-ran protocol, but the security issues aren't the only thing wrong with it...which is why nobody seems to actually USE it.
For your security, this post has been encrypted with ROT-13, twice.
GSM rolled their own crypto. They depended on Obscurity to protect their algorithm. Somebody handed a copy to Ian Goldberg, then a grad student at Berkeley, and the reason it took him three whole hours to break it was that the Chinese restaurant near campus was having the good lunch special that day.
It was a weak enough algorithm (designed in electrical-engineer-math style, which is fine if you want checksums for reliability) that I'll give them credit for incompetence, though the fact that 10 bits of the already-too-short key were always set to 0 looks much more like malice (with a slight possibility that an early hardware implementation didn't have enough spare bits on some part of the chip.)
Ron Rivest can sometimes get away with rolling his own algorithms - but RC4 and MD5 are looking pretty weak these days, even if you don't count the (documented from the beginning) rules about making sure to never ever use the same RC4 key twice, which was ignored several different ways in PPTP and in a number of other protocols implemented by people who were rolling their own implementations without understanding the algorithms.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks