Slashdot Mirror
Smart Electricity Meters Can Be Dangerously Insecure, Warns Expert (theguardian.com)
An anonymous reader quotes a report from The Guardian: Smart electricity meters, of which there are more than 100 million installed around the world, are frequently "dangerously insecure," a security expert has said. The lack of security in the smart utilities raises the prospect of a single line of malicious code cutting power to a home or even causing a catastrophic overload leading to exploding meters or house fires, according to Netanel Rubin, co-founder of the security firm Vaultra. If a hacker took control of a smart meter they would be able to know "exactly when and how much electricity you're using," Rubin told the 33rd Chaos Communications Congress in Hamburg. An attacker could also see whether a home had any expensive electronics. "He can do billing fraud, setting your bill to whatever he likes [...] The scary thing is if you think about the power they have over your electricity. He will have power over all of your smart devices connected to the electricity. This will have more severe consequences: imagine you woke up to find you'd been robbed by a burglar who didn't have to break in. "But even if you don't have smart devices, you are still at risk. An attacker who controls the meter also controls the meter's software, allowing him to cause it to literally explode." The problems at the heart of the insecurity stem from outdated protocols, half-hearted implementations and weak design principles. To communicate with the utility company, most smart meters use GSM, the 2G mobile standard. That has a fairly well-known weakness whereby an attacker with a fake mobile tower can cause devices to "hand over" to the fake version from the real tower, simply by providing a strong signal. In GSM, devices have to authenticate with towers, but not the other way round, allowing the fake mast to send its own commands to the meter. Worse still, said Rubin, all the meters from one utility used the same hardcoded credentials. "If an attacker gains access to one meter, it gains access to them all. It is the one key to rule them all."
So, a house fire traced back to a faulty meter means that they can be 'hacked to literally explode'. Excellent extrapolation there guys.
Smart meters may - or may not - have a relay to control loads on a different tariff than the usual "always on 24/7" one. They may possibly be hacked to turn this relay on - or off, making them a bit of a nuisance.
But explosions? Or house fires even? A bit hard to believe.
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
An attacker could also see whether a home had any expensive electronics.
He will have power over all of your smart devices connected to the electricity.
An attacker who controls the meter also controls the meter's software, allowing him to cause it to literally explode.
How did this kind of chicken-little the-sky-is-falling FUD make its way onto Slashdot?
You should be ashamed for posting this "article".
is a load of crap. These are state machines, typically written in embedded C. There are typically current transformers that have a large winding ratio, even if the electronics/firmware screws up there is no back driving the power line. And no relays. This guy has been watching too much Hollywood.
Insanity: doing the same thing over and over again and expecting different results. Albert Einstein
They HAVE been addressed. They were addressed before he brought up the issues. There is more than one maker of smart meters out there, you don't judge all autos based on the Yugo, so why brand all smart meters based upon the worst ones?
I've been in this industry for 7 years, and the way the uses "most" in every other paragraph is silly. But then you could count cheap Chinese mobile phones sold by the bucket to claim that most smart phones were poorly made, unreliable, and liable to catch fire.
We have security penetration testers sniffing through our source code and coming up with very obscure bugs which we're required to fix before release. We've had to cajole customers into turning on security (there's a bit of fear of being locked out). Yes good security is expensive but it brings in revenue also as it's a major selling feature. It's may be easier to hack the utility's back office than to hack the meters.
This is not to say that security is good enough. Of course, we need to do better. We need to do better at everything as far as security goes.