During a talk at the 33rd Chaos Communication Congress, Netanel Rubin, a senior vulnerability researcher, presented his findings on security failings in commonly deployed smart meters, which hackers can misuse to cause fraud, explosions and house fires.
Utility companies need to protect consumers against the ‘dangerously insecure’ smart electricity meters that are installed all around the world, accounting for around 100 million installations.
The meters are designed to treat their owners as attackers, and as a result the physical security of smart meters is very good. If the owner could control the meter, they could use it to defraud the power company about their electricity usage. But if an attacker gains control over it, they can cut power to a home, cause a catastrophic overload leading to exploding meters, or jack up one’s bills, and that fantastic physical security means one can’t readily reprogram the meter to tell it to ignore the remote instructions that seem to be emanating from a privileged user at the power company. If you can override the power company’s instructions, the power company is vulnerable to your shenanigans, and since power companies are the primary customers for smart meters, the meters are designed to protect them at your expense.
Addressing the conference in Hamburg, Rubin warned that attackers could also see whether a home has expensive electronics and could gain power over all the smart devices in the home that are connected to the electricity, which means they would also have control over the software and could rob someone without even stepping into the house.
The network security model of smart meters starts from the inherently flawed Zigbee protocol, long understood to be difficult to secure, and goes downhill from there, with half-hearted and sloppy implementations of Zigbee’s second-rate security. Smart meters rely on the insecure GSM protocol, incorporate hard-coded administrative passwords and use keys derived from six-character device names.
The UK Department for Business, Energy and Industrial Strategy said: “Robust security controls are in place across the end to end smart metering system and all devices must be independently assessed by an expert security organisation, irrespective of their country of origin.”
Rubin is almost certainly not the first person to discover these vulnerabilities, but the security researchers who uncover such bugs are routinely silenced by their in-house counsel, because laws like Section 1201 of the DMCA, and EU laws that implement Article 6 of the EUCD, allow companies to sue (and even jail) anyone who reveals a flaw in their digital locks.
Rubin warned that a sharp increase in hacking attempts will take place in the future, adding: “Utilities have to understand that with great power comes great responsibility.”
Rubin said many of the warnings were not hypothetical. In 2009 Puerto Rican smart meters were hacked en masse, leading to widespread billing fraud, and in 2015 a house fire in Ontario was traced back to a faulty smart meter, although hacking was not implicated in that.
Smart meters come with benefits, allowing utilities to more efficiently allocate energy production, and enabling micro-generation that can boost the uptake of renewable energy. For those reasons and more, the European Union has a goal of replacing 80% of meters with smart meters by 2020.