Security flaw found in mandatory smart meters
Hackers could “turn the lights off in a city or neighborhood”
By Jennifer Abel
Anything connected to the Internet has the potential to be hacked (which is why anybody who keeps up with the news hears a new “protect yourself and your confidential information after this latest database hacking” warning every week or so).
This is to be expected, once you remember that the Internet – also known as the “World Wide Web,” formerly the “information superhighway” – was built specifically to make it easier for computers or computerized devices to share information, whereas computer or online “security” tries to do the exact opposite: keep information secret.
You can make it easier to share something, or you can make that something harder to steal – but using the same tool for both, simultaneously, doesn’t work too well.
So it’s no surprise that home-based Internet-connected “smart” devices are vulnerable to hacking as well. There have already been real-life incidents of hackers taking remote control of wireless baby monitors – sometimes to yell at the baby, other times to secretly spy on the family.
The same potential holds for Internet-connected or Wi-Fi-controlled smoke alarms and thermostats – you enjoy the convenience of being able to control those devices from afar, but run the risk that a hacker might do the same.
And later this month, at the 2014 Black Hat Europe security conference in Amsterdam, researchers Javier Vazquez Vidal and Alberto Garcia Illera plan to demonstrate crippling security weaknesses they found in a still-unnamed brand of smart meter: Vidal and Illera reverse-engineered the meter and discovered they could remotely hijack control of one, even to the point of completely shutting it down.
The flaw Vidal and Illera found in their reverse-engineered meter (which, according to the Dark Reading security blog, is widely believed to be a brand in common use in Spain) is in a microchip found in each device. That microchip, in turn, holds a pair of symmetric AES-128 encryption keys.
A knowledgeable attacker who lifted those keys could then send commands to the smart meter, and do anything from “stealing” electric power to shutting down the power altogether. The keys are also easy to spoof — a hacker could, for example, spoof his own meter so that his power consumption appeared to be coming from his neighbor’s house, and his neighbor gets the resulting huge electric bill.
Very scary things
Illera said that after he and Vidal discovered how easily they could crack into the smart meters, “There were very scary things we found. You can practically turn the lights off in a city or neighborhood” with them.
What’s worse is that the smart meters are installed by [presumably Spanish] local electric companies, not by electrical customers themselves, which means people who have these super-hackable smart meters in their homes are legally helpless to fix the problem, Vidal said. “The only ones able to solve this situation are the electrical companies who are placing them. Since we do not own the meters that we have at home — they are rented — we cannot do anything about it… Besides, it could be considered [by the power company] as manipulation” of the meters.