Australia’ Smart meter leaders lag in securing devices
Centre for Internet Safety calls for consumer safeguards
Default passwords, unpatched firmware, unencrypted traffic: according to a report from a Canberra University research organisation, Australia’s smart electricity meter rollouts are characterised by n00b-level security gaffes.
The warning comes from the University’s Centre for Internet Safety, which published its Smart Meters: What does a connected house really mean? report earlier this week (PDF).
In particular, the report highlights two-way communication as a risk for consumers: meters that only send upstream metering data to the retailer have a much smaller useful attack surface, the report says.
The Register spoke to Nigel Phair of the Centre for Internet Safety at Canberra University about the findings.
Phair’s biggest complaint is about the lack of information available about the progress of smart metering in the Australian electricity sector, a problem he attributes to fragmented retail markets.
Only Victoria documents the smart meter rollout at the state level, he explained, because that state mandated their installation (the program was the subject of a critical auditor-general’s report in 2015 and available here (PDF).
In other states, a plethora of competing retailers made it hard to collate figures for smart meter rollouts. Phair also said with multiple retailers between distributors and customers, smart meters are more likely to be exposed to the Internet, simply because those different players need a ubiquitous communications platform.
The next step from installing smart meters, he said, will be smart home integration, and “that’s when we’ll get into really spooky stuff – ultra-targeted information based on your family make-up, what you do, and when you do it.”
That makes better security even more of an imperative, Phair said, and in the report, he called for “robust” consumer protection frameworks to be put in place.
He warns that the combination of unencrypted communications from smart meters and weak password protection raises the risk that attackers could fingerprint households’ electricity use – for example, exposing them to the risk of burglary when a home’s occupants are absent.
The only possible bright spot is that a meter using electricity infrastructure as its communications channel might not be exposed to the Internet, thereby reducing the risk of intrusion.
Phair told The Register he’d like utilities to clean up their act before widespread deployments spread to water and gas utilities.
In Australia, electricity metering comfortably the pack in terms of adopting smarter technology, simply because those meters are easiest to power.
Water and household gas utilities are a long way behind (the report only cites one Australian case study in these sectors, that of Mackay Regional Council’s low-power WAN from Taggle Systems, designed to cut demand and avoid building a new AU$100 million water treatment plant).
Both the water and gas sectors tend to stick with one-way smart meters, to preserve the devices’ 15-year battery life. ®