Your smart meter is very secure (against you) and very insecure (against hackers)

In "On Smart Cities, Smart Energy, And Dumb Security" -- Netanel Rubin's talk at this year's Chaos Communication Congress -- Rubin presents his findings on the failings in the security of commonly deployed smart meters.

It's not pretty.

The meters are designed to treat their owners as attackers: you are your smart meter's adversary, because if you could control it, you could use it to defraud the power company about your electricity usage. As a result, the physical security of smart meters is very good.

But the corollary of this adversarial relationship is that your meter's networked insecurities are, by design, impossible for you to remedy or override. If an attacker gains control of your meter, they can jack up your bills, shut down your power (compromising both your physical safety during periods of extreme heat or cold, and your network security, by powering down devices like burglar alarms and cameras), spy on your electricity usage, and so on -- and that fantastic physical security means you can't readily reprogram your meter to tell it to ignore the remote instructions that seem to be emanating from a privileged user at the power company. If you could override the power company's instructions, the power company would be vulnerable to your shenanigans, and since power companies are the primary customers for smart meters, the meters are designed to protect them at your expense.

This would be a lot less worrisome if the network security of smart meters were perfect (though you'd still be vulnerable to unscrupulous power company employees and repressive government orders -- imagine how Turkey's government could use this power against its enemies list in its current purge), but all security is imperfect, and in the case of smart meters, "imperfect" is an awfully charitable characterisation.

The network security model of smart meters starts from the inherently flawed Zigbee protocol, long understood to be difficult to secure, and goes downhill from there, with halfhearted and sloppy implementations of Zigbee's second-rate security. Smart meters rely on the insecure GSM protocol, incorporate hardcoded administrative passwords, and use keys derived from six-character device names.
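To put a number on the last two weaknesses, here is an added example (not from Rubin's talk or any vendor's code) that audits a constructed meter inventory for shared admin credentials and for keys whose strength is capped by a six-character name. The inventory schema, the field names and the 36-symbol name alphabet are assumptions made for illustration.

```python
import math
from collections import Counter

KEY_BITS = 128  # Zigbee keys are 128-bit AES keys

# Constructed sample inventory (hypothetical schema, not a vendor format).
INVENTORY = [
    {"name": "MTR001", "admin_hash": "hash-A", "key_source": "device-name"},
    {"name": "MTR002", "admin_hash": "hash-A", "key_source": "device-name"},
    {"name": "MTR003", "admin_hash": "hash-B", "key_source": "csprng"},
]

def effective_bits(alphabet_size, length):
    """Upper bound on the entropy of a key derived only from a name."""
    return length * math.log2(alphabet_size)

def audit(inventory, name_alphabet=36):
    """Return (device, issue, bits) findings for the two weaknesses above.

    name_alphabet=36 assumes names drawn from A-Z and 0-9 (an assumption).
    """
    findings = []
    per_hash = Counter(d["admin_hash"] for d in inventory)
    for d in inventory:
        # One credential on several devices behaves like a hardcoded password:
        # recovering it from any single meter exposes all of them.
        if per_hash[d["admin_hash"]] > 1:
            findings.append((d["name"], "shared-admin-credential", None))
        # A key derived from the name cannot be stronger than the name,
        # whatever the nominal key length.
        if d["key_source"] == "device-name":
            bits = effective_bits(name_alphabet, len(d["name"]))
            if bits < KEY_BITS:
                findings.append((d["name"], "name-derived-key", round(bits)))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```

Even if the names used every printable ASCII character, six characters would cap the key at about 39 bits, far short of the 128 bits the cipher nominally provides.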

The Guardian's Alex Hern asked the UK department of Business, Energy and Industrial Strategy for their response to this, and they said: "Robust security controls are in place across the end to end smart metering system and all devices must be independently assessed by an expert security organisation, irrespective of their country of origin."

Translation: we will do nothing about this until it is too late.

As bad as all this seems, it's actually worse. Rubin is almost certainly not the first person to discover these vulnerabilities, but as we learned during the US Copyright Office's 2015 proceedings on the DMCA, security researchers who uncover these security bugs are routinely silenced by their in-house counsel, because laws like Section 1201 of the DMCA -- and EU laws that implement Article 6 of the EUCD -- allow companies to sue (and even jail) anyone who reveals a flaw in their digital locks.

“These security problems are not going to just go away,” Rubin said. “On the contrary, we are going to see a sharp increase in hacking attempts. Yet most utilities are not even monitoring their network, let alone the smart meters. Utilities have to understand that with great power comes great responsibility.”

Smart meters come with benefits, allowing utilities to more efficiently allocate energy production, and enabling micro-generation that can boost the uptake of renewable energy. For those reasons and more, the European Union has a goal of replacing 80% of meters with smart meters by 2020.

Smart electricity meters can be dangerously insecure, warns expert [Alex Hern/The Guardian]

Notable Replies

  1. SaskPower installed 100,000 Itron smart meters in 2014 and immediately several burned. They didn't know why they burned and no report was ever made public. All the meters have been removed at a cost of $40 million. The same meters had been installed elsewhere with the same problem.

    SaskPower to remove 105,000 smart meters following fires

  2. It doesn't make sense to call me the "owner" of the electric meter in my house. It's the property, and the responsibility, of the utility.

    That doesn't excuse the utility from their responsibility to secure the device. But the common, and persuasive, argument that "I bought and paid for this (car / computer / thermostat / toothbrush) and therefore have a right to see and modify its software" does not apply. Unless you're an electric utility.

  3. KXKVI says:

    Not surprised. Customers are the enemies of corporations, not hackers.

    There are meters that turn off your air conditioner's compressor when electricity gets scarce in the summer. I've often thought about securing the cabling with 5/8" stainless steel barriers that will prevent the contractors from mucking around with the wiring (often without asking permission).

  4. Wouldn't it be possible to install your own meter (smart or otherwise) between the circuit breaker and the power company's meter? I could think of several advantages to this, first being that the power company couldn't regulate how you use your power. From their perspective, it would be either on or off. Secondly, you'd have a way to dispute any irregularities that arise with their meters.

    It doesn't even seem like it would cost all that much. But then, I'm not a home owner. I could be missing something.

  5. I had a helldesk job for the power company once. They did indeed, and with depressing regularity, turn off the power to people with O2 concentrators, dialysis machines and the like, despite multiple warnings on those accounts not to. I once completely reset someone's account and zeroed their debt on a manager-free night shift, just because they'd had so much shit. Never got caught for it either.
