Interesting People mailing list archives

Smart electricity meters can be dangerously insecure, warns expert


From: "Dave Farber" <dave () farber net>
Date: Sat, 14 Jan 2017 23:41:35 +0000

---------- Forwarded message ---------
From: Henry Baker <hbaker1 () pipeline com>
Date: Sat, Dec 31, 2016 at 1:29 PM
Subject: [Cryptography] Smart electricity meters can be dangerously
insecure, warns expert
To: <cryptography () metzdowd com>


FYI --

https://www.theguardian.com/technology/2016/dec/29/smart-electricity-meters-dangerously-insecure-hackers

Smart electricity meters can be dangerously insecure, warns expert

Hackers can cause fraud, explosions and house fires, and utility companies
should do more to protect consumers, conference told

Alex Hern in Hamburg

Thursday 29 December 2016 14.51 GMT

Last modified on Friday 30 December 2016 13.35 GMT

Smart electricity meters, of which there are more than 100m installed
around the world, are frequently "dangerously insecure", a security expert
has said.

The lack of security in the smart utilities raises the prospect of a single
line of malicious code cutting power to a home or even causing a
catastrophic overload leading to exploding meters or house fires, according
to Netanel Rubin, co-founder of the security firm Vaultra.

"Reclaim your home," Rubin told a conference of hackers and security
experts, "or someone else will."

If a hacker took control of a smart meter they would be able to know
"exactly when and how much electricity you're using", Rubin told the 33rd
Chaos Communications Congress in Hamburg.  An attacker could also see
whether a home had any expensive electronics.

"He can do billing fraud, setting your bill to whatever he likes ...  The
scary thing is if you think about the power they have over your
electricity.  He will have power over all of your smart devices connected
to the electricity.  This will have more severe consequences: imagine you
woke up to find you'd been robbed by a burglar who didn't have to break in.

"But even if you don't have smart devices, you are still at risk.  An
attacker who controls the meter also controls the meter's software,
allowing him to cause it to literally explode."

Rubin said many of the warnings were not hypothetical.  In 2009 Puerto
Rican smart meters were hacked en masse, leading to widespread billing
fraud, and in 2015 a house fire in Ontario was traced back to a faulty
smart meter, although hacking was not implicated in that.

The problems at the heart of the insecurity stem from outdated protocols,
half-hearted implementations and weak design principles.  While the
physical security of smart meters is strong -- "trust me, I tried" to hack
in that way, Rubin said -- the wireless protocols many of them use are
problematic.

To communicate with the utility company, most smart meters use GSM, the 2G
mobile standard.  That has a fairly well-known weakness whereby an attacker
with a fake mobile tower can cause devices to "hand over" to the fake
version from the real tower, simply by providing a strong signal.  In GSM,
devices have to authenticate with towers, but not the other way round,
allowing the fake mast to send its own commands to the meter.

Worse still, said Rubin, all the meters from one utility used the same
hardcoded credentials.  "If an attacker gains access to one meter, it gains
access to them all.  It is the one key to rule them all."

Inside the home, too, the communications are rendered insecure by outdated
standards and bad implementation.  Almost all smart meters use the Zigbee
standard to speak to other smart devices in the home.

Zigbee, which dates from 2003, is a popular home automation standard, used
for controlling everything from lightbulbs to air conditioners.  But it is
so convoluted, due to the vast array of devices supported, that it is
almost better to think of it as 15 different standards, each of which
vendors can choose to implement as they see fit.

"This unique situation is so difficult to implement, vendors actually
choose what they want to implement.  And when they choose what to support,
they more often than not skip security," Rubin said.

Other weak security decisions made by vendors include:

* Encryption keys derived from short (often just six-character) device
names.

* Pairing standards with no authentication required, allowing an attacker
to simply ask the smart meter to join the network and receive keys in
return.

* Hardcoded credentials, allowing administrator access with passwords as
simple and guessable as the vendor's name.

* Code simplified to work on low-power devices skipping important checks,
allowing nothing more than a long communication to crash the device.

"These security problems are not going to just go away," Rubin said.  "On
the contrary, we are going to see a sharp increase in hacking attempts.
Yet most utilities are not even monitoring their network, let alone the
smart meters.  Utilities have to understand that with great power comes
great responsibility."

Smart meters come with benefits, allowing utilities to more efficiently
allocate energy production, and enabling micro-generation that can boost
the uptake of renewable energy.  For those reasons and more, the European
Union has a goal of replacing 80% of meters with smart meters by 2020.

A spokesperson for the UK government's department of Business, Energy and
Industrial Strategy said: "Robust security controls are in place across the
end to end smart metering system and all devices must be independently
assessed by an expert security organisation, irrespective of their country
of origin."



-----

frauds, explosions and fires, Oh No!

Why on Earth must everything be "smart" -- aka "spying" -- aka "hackable" ?

What really galls me is the fact that the Public Utilities Commissions
(PUCs) can force us all to pay for this crap, so these idiots at the
electric utilities can put another notch in their resume belts (i.e.,
something else that I have failed at: "cybersecurity").
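A worked illustration of the two credential weaknesses the forwarded article lists (link keys derived from six-character device names, and one hardcoded credential shared by every meter of a utility), added here as an example; it is not code from Rubin's talk, from the Guardian, or from any meter vendor. It assumes a utility-held master secret (a placeholder generated locally here, standing in for an HSM-held key) and constructed meter serials, and shows why a KDF cannot rescue a low-entropy input while per-device derivation from a real secret gives each meter its own full-strength key.

```python
import hashlib
import hmac
import math
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 16) -> bytes:
    """Minimal RFC 5869 HKDF (extract, then expand) over HMAC-SHA-256."""
    if not salt:
        salt = bytes(hashlib.sha256().digest_size)  # RFC default: HashLen zeros
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def entropy_bits(symbol_count: int, length: int) -> float:
    """Entropy of a secret drawn uniformly from symbol_count ** length values."""
    return length * math.log2(symbol_count)


def effective_key_bits(secret_entropy_bits: float, key_bytes: int) -> float:
    """A KDF never adds entropy: output strength is capped by its weakest input."""
    return min(secret_entropy_bits, 8 * key_bytes)


def weak_meter_key(device_name: str) -> bytes:
    """The criticised pattern: the link key is a function of a short, public
    device name only. The KDF is sound, but the key space is tiny."""
    return hkdf_sha256(device_name.encode(), b"", b"meter-link-key")


def strong_meter_key(master_secret: bytes, serial: str) -> bytes:
    """Per-device key bound to the public serial but derived from a master secret
    that never leaves the utility. Every meter gets a distinct 128-bit key, and
    extracting one meter's key reveals neither the master nor any other key."""
    return hkdf_sha256(master_secret, b"utility-meter-keys-v1",
                       b"meter-link-key:" + serial.encode())


def meets_policy(bits: float, minimum: int = 128) -> bool:
    return bits >= minimum


if __name__ == "__main__":
    master = secrets.token_bytes(32)  # placeholder for the HSM-held master secret
    print("6-char alphanumeric name -> key bits:", effective_key_bits(entropy_bits(36, 6), 16))
    print("256-bit master secret    -> key bits:", effective_key_bits(256, 16))
    print("meter MTR-000001 key:", strong_meter_key(master, "MTR-000001").hex())  # constructed serial
```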



_______________________________________________

The cryptography mailing list

cryptography () metzdowd com

http://www.metzdowd.com/mailman/listinfo/cryptography