News Advanced Threats
The 5 Coolest Hacks Of 2012
Nothing was sacred -- the nation's airspace, home power meters, videoconferences, and, in an ironic twist, popular cybercrime tools
3. Infiltrating The Smart Meter
All eyes have been on the smart grid, with its state-of-the-art technology and potentially more secure infrastructure than legacy critical infrastructure systems. But like any new technology, it has its flaws security-wise, and in one case, in the infrared "eye" in the smart meter itself.
Researchers at InGuardians this summer finally demonstrated their OptiGuard tool for helping vendors and utilities assess just how the bad guys can or can't get into their networks and systems, after having to put it on hold amid vendor concerns. The Python-based tool basically demonstrates ways the infrared port on a smart meter can be penetrated, looking for vulnerabilities and possible attacks. "There's no third-party software to interact with individual meters [today]. There wasn't a way for utilities to test the implementation of their meters or for vendors to see what others are going to throw at their meters," says Don Weber, the researcher with InGuardians who built the tool.
More Security Insights
- Information Protection: The Impact Of Big Data
- Cloud-based data backup: A buyer's guide - How to choose a third-party provider for development, management of your data backup solution
- Informed CIO: SDN and Server Virtualization on a Collision Course
- InformationWeek 2013 IT Spending Priorities Survey
- The Untapped Potential of Mobile Apps for Commercial Customers
- Using InfoSphere Information Server to Integrate and Manage Big Data
Weber and his team found some major vulnerabilities in the devices; the tool is aimed at helping a utility spot those holes, such as being prone to a brute-force password attack on the infrared smart meter. An attacker then could grab configuration data and shut off the device or perform other sabotage. "Once you can talk to the meters, you can program them to do anything you want," Weber says.
The good news is that for now, these attacks would be on a single meter at a time, not the overall grid. The Python-based tool plugs into a laptop and includes a serial port client that interacts with the optical infrared functionality.
InGuardians wasn't the only firm looking at these issues. Spencer McIntyre, a member of SecureState's Research & Innovation Team, unleashed an open source smart meter hacking tool this summer. The so-called "Termineter" also tests for vulnerabilities via the device's infrared port, uses a Metasploit Framework interface, and is open-source. InGuardians' tool has its own interface, is meant for the smart grid industry, and is not open-source.
SecureState's McIntyre says authentication is a big problem with the meters. "Being able to write and read from a meter while being authenticated as an underprivileged user or to not have to authenticate at all," he says, "that could be used for fraud, which is a large concern for power companies."