Perimeter
10/1/2014
04:20 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Smart Meter Hack Shuts Off The Lights

European researchers will reveal major security weaknesses in smart meters that could allow an attacker to order a power blackout.

A widely deployed smart meter device can be programmed to cause a power blackout or commit power usage fraud.

Researchers Javier Vazquez Vidal and Alberto Garcia Illera will reveal this month at Black Hat Europe in Amsterdam how they reverse engineered smart meters and found blatant security weaknesses that allowed them to commandeer the devices to shut down power or perform electricity usage fraud over the power line communications network. The researchers aren't disclosing the specific smart meter manufacturer at this time -- they haven't yet disclosed anything to the vendor in question, either. They have hinted heavily that it's a brand installed broadly in Spain.

The smart meter device Vazquez Vidal and Garcia Illera tested stores the same pair of symmetric AES-128 encryption keys inside every such device. An attacker who lifted these keys would be able to send commands -- including an order to shut down power -- directly to the smart meter. The microchip inside the device contains the readable keys, the researchers say.

"The device is not properly secured," Vazquez Vidal says. "Once you've got the [encryption] keys and know the hardware, you can have full control of the network in a really big area… to turn off and on the lights remotely, and you could know power consumption in a house [to determine] if someone is in the house" at that time.

With the encryption keys in hand, an attacker could easily sniff the data or inject his own commands into the device or devices, he says. "You didn't need any tools to trigger the vulnerabilities we found."

Garcia Illera says he and Vazquez Vidal basically cracked open a couple of the smart meter devices and reverse engineered the hardware. "There were very scary things we found. You can practically turn the lights off in a city or neighborhood" with these flaws.

They also discovered it was simple to spoof the identifier code on each device. So a malicious customer could spoof the identifier code of a neighbor's smart meter so that his power consumption would appear to be coming from his neighbor's meter. The neighbor then would be billed for that power usage.

"You just need to scan [or ping] the network for meters that are close to yours, and once you find a valid response, you just use that ID," says Vazquez Vidal.

There are two ways an attacker could control power delivery within a one-kilometer radius. "One would be to access one meter and use it as an entry point for the network," Vazquez Vidal says. "The second one would be to build a custom device that could be plugged anywhere, as long as the wires would not be too far from a meter, and use it to inject the commands in the network."

The researchers emphasize that they used their own internal network of smart meters, not the smart grid, for their testing. They used four meters to recreate a power grid network without touching the real one. "We are 99% sure [these attacks] would work in the real world," Garcia Illera says.

The really bad news is that there's nothing smart meter customers can do to defend against an attack.

"They cannot even choose not to have them at their homes. The only ones able to solve this situation are the electrical companies who are placing them," Vazquez Vidal says. "Since we do not own the meters that we have at home -- they are rented -- we cannot do anything about it… Besides, it could be considered [by the power company] as manipulation" of the devices.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/16/2014 | 2:13:39 PM
Re: Solution?
Incenting the smart meter manufacturers to do more about security would definitely be a step in the right direction, and the utilities certainly could play a role, similar to how they promote energy efficiency by promoting appliances certified by the EPA's  Energy Star program. A similar program could be developed for security in the IoT. 
LongevityRescuer
50%
50%
LongevityRescuer,
User Rank: Apprentice
11/16/2014 | 9:37:40 AM
Security is only one of the many concerns
Aside from the sercurity, financial, and privacy issues, according to independent scientists smart meters add to our overexposure to EMF radiation. See what the experts decribe as the BIGGEST health crisis humanity has ever faced at EMFsummit


TeresaStevens
50%
50%
TeresaStevens,
User Rank: Apprentice
11/13/2014 | 2:24:14 PM
Solution?
Do you believe that the only solution is for the energy utilities to incent the smart meter manufacturers to build in security?
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
10/2/2014 | 3:17:22 PM
Re: Configuration Management FAIL
Unfortunately, it's a common theme among so many networked consumer devices today--poor encryption key practices, built-in backdoors, default passwords. You name it. Until these manufacturers start addressing security, it will only get worse.
DGtlRift
50%
50%
DGtlRift,
User Rank: Apprentice
10/2/2014 | 10:02:01 AM
Configuration Management FAIL
I hate the way symetric keys are used in HLS-DLMS, but the assumption of this vulnerablity is that the utility would use the same semetric key-pair amongst all the population of their meters.  That's just bad practice, and is basically inviting trouble.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.