10/1/2014
04:20 PM
Smart Meter Hack Shuts Off The Lights

European researchers will reveal major security weaknesses in smart meters that could allow an attacker to order a power blackout.

A widely deployed smart meter device can be programmed to cause a power blackout or commit power usage fraud.

Researchers Javier Vazquez Vidal and Alberto Garcia Illera will reveal this month at Black Hat Europe in Amsterdam how they reverse engineered smart meters and found blatant security weaknesses that allowed them to commandeer the devices to shut down power or perform electricity usage fraud over the power line communications network. The researchers aren't disclosing the specific smart meter manufacturer at this time -- they haven't yet disclosed anything to the vendor in question, either. They have hinted heavily that it's a brand installed broadly in Spain.

The smart meter device Vazquez Vidal and Garcia Illera tested stores the same pair of symmetric AES-128 encryption keys inside every such device. An attacker who lifted these keys would be able to send commands -- including an order to shut down power -- directly to the smart meter. The microchip inside the device contains the readable keys, the researchers say.

"The device is not properly secured," Vazquez Vidal says. "Once you've got the [encryption] keys and know the hardware, you can have full control of the network in a really big area… to turn off and on the lights remotely, and you could know power consumption in a house [to determine] if someone is in the house" at that time.

With the encryption keys in hand, an attacker could easily sniff the data or inject his own commands into the device or devices, he says. "You didn't need any tools to trigger the vulnerabilities we found."

Garcia Illera says he and Vazquez Vidal basically cracked open a couple of the smart meter devices and reverse engineered the hardware. "There were very scary things we found. You can practically turn the lights off in a city or neighborhood" with these flaws.

They also discovered it was simple to spoof the identifier code on each device. So a malicious customer could spoof the identifier code of a neighbor's smart meter so that his power consumption would appear to be coming from his neighbor's meter. The neighbor then would be billed for that power usage.

"You just need to scan [or ping] the network for meters that are close to yours, and once you find a valid response, you just use that ID," says Vazquez Vidal.
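The two weaknesses described above, a single key pair shared by every meter and an identifier that is trusted without any binding to the meter that sent it, reinforce each other: whoever can read one meter's key can speak for any meter. The following is an added illustration, not code from the article, the researchers or any meter vendor, and not a model of a real meter protocol. It is a toy head-end verifier in Python that contrasts a population-wide shared key with per-meter key diversification. HMAC-SHA256 stands in for the AES-128 scheme the article mentions, the key bytes, meter IDs and payload are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed placeholder secrets; a real head-end keeps its master key in an HSM.
SHARED_METER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # scheme A: same key in every meter
HEADEND_MASTER_KEY = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")  # scheme B: never leaves the head-end


def derive_meter_key(master_key: bytes, meter_id: str) -> bytes:
    """Key diversification: each meter is provisioned with KDF(master, meter_id).
    Only that one key is ever written into the meter, so reading it out of the chip
    reveals nothing about any other meter's key (HMAC used as a simple KDF here)."""
    return hmac.new(master_key, b"meter-key|" + meter_id.encode(), hashlib.sha256).digest()


def tag_message(key: bytes, meter_id: str, payload: bytes) -> bytes:
    """Message authentication code that binds the claimed meter ID to the payload."""
    return hmac.new(key, meter_id.encode() + b"|" + payload, hashlib.sha256).digest()


def headend_accepts_shared(meter_id: str, payload: bytes, tag: bytes) -> bool:
    """Scheme A verifier: one key for the whole meter population."""
    return hmac.compare_digest(tag_message(SHARED_METER_KEY, meter_id, payload), tag)


def headend_accepts_diversified(meter_id: str, payload: bytes, tag: bytes) -> bool:
    """Scheme B verifier: re-derives the key the *claimed* meter should hold."""
    expected = tag_message(derive_meter_key(HEADEND_MASTER_KEY, meter_id), meter_id, payload)
    return hmac.compare_digest(expected, tag)


def key_present_in_meter(scheme: str, meter_id: str) -> bytes:
    """The only key material stored inside a given meter under each scheme."""
    if scheme == "shared":
        return SHARED_METER_KEY
    return derive_meter_key(HEADEND_MASTER_KEY, meter_id)


def _verifier(scheme: str):
    return headend_accepts_shared if scheme == "shared" else headend_accepts_diversified


def own_report_accepted(scheme: str) -> bool:
    """Sanity check: a meter reporting under its own ID is accepted in both schemes."""
    own, payload = "METER-0001", b"usage_kwh=42"  # constructed
    tag = tag_message(key_present_in_meter(scheme, own), own, payload)
    return _verifier(scheme)(own, payload, tag)


def spoofed_id_accepted(scheme: str) -> bool:
    """Does the head-end accept a report carrying a neighbour's ID when it is
    authenticated only with the key material found inside one's own meter?"""
    own, neighbour, payload = "METER-0001", "METER-0002", b"usage_kwh=42"  # constructed
    tag = tag_message(key_present_in_meter(scheme, own), neighbour, payload)
    return _verifier(scheme)(neighbour, payload, tag)


if __name__ == "__main__":
    for scheme in ("shared", "diversified"):
        print(f"{scheme:12s} own report: {own_report_accepted(scheme)}  "
              f"spoofed ID: {spoofed_id_accepted(scheme)}")
```

Under the shared-key scheme the spoofed report verifies, because the head-end cannot tell which meter produced the tag; under diversification it fails, because the tag would have to come from the key derived for METER-0002, which METER-0001 never held. Diversification only narrows the blast radius, though: a key read out of a meter still lets that one meter be impersonated, so it has to be paired with tamper-resistant key storage and head-end monitoring for implausible consumption or command patterns.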

There are two ways an attacker could control power delivery within a one-kilometer radius. "One would be to access one meter and use it as an entry point for the network," Vazquez Vidal says. "The second one would be to build a custom device that could be plugged anywhere, as long as the wires would not be too far from a meter, and use it to inject the commands in the network."

The researchers emphasize that they used their own internal network of smart meters, not the smart grid, for their testing. They used four meters to recreate a power grid network without touching the real one. "We are 99% sure [these attacks] would work in the real world," Garcia Illera says.

The really bad news is that there's nothing smart meter customers can do to defend against an attack.

"They cannot even choose not to have them at their homes. The only ones able to solve this situation are the electrical companies who are placing them," Vazquez Vidal says. "Since we do not own the meters that we have at home -- they are rented -- we cannot do anything about it… Besides, it could be considered [by the power company] as manipulation" of the devices.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Marilyn Cohodas,
User Rank: Strategist
11/16/2014 | 2:13:39 PM
Re: Solution?
Incenting the smart meter manufacturers to do more about security would definitely be a step in the right direction, and the utilities certainly could play a role, similar to how they promote energy efficiency by promoting appliances certified by the EPA's Energy Star program. A similar program could be developed for security in the IoT.
LongevityRescuer,
User Rank: Apprentice
11/16/2014 | 9:37:40 AM
Security is only one of the many concerns
Aside from the security, financial, and privacy issues, according to independent scientists smart meters add to our overexposure to EMF radiation. See what the experts describe as the BIGGEST health crisis humanity has ever faced at EMFsummit
TeresaStevens,
User Rank: Apprentice
11/13/2014 | 2:24:14 PM
Solution?
Do you believe that the only solution is for the energy utilities to incent the smart meter manufacturers to build in security?
Kelly Jackson Higgins,
User Rank: Strategist
10/2/2014 | 3:17:22 PM
Re: Configuration Management FAIL
Unfortunately, it's a common theme among so many networked consumer devices today--poor encryption key practices, built-in backdoors, default passwords. You name it. Until these manufacturers start addressing security, it will only get worse.
DGtlRift,
User Rank: Apprentice
10/2/2014 | 10:02:01 AM
Configuration Management FAIL
I hate the way symmetric keys are used in HLS-DLMS, but the assumption of this vulnerability is that the utility would use the same symmetric key-pair amongst all the population of their meters. That's just bad practice, and is basically inviting trouble.