Risk
7/28/2009
06:57 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Black Hat: Smart Meter Worm Attack Planned

IOActive's Mike Davis intends to unleash a worm on a smart meter at the Black Hat security conference on Thursday.

The smart grid, the emerging power distribution infrastructure upgrade, may not be the bright idea its name suggests. In the rush to modernize the way electricity moves, security appears to be an afterthought.

At Black Hat on Thursday, Mike Davis, a senior security consultant with IOActive, plans to conduct a worm attack on a smart meter, a part of the smart grid that's being installed at consumers' homes around the country.

The worm, Davis claims, can copy itself from one smart meter to the next in a neighborhood, ultimately causing power outages and rendering the smart meter inoperable.

"Many of the security vulnerabilities we found are pretty frightening and most smart meters don't even use encryption or ask for authentication before carrying out sensitive functions like running software updates and severing customers from the power grid," said Davis in a statement.

IOActive president and CEO Joshua Pennell said much the same thing in March when he testified before the Committee of Homeland Security and the Department of Homeland Security.

"Based on our research and the ability to easily introduce serious threats, IOActive believes that the relative security immaturity of the smart grid and AMI markets warrants the adoption of proven industry best practices including the requirement of independent third-party security assessments of all smart grid technologies that are being proposed for deployment in the nation's critical infrastructure," he said.

Last year, a CIA analyst revealed that "cyberattacks have been used to disrupt power equipment in several regions outside the United States." Such attacks have been rare due to the complexity and obscurity of the SCADA systems that govern electrical infrastructure. With the smart grid transition, the technical barriers to an attack of this sort are likely to be lower, at least initially.

Google and Microsoft are both developing smart meter services that aim to provide greater insight into home energy usage. Google has its PowerMeter project, and Microsoft in June introduced Hohm.

Davis is scheduled to make his presentation on Thursday, July 30 from 4:45-6:00 P.M. in the Milano Ballroom at Ceasar's Palace in Las Vegas, where Black Hat is being held.

Black Hat is owned by TechWeb, which publishes InformationWeek.

InformationWeek has published an in-depth report on Google's upcoming Chrome OS. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.