
10/1/2014
04:20 PM

Smart Meter Hack Shuts Off The Lights

European researchers will reveal major security weaknesses in smart meters that could allow an attacker to order a power blackout.

A widely deployed smart meter device can be programmed to cause a power blackout or commit power usage fraud.

Researchers Javier Vazquez Vidal and Alberto Garcia Illera will reveal this month at Black Hat Europe in Amsterdam how they reverse engineered smart meters and found blatant security weaknesses that allowed them to commandeer the devices to shut down power or perform electricity usage fraud over the power line communications network. The researchers aren't disclosing the specific smart meter manufacturer at this time -- they haven't yet disclosed anything to the vendor in question, either. They have hinted heavily that it's a brand installed broadly in Spain.

The smart meter device Vazquez Vidal and Garcia Illera tested stores the same pair of symmetric AES-128 encryption keys inside every such device. An attacker who lifted these keys would be able to send commands -- including an order to shut down power -- directly to the smart meter. The microchip inside the device contains the readable keys, the researchers say.

"The device is not properly secured," Vazquez Vidal says. "Once you've got the [encryption] keys and know the hardware, you can have full control of the network in a really big area… to turn off and on the lights remotely, and you could know power consumption in a house [to determine] if someone is in the house" at that time.

With the encryption keys in hand, an attacker could easily sniff the data or inject his own commands into the device or devices, he says. "You didn't need any tools to trigger the vulnerabilities we found."

Garcia Illera says he and Vazquez Vidal basically cracked open a couple of the smart meter devices and reverse engineered the hardware. "There were very scary things we found. You can practically turn the lights off in a city or neighborhood" with these flaws.

They also discovered it was simple to spoof the identifier code on each device. So a malicious customer could spoof the identifier code of a neighbor's smart meter so that his power consumption would appear to be coming from his neighbor's meter. The neighbor then would be billed for that power usage.

"You just need to scan [or ping] the network for meters that are close to yours, and once you find a valid response, you just use that ID," says Vazquez Vidal.
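The two weaknesses described above (one AES-128 key pair shared by every meter, and a meter identifier that nothing binds to the device) have a standard mitigation: derive a distinct key per meter from a master key held only at the utility, and include the meter ID in the authenticated message so a tag produced under one meter's key is worthless under another ID. The following is an added illustration, not code from the researchers or from any meter vendor; the message format, meter IDs and keys are constructed, and HMAC-SHA256 from the Python standard library stands in for the AES-based MAC a real meter would use so the example runs without extra packages. It models the consumption-report direction (meter to head-end) and shows the neighbour-ID spoof succeeding under the shared-key scheme and failing under per-device keys, with a counter check against replay.

```python
"""Per-device key derivation and ID-bound report authentication.

Constructed example: MASTER_KEY, SHARED_KEY, the meter IDs and the
report format are invented here and are not any product's protocol.
"""
import hashlib
import hmac
from typing import Callable, Dict, Tuple

# Constructed utility master key; in practice it lives in an HSM at the
# head-end and is never provisioned into a meter.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Scheme 1, as the article describes: the same key inside every meter.
SHARED_KEY = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")


def derive_meter_key(master_key: bytes, meter_id: str) -> bytes:
    """Derive a unique 16-byte key for one meter from the master key and the
    meter's ID (HMAC-SHA256 used as a simple KDF; HKDF or AES-CMAC would do
    equally).  Each meter is provisioned with only its own derived key."""
    return hmac.new(master_key, b"meter-key\x00" + meter_id.encode(),
                    hashlib.sha256).digest()[:16]


def tag_report(key: bytes, meter_id: str, counter: int, kwh: float) -> bytes:
    """The tag covers the meter ID, a monotonically increasing counter and the
    reading, so the ID cannot be swapped and the report cannot be replayed."""
    msg = f"{meter_id}|{counter}|{kwh}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class HeadEnd:
    """Utility-side collector.  key_for(meter_id) returns the key the head-end
    expects that meter to authenticate with."""

    def __init__(self, key_for: Callable[[str], bytes]):
        self.key_for = key_for
        self.last_counter: Dict[str, int] = {}
        self.billed: Dict[str, float] = {}

    def accept_report(self, meter_id: str, counter: int, kwh: float,
                      tag: bytes) -> bool:
        expected = tag_report(self.key_for(meter_id), meter_id, counter, kwh)
        if not hmac.compare_digest(expected, tag):
            return False                      # wrong key for this ID
        if counter <= self.last_counter.get(meter_id, -1):
            return False                      # replayed or stale report
        self.last_counter[meter_id] = counter
        self.billed[meter_id] = self.billed.get(meter_id, 0.0) + kwh
        return True


def shared_key_for(meter_id: str) -> bytes:
    return SHARED_KEY                         # every meter, one key


def per_device_key_for(meter_id: str) -> bytes:
    return derive_meter_key(MASTER_KEY, meter_id)


def spoof_report_accepted(key_for: Callable[[str], bytes]) -> bool:
    """The article's premise: meter A's key has been read out of its chip.
    A 5 kWh report is submitted under neighbour B's ID using A's key.
    Returns whether the head-end books it to B."""
    head_end = HeadEnd(key_for)
    key_a = key_for("METER-A")
    forged_tag = tag_report(key_a, "METER-B", 1, 5.0)
    return head_end.accept_report("METER-B", 1, 5.0, forged_tag)


def legit_then_replay(key_for: Callable[[str], bytes]) -> Tuple[bool, bool, float]:
    """A genuine report from B is accepted once; the identical bytes sent
    again are rejected by the counter check.  Returns (first, second, billed)."""
    head_end = HeadEnd(key_for)
    tag = tag_report(key_for("METER-B"), "METER-B", 7, 2.5)
    first = head_end.accept_report("METER-B", 7, 2.5, tag)
    second = head_end.accept_report("METER-B", 7, 2.5, tag)
    return first, second, head_end.billed["METER-B"]


if __name__ == "__main__":
    print("shared key, spoofed ID accepted:    ", spoof_report_accepted(shared_key_for))
    print("per-device key, spoofed ID accepted:", spoof_report_accepted(per_device_key_for))
    print("per-device legit/replay/billed:     ", legit_then_replay(per_device_key_for))
```

Per-device derivation on its own is not enough if the derived key can still be read from the meter's chip: the article's point is that the keys were readable, so the derived key should live in a secure element or protected key store, and the head-end should treat one extracted key as the compromise of exactly one meter rather than of the whole network.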

There are two ways an attacker could control power delivery within a one-kilometer radius. "One would be to access one meter and use it as an entry point for the network," Vazquez Vidal says. "The second one would be to build a custom device that could be plugged anywhere, as long as the wires would not be too far from a meter, and use it to inject the commands in the network."

The researchers emphasize that they used their own internal network of smart meters, not the smart grid, for their testing. They used four meters to recreate a power grid network without touching the real one. "We are 99% sure [these attacks] would work in the real world," Garcia Illera says.

The really bad news is that there's nothing smart meter customers can do to defend against an attack.

"They cannot even choose not to have them at their homes. The only ones able to solve this situation are the electrical companies who are placing them," Vazquez Vidal says. "Since we do not own the meters that we have at home -- they are rented -- we cannot do anything about it… Besides, it could be considered [by the power company] as manipulation" of the devices.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Marilyn Cohodas,
User Rank: Strategist
11/16/2014 | 2:13:39 PM
Re: Solution?
Incenting the smart meter manufacturers to do more about security would definitely be a step in the right direction, and the utilities certainly could play a role, similar to how they promote energy efficiency by promoting appliances certified by the EPA's Energy Star program. A similar program could be developed for security in the IoT.
LongevityRescuer,
User Rank: Apprentice
11/16/2014 | 9:37:40 AM
Security is only one of the many concerns
Aside from the security, financial, and privacy issues, according to independent scientists smart meters add to our overexposure to EMF radiation. See what the experts describe as the BIGGEST health crisis humanity has ever faced at EMFsummit


TeresaStevens,
User Rank: Apprentice
11/13/2014 | 2:24:14 PM
Solution?
Do you believe that the only solution is for the energy utilities to incent the smart meter manufacturers to build in security?
Kelly Jackson Higgins,
User Rank: Strategist
10/2/2014 | 3:17:22 PM
Re: Configuration Management FAIL
Unfortunately, it's a common theme among so many networked consumer devices today--poor encryption key practices, built-in backdoors, default passwords. You name it. Until these manufacturers start addressing security, it will only get worse.
DGtlRift,
User Rank: Apprentice
10/2/2014 | 10:02:01 AM
Configuration Management FAIL
I hate the way symmetric keys are used in HLS-DLMS, but the assumption of this vulnerability is that the utility would use the same symmetric key-pair amongst all the population of their meters. That's just bad practice, and is basically inviting trouble.