
10/1/2014
04:20 PM

Smart Meter Hack Shuts Off The Lights

European researchers will reveal major security weaknesses in smart meters that could allow an attacker to order a power blackout.

A widely deployed smart meter device can be programmed to cause a power blackout or commit power usage fraud.

Researchers Javier Vazquez Vidal and Alberto Garcia Illera will reveal this month at Black Hat Europe in Amsterdam how they reverse engineered smart meters and found blatant security weaknesses that allowed them to commandeer the devices to shut down power or perform electricity usage fraud over the power line communications network. The researchers aren't disclosing the specific smart meter manufacturer at this time -- they haven't yet disclosed anything to the vendor in question, either. They have hinted heavily that it's a brand installed broadly in Spain.

The smart meter device Vazquez Vidal and Garcia Illera tested stores the same pair of symmetric AES-128 encryption keys inside every such device. An attacker who lifted these keys would be able to send commands -- including an order to shut down power -- directly to the smart meter. The microchip inside the device contains the readable keys, the researchers say.

"The device is not properly secured," Vazquez Vidal says. "Once you've got the [encryption] keys and know the hardware, you can have full control of the network in a really big area… to turn off and on the lights remotely, and you could know power consumption in a house [to determine] if someone is in the house" at that time.

With the encryption keys in hand, an attacker could easily sniff the data or inject his own commands into the device or devices, he says. "You didn't need any tools to trigger the vulnerabilities we found."

Garcia Illera says he and Vazquez Vidal basically cracked open a couple of the smart meter devices and reverse engineered the hardware. "There were very scary things we found. You can practically turn the lights off in a city or neighborhood" with these flaws.

They also discovered it was simple to spoof the identifier code on each device. So a malicious customer could spoof the identifier code of a neighbor's smart meter so that his power consumption would appear to be coming from his neighbor's meter. The neighbor then would be billed for that power usage.

"You just need to scan [or ping] the network for meters that are close to yours, and once you find a valid response, you just use that ID," says Vazquez Vidal.

There are two ways an attacker could control power delivery within a one-kilometer radius. "One would be to access one meter and use it as an entry point for the network," Vazquez Vidal says. "The second one would be to build a custom device that could be plugged anywhere, as long as the wires would not be too far from a meter, and use it to inject the commands in the network."
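An added example, not part of the original article or the researchers' work: the utility-side fix for the two weaknesses described above (one key pair shared by every meter, and an identifier any meter can claim), using per-meter key diversification. The message framing, the names (`derive_meter_key`, `HeadEnd`, `METER-A`) and the key values are assumptions for illustration, and HMAC-SHA256 from the Python standard library stands in for the meters' AES-128 cryptography.

```python
import hashlib
import hmac

# Constructed sample values; not taken from any real meter or utility.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # stays at the utility head end
SHARED_KEY = bytes.fromhex("0f" * 16)  # flawed design: the same key in every meter

def derive_meter_key(master_key, meter_id):
    """Per-meter 128-bit key diversified from the master key and the meter ID."""
    mac = hmac.new(master_key, b"meter-key-v1|" + meter_id.encode(), hashlib.sha256)
    return mac.digest()[:16]

def tag_message(key, meter_id, counter, payload):
    """MAC over ID, counter and payload so none of them can be swapped."""
    msg = meter_id.encode() + b"|" + counter.to_bytes(8, "big") + b"|" + payload
    return hmac.new(key, msg, hashlib.sha256).digest()

class HeadEnd:
    """Utility-side verifier: picks the key for the claimed ID, rejects replays."""
    def __init__(self, key_for):
        self.key_for = key_for      # function: meter_id -> key
        self.last_counter = {}

    def accept(self, meter_id, counter, payload, tag):
        expected = tag_message(self.key_for(meter_id), meter_id, counter, payload)
        if not hmac.compare_digest(expected, tag):
            return False            # tag was not made with this meter's key
        if counter <= self.last_counter.get(meter_id, -1):
            return False            # replayed or stale counter
        self.last_counter[meter_id] = counter
        return True

def run_scenario(key_for):
    """Meter A's key is used to claim meter B's ID, then A's message is replayed."""
    head_end = HeadEnd(key_for)
    key_a = key_for("METER-A")      # the key held inside one meter
    reading = b"kWh=412"
    honest = head_end.accept("METER-A", 1, reading, tag_message(key_a, "METER-A", 1, reading))
    spoofed = head_end.accept("METER-B", 1, reading, tag_message(key_a, "METER-B", 1, reading))
    replayed = head_end.accept("METER-A", 1, reading, tag_message(key_a, "METER-A", 1, reading))
    return honest, spoofed, replayed

def shared_design():
    return run_scenario(lambda meter_id: SHARED_KEY)

def diversified_design():
    return run_scenario(lambda meter_id: derive_meter_key(MASTER_KEY, meter_id))
```

With the shared key the head end accepts the message that claims the neighbour's ID; with diversified keys it rejects it, and one meter's key no longer speaks for the whole population. The master key remains a single point of failure, which is why it never leaves the head end in this sketch.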

The researchers emphasize that they used their own internal network of smart meters, not the smart grid, for their testing. They used four meters to recreate a power grid network without touching the real one. "We are 99% sure [these attacks] would work in the real world," Garcia Illera says.

The really bad news is that there's nothing smart meter customers can do to defend against an attack.

"They cannot even choose not to have them at their homes. The only ones able to solve this situation are the electrical companies who are placing them," Vazquez Vidal says. "Since we do not own the meters that we have at home -- they are rented -- we cannot do anything about it… Besides, it could be considered [by the power company] as manipulation" of the devices.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Marilyn Cohodas,
User Rank: Strategist
11/16/2014 | 2:13:39 PM
Re: Solution?
Incenting the smart meter manufacturers to do more about security would definitely be a step in the right direction, and the utilities certainly could play a role, similar to how they promote energy efficiency by promoting appliances certified by the EPA's Energy Star program. A similar program could be developed for security in the IoT.
LongevityRescuer,
User Rank: Apprentice
11/16/2014 | 9:37:40 AM
Security is only one of the many concerns
Aside from the security, financial, and privacy issues, according to independent scientists smart meters add to our overexposure to EMF radiation. See what the experts describe as the BIGGEST health crisis humanity has ever faced at EMFsummit


TeresaStevens,
User Rank: Apprentice
11/13/2014 | 2:24:14 PM
Solution?
Do you believe that the only solution is for the energy utilities to incent the smart meter manufacturers to build in security?
Kelly Jackson Higgins,
User Rank: Strategist
10/2/2014 | 3:17:22 PM
Re: Configuration Management FAIL
Unfortunately, it's a common theme among so many networked consumer devices today--poor encryption key practices, built-in backdoors, default passwords. You name it. Until these manufacturers start addressing security, it will only get worse.
DGtlRift,
User Rank: Apprentice
10/2/2014 | 10:02:01 AM
Configuration Management FAIL
I hate the way symmetric keys are used in HLS-DLMS, but the assumption of this vulnerability is that the utility would use the same symmetric key-pair amongst all the population of their meters. That's just bad practice, and is basically inviting trouble.