Smart meter SSL screw-up exposes punters' TV habits

White-hat hackers have exposed the privacy shortcomings of smart meter technology. The researchers said German firm Discovergy apparently allowed information gathered by its smart meters to travel over an insecure link to its servers. The information – which could be intercepted – apparently could be interpreted to reveal not …

COMMENTS

This topic is closed for new posts.


Silver badge
Thumb Up

Class Act

"Nikolaus Starzacher, chief exec of Discovergy, was among those who attended the presentation. He thanked the researchers for their work and promised to adapt Discovergy's technology so as to minimise potential security and privacy concerns."

23
0
Thumb Up

Given that 90% of execs who heard about this would have tried to sue them to stop them presenting, this is a remarkable outbreak of common sense... Can we clone him and put the clones in charge of some other companies, please?

19
0
Rob
Bronze badge
Go

Why stop there...

... we have a whole government that needs replacing.

10
0
Anonymous Coward

Re: Class Act

Exactly my thoughts. Adobe et al. could learn a thing or two.

1
0
Silver badge
Go

He's not an American.

'Nuff said

5
2
Anonymous Coward

What about the Governator?

0
0
Silver badge

Sir

So, even with all the hand-wringing that was done when these meters were announced they didn't bother to perform even the most basic of diligence regarding the security of the data.

That's FAIL 2.0 in my book.

Never liked these things, and as for a 2 second granularity - wtf!?

As for running lights 12 hours on, 12 off - well, sheeeeit.

2
0
Silver badge

Security is fine

The customer's details and systems are 100% protected 100% of the time.

"Customer" in this case being the utility company who owns the meter.

The consumer's security is of no corporate or regulatory concern. :-(

7
0
Silver badge

Sir

Unfortunately even that isn't true, since they were able to intercept the traffic and inject their own readings before sending it back to the utility company.

3
0
Black Helicopters

...coral, one presumes...

...one wonders if it would be possible to install some form of 'scrambler' device between the meter and the fuse board. I'm guessing we're talking about some form of intelligent capacitor. My main concern would then be the efficiency of the system, as whatever% inefficiency would then manifest as whatever% increase in energy consumption. Oh yeah, and then there's inevitable delay between 'turn on' and 'power arrives', unless the 'scrambler' has some pretty hefty constant capacity in reserve, or a bloody great battery (same thing?). All of which are gonna do nothing to improve efficiency or lower build costs.

I suppose it might almost be easier to have your devices individually scrambled, to avoid having to juggle the current from the whole house. Just scramble the ones you feel sensitive about. Like the lights above your, um, aquarium, say... (*cough)

0
0
Anonymous Coward

TEMPEST

These interception methods have been around for about 40 years ... that's just about long enough for all the engineers who actually understand the problems to retire. The only thing new here is that the smart meters were built and designed by some wet behind the ears engineers.

1
3
C-N
Mushroom

all the engineers who actually understand the problems...

"wet behind the ears engineers."

Cool story bro. Let me tell you how things work in the real world.

Every time any company gets a choice of properly vs cheaply what do you think they choose?

Until the decision makers at the top are taken to task over crap like this, expect the worker bees to do as they're asked / told. This isn't your father's job market so don't expect engineers to resign in protest over a failure to do some job right vs just-good-enough-to-remain-employed.

You may not like it, I certainly don't, but that's the way it is.

11
0
Thumb Down

"These interception methods have been around for about 40 years ... that's just about long enough for all the engineers who actually understand the problems to retire. The only thing new here is that the smart meters were built and designed by some wet behind the ears engineers."

Nice rant, but what you miss here is that TEMPEST (shielding of all emissions to avoid interception) is hardly the answer when information has to travel quite some distance from the appliance to the central server. That's what encryption is for. And I would bet that very few of these now retired engineers that worked on TEMPEST 40 years ago know about modern encryption technology.

3
0
Silver badge

"Suppliers want to introduce the technology not only because it simplifies the process of collecting meter reading, but also because it makes it easier to control supply at times of peak demand. The technology also makes it easier to switch late or unreliable payers onto higher tariffs."

Don't forget the savings from sacking all those fleshy meter readers. The return from selling off the vehicles they use and the savings from not fueling those vehicles. I dare say that despite these savings the consumer will not see a reduction in the cost of electricity and maybe even see an increase in costs to pay for the technology.

8
0
Silver badge

If it makes...

...readers harder to steal, that's a good thing (I have been the victim of meter theft, the police don't regard it as a priority and the utility companies won't lift a finger without a police response; if it happens to you, you are in for at least a week without power/gas).

Umm...I think that's about the only benefit I can see with the things.

2
1
Terminator

lights out

You could eschew the usage of electricity, fooling everyone into thinking you aren't home, effectively shutting off the meter.

Ever notice you never hear about "billing systems" malfunctioning?

2
0
WTF?

What the heck...

...do they do with the meter when they've nicked it? Surely the scrap value can't be that high and I am presuming that it'd be pretty hard to sell as it is. Am I perchance missing something here?

1
0
Silver badge

@sabba

Simple. They swap it for their meter, use power/gas for a while, then swap it back before the meter reader comes; makes them look like they've used less power/gas. Scrap has nothing to do with it.

Trust me, I was as shocked/puzzled as you were. TransCo told me it was pretty common. The scum will even break-in to get the meter!

However, rather than bare my private to a utility company I installed a decent security light.

4
0
Silver badge
WTF?

Really?

Why don't they just bypass their own meter without swapping yours in? Simpler, and less risk of being caught.

I initially thought you had a pay-as-you-go meter, and they were stealing the coins (probably wouldn't work with a card meter, though).

2
0

Meter theft

That may be one of the reasons why most homes in mainland Europe have their utility meters inside.

But then most of these houses also have basements.

3
0
Silver badge

@Allan George Dyer

I asked that too - the meters apparently use non-standard connectors and as one doesn't really want to pass the regulator (mains pressure in domestic pipes? Yikes!) it is actually easier/safer to steal the meter.

There's a rash of thefts around this way at the moment.

@Davidoff

Yes a basement would be nice, but they will break-in to steal the meter.

And one cannot secure the meter for obvious reasons (access may be required in an emergency). Although I did consider fitting a light-sensitive diode inside the cabinet connected to an alarm inside the house.

1
0

No benefit for the consumer and we have to surrender all energy privacy to the energy company and are under their total control.

...And we get swamped in yet more wi-fi signals (which may or may not be harmful)

Great.

I don't want a smart meter and I'm going to do anything I can not to have one (whatever that is).

3
1
Anonymous Coward

Faraday cage around the meter cupboard?

1
0
C-N
Pirate

Naw

Fancy load-leveling or load-randomizing UPS like device. They'll think I watch looney toons and eat microwave popcorn 24 hours per day.

2
0
Silver badge
Happy

On the other hand...

...an enterprising person could rig up a PIC to randomly switch a couple of 60W bulbs on and off randomly to add plenty of "noise" to the recorded consumption levels. There you go, privacy back again.

0
0
Gold badge

Why bother with a PIC? You've been able to buy "Pretend I'm at home" light switches and timer-controlled sockets for yonks.

Of course, in these "enlightened" days, you might not be able to buy a 60W light bulb anymore.

3
1
Silver badge

@ Ken

Bother with a PIC because if the thing is going to read the fluctuations in consumption from a large LCD telly, you will need to modulate a lightbulb fairly rapidly (several times a second) in order to mask these fluctuations, and at random intervals. A "I'm here, see?" gadget will have no more effect than turning on a lamp - namely, none. The consumption will alter, but the fluctuation pattern will remain, and can still be detected.

Good point on the "enlightened days", I'm not sure how a stupid eco bulb will take to being switched at 10-20Hz? You can get compromise bulbs (halogen projector bulb inside) which might fare better?

0
0
Pirate

If the security is this crap...

If the security is this abysmal, then we can cheerfully expect the meter to have absolutely no protection whatsoever from man-in-the-middle attacks. This would mean that with a suitable hardware black box tacked onto the thing, a meter could be seeming to give a completely normal household read-out, whilst the power was being leeched at a truly staggering rate.

If this is possible, I would expect that the drug farmers would find this quicker and safer to do than the current method of bypassing the meter altogether, or tying in to the streetlamp circuits for power.

6
0
Anonymous Coward

You don't suppose

You don't suppose the domestic energy consumption changes if you put the kettle on? Or put the bathroom light on? Or the heating/hot water thermostat changes state? Or any of the many other things which would make the power consumption changes due to the film itself maybe literally "disappear in the noise".

I mean, there's plenty of real threat stuff to talk about here. But then they're probably right, without the unnecessary and barely believable/relevant "we know what you've been watching (assuming it's a film we've profiled)" comments they may not have got this article.

1
0

Actually it's just as likely to reinforce what you're doing as hide it: classic scenario (long since known in the electricity industry), Eastenders/Coro/whatever finishes, a couple of million households put the kettle on (in the same way that lots of dogs in my 'hood seem to get walked by blokes between 19.30-20.00). If you've got a house with several people doing different things at once, then it would be more difficult, but with a big enough sample a statistical analysis will pull an awful lot of trends out. Someone would have to put a lot of effort into it, but it's probably more accurate than the old TV detector vans.

1
0
Anonymous Coward

Yep, the surge in grid demand when the Queen's Speech (or the commercials in Corrie or whatever) comes on is a well known phenomenon, although its importance is decreasing somewhat now there are fifty seven channels with nothing on, rather than just three.

"with a big enough sample a statistical analysis will pull an awful lot of trends out."

No it won't, adding dissimilar signals (different punters watching different things) does *not* reinforce the ability to work out the underlying pattern(s), unless a *lot* of them are watching the same thing (see above).

"more accurate than the old TV detector vans."

Probably more accurate than the new ones too, given that modern TVs no longer have line output transformers and that kind of thing (and there are computers that know which addresses don't have TV licenses).

0
0
Stop

Great, you can spy on me...

Unless there's no mobile signal.

They came to fit one of the gas smart meters in my in-laws the other week.

Poor bloke turned up 3 hours late after problems fitting the one at the previous job, stuck his head in the cupboard under the stairs where the meter is and took out a signal meter.

Two minutes later, he was on his way as there was not enough signal on either of BG's preferred mobile provider networks.

It isn't as if they are in the middle of nowhere like a lot of our country, they're on the edge of a large town. Until the mobile providers have a 100% coverage obligation, the current meters are doomed, especially if you live in an old house with thick walls.

2
0
C-N
Trollface

Is it April First?

chief exec...attended the presentation... thanked the researchers... promised to fix...

You guys are pulling my leg. You almost had me.

5
0
Pirate

Kaboom

And the next step for any terrorist org is to hijack a city or two of meters, switch them off, wait a bit till everyone switches x, y and z on wondering why there is no 'leccy then turn the whole lot back on at the same time. Nice big power surge should take out the local grid...

3
0
Silver badge
Big Brother

Well, there goes the environmental benefit of smart meters!!

Now I have to set my second TV to play Citizen Kane, Casablanca, On the Waterfront, 2001 A Space Odyssey, public affairs programs and other high-brow entertainment while I am not at home, and I have to run my big TV off a portable generator so that I can watch my usual trashy series, sports and occasional soft core while still maintaining my sophisticated, urbane public persona!!

So while big brother is watching me expanding my horizons, I will be watching "Bikini Babes of Brazil", or some such uplifting entertainment!

Curse you, progress!!!

3
0
Anonymous Coward

Designed by Indians(just graduated in bombay!)...

installed by Cowboys,

Instigated under a green flag by Greedy Idiots for votes

the worst part of this kit is the fact it's permanently ON and broadcasting via 3G 24/7 at full power!

never mind the Wifi smart grid electro-smog,

combining these together and you really are looking at the perfect storm of ELECTO-SMOG which will cause even more health issues for consumers across the world.

the only hope is screening the kit either before by fitting a steep box to fully enclose the entire unit (with room to spare for the larger sized meter) or covering it in very expensive silver shielding cloth once it's fitted.

and has anyone actually scientifically proved that these devices are completely safe for consumers..... i don't think so.!!!!

1
11
WTF?

electo-smog(tm)

i think you need to lay off the drugs

seriously you're sitting in front of a pc, no doubt own a phone, and you aren't on an island in a faraday cage.

because you can only blame yourself for these problems you casually disregard them to whine about a meter that sits in cell standby like your phone and beams out some data at some scheduled interval.

and a silver shielding cloth? copper will work just fine. use lead if you want something more hazardous than the meter around...

3
0

"has anyone actually scientifically proved that these devices are completely safe for consumers"

Umm.... Yes.

Thanks for the plug opportunity: http://www.soronlin.org.uk/mobile-phones

That's for mobile phone masts, but the maths are there to disprove your point: Using a mobile phone for 15 minutes a day has three thousand times the effect of its regular polling of the cell for five seconds every ten minutes. Make that five times larger for the smart meter polling interval, and it's still 600 times less than making a 15 min. phone call. The figures are for 8 hours, so we should make it three times larger, or a mere 200 times less than a 15 minute mobile phone call.

Assuming you are an average of five metres from the meter, you should reduce that by another factor of 25, since the numbers are worked out for a distance of one metre.

So having the smart meter active is 5,000 times less damaging than a 15 minute mobile phone call per day, or 333 times less than a one minute call per day.

You may not use a mobile phone for one minute or fifteen minutes a day, but many, many people use one for much longer than that. If smart meters caused any damage, then many, many people would be seriously damaged by their mobile phones. Mobile phone users are the canary that would warn of possible injury from smart meters. There is no discernible injury to mobile phone users, and therefore smart meters are safe.

3
0
Anonymous Coward

Electrosensitive?

JREF or STFU! :)

0
0
FAIL

@rurwin

"has anyone actually scientifically proved that these devices are completely safe for consumers"

"Umm.... Yes."

Ummmm...... *NO*

What they, whoever 'they' are, have shown is that there is no evidence that low levels of exposure to radio transmissions is harmful to health.

That is not the same as saying low levels of exposure to radio transmissions is safe.

I can imagine the Wright brothers saying the same thing, "we've no evidence that powered aircraft crash causing fatalities..... Who? Otto Lilienthal! No he was killed in a glider crash, totally different thing".

0
1
Silver badge
Boffin

@Field Marshal Von Krakenfart

Has anyone scientifically proved that posting to El Reg is completely safe...??

0
0
Silver badge

@Field Marshal Von Krakenfart

Very hard to prove a negative, no evidence of risk is as close as one will ever get.

All this talk of "electrosensitivity" is utter bollocks. There has simply been no evidence of it and what tests have been done (putting an "electrosensitive" in room where wiring was switched on/off) simply showed they had no sensitivity.

1
0
Silver badge
Big Brother

It isn't a bug

it's a feature. Why else would you sample every couple of seconds unless you were looking for signatures?

I'm pretty sure that there are plenty of people who would like to know what you are doing and when. Apart from the marketing opportunities of knowing what people are watching. I would imagine that all those computer-controlled washing-machine programmes also have fairly unique signatures. You can probably tell when a coffee machine kicks in (shorter than a kettle, but equally high power).

Mine the data after a couple of years and you can probably tell who is going to need to replace various appliances and when. Also, who might be annoyed with their current appliance vendor and be ready to move.

Pick out who is watching what and you might get a good idea of how they might vote too.

I look into my crystal ball and see Google getting into the energy generation business...

8
0
Black Helicopters

Don't Tell Chris Huhne!

This sounds mighty dangerous. If Chris Huhne gets to know about it he'll be getting the techies to rearrange the digital plumbing so that his missus gets his bill.

2
0
Stop

Proper Name for Smart Meter is Burgle me indicator

Drive round posh housing area, use radio to intercept and triangulate signals, bit of traffic analysis later, you know which house to go and rob.

That's without breaking the security (if implemented)

Given encryption is a time and resource based security methodology, how frequently will the vendors be rotating the encryption keys, who will have access to them to flog off to their criminal friends.

Smart Meters are all about the utilities companies making more money by getting rid of the costs of data collection, customer crime victim figures do not appear on their balance sheet..

4
0
Silver badge
Thumb Down

Burglars already know when you're out. It's called 'Office hours'. The only people still in their homes during office hours probably can't afford to buy anything worth stealing.

0
0
Happy

Assumption is you work for "Stone Age" employer, the minions must be seen sat in front of manager's desk to make him look important (the "presentism" culture of UK management)

However home working is a popular move, your staff work better when not p*s**ed off at BR/Failtrack, you can cut circa 25% of your expensive office space, and the staff get a better work/life balance, by ditching commute hours.

Thus burglar is increasingly likely to encounter large angry bloke working from home.

3
0
Coat

"Drive round posh housing area, use radio to intercept and triangulate signals, bit of traffic analysis later, you know which house to go and rob."

Then case the house using street view...

Program ASIMO to break in...

Icon: burglar searching your coat for the car keys.

2
0
Gold badge
Boffin

So how difficult is it to configure an SSL certificate server *correctly*

Is it a task requiring many years of study and wearing of sandals?

Or just a case of RTFM?

You can teach knowledge, but you can't teach thoroughness.

BTW Sampling *every* meter every 2 secs. Note that's not switching tariffs every 2 secs.

How often are they planning to bill customers?

1
0

Billing customers

I guess they'll bill the customers every 2 seconds as well. But you'll get about £1800 off per month if you opt out of paper billing...

Okay - I'll get back to work.

0
0
