back to article Smart meters pose hacker kill-switch risk, warn boffins

A leading computer scientist has warned of the security risks of using smart meters in controlling utility supplies. A programme is underway to replace Britain’s 47 million meters with smart meters that can be turned off remotely. Utilities welcome the move because it will greatly simplify the process of collecting meter …

COMMENTS

This topic is closed for new posts.

Page:

  1. Campbell
    WTF?

    Refuse

    Can we legally refuse these new meters?

    1. Anonymous Coward
      Anonymous Coward

      No

      The meter is the property of the electricity distributor, it isn't your property so they can pretty much do with it as they choose. Excepting that they are required to give you notice of disruption to your supply.

      Furthermore they are legally required to replace your meter every few years. So even if you did manage to hold out for a short while you would be legally required to let them change the meter when it got to the end of it's life.

      You'll probably find a clause in your contract saying they have the right to cut you off should you refuse access to the meter. You'd certainly find that clause if I were supplying your electricity. ;)

      1. william henderson 1
        Happy

        every few years?!!

        I've lived in my house for 49 years,i am on my third meter, so i can hold out for a bit then.

    2. Anonymous Coward
      Anonymous Coward

      Re: Refuse

      Sure, but you'll have to live "off grid" then. :)

    3. Anonymous Coward
      Anonymous Coward

      no need

      I plan on "never being in" when they get rolled out to my area. pretty sure they aren't allowed to break in to install them.

      1. Anonymous Coward
        Stop

        Re: Not allowed to break-in...

        Actually yes they are. So are the gas people. Funny ol' world innit?

  2. Lionel Baden

    well

    I cant get a signal for shit where i live

    But even if i could get a signal i wouldnt want one of these near my fucking supply

    Case in point

    Switch to new provider they mix up day night rates the first quarter = £1700 (normal £350)

    They demand the money i say Fuck off

    they threaten to cut me off i state you cannot i have small children and you are not following up the case i have argued you have ignored it and still demand the money

    They then have the cheek to ask me to pay the bill and then when it gets resolved they will pay it back (like Fuck)

    resolved and it turns out that i owed them around £220

    With smart meter they would of just demanded the money and just cut me off without

  3. TWB

    @Andy Mc

    I don't see why it has to be wireless and even if it was why one of the current standards - it could be a closed proprietary system.

    Also if it is all done in the electricity meter, why not contain everything in there like is currently done with the rolling dials - provide no way into the device except via the power line or those allowed to do so - tampering with an electricity meter you'll end up in jail (I know an idiot who did) - who is going to have a powerline-data interface in their kitbag and why would it use IP or other well know network protocols?

    I suspect I am still naive but I also think it is not impossible to make a secure-enough system - semtexing (sp?) a substation would be much easier thank a hack shurely?...

    1. hplasm
      Boffin

      Well-

      In my kitbag I would have a similar meter, hacked up with a 13Aplug on one end and a USB socket sticking out of a hole in the back.

      If I was in that line of er, work.

      I would also know all about the protocols etc, as I would probably have been involved with the internals of such meters at some point.

      It's not Rocket Science- unless you get across two phases...

    2. John Smith 19 Gold badge
      Coat

      @TWB

      "I don't see why it has to be wireless and even if it was why one of the current standards - it could be a closed proprietary system."

      Cost. As to *your* approach Google the phrase "Security by obscurity."

      "who is going to have a powerline-data interface in their kitbag and why would it use IP or other well know network protocols?""They will *almost* certainly have a GSM receiver and Wireshark or similar to handle the protocol dissection. If they are *that* interested they *will* have a power line interface. BTW the "interface" can be as simple as a 1M Ohm resistor wired into a pin of a microcontroller. A lot of power electronics work consists of making *very* sure you fingers cannot *ever* touch one of the bits at full mains.

      "why would it use IP or other well know network protocols?"

      Cost and time to market. Which is why the UK roll out will *probably* use most of the same (demonstrated insecure) meters rolled out in the US.

      "I suspect I am still naive"

      You are.

      " but I also think it is not impossible to make a secure-enough system - s"

      Impossible. No. Difficult and involving a lot more hard work than the makers have so far shown themselves *willing* to do so, yes.

      Mine will have the copy of the PIC application notes in the oversize side pocket.

  4. Anonymous Coward
    Anonymous Coward

    no more meter readers then?

    so in the future some people of lesser means will simply bypass the meter knowing that no one will ever come around and see the electricity being stolen.

    no doubt the bills will go up to compensate, so the number of thefts go up etc etc

    I wonder if there's a way you can inject static into the wires to disrupt the comms? When I was doing city and guild electronics in the 80s we were switching the streets lights on and off over the mains, so the technology has been around for ages

  5. Anonymous Coward
    Welcome

    Not again

    Great, new meters again. I look forward to another £800 bill because some twat can't type the previous meter reading into the right box.

  6. This post has been deleted by its author

  7. Anonymous Coward
    Alert

    This ain't a new threat

    back in the day (about 8 years ago) I heard a horror story of a fairly big UK utility using SNMP to control their grid switches. Default Public Private community strings using real routable IP addresses and firewall acls set to any any.

    Things have improved a little since then, least not cisco's new range of hardened routers and switches that can cope with 11kVsurges.

    Anyway WTF has this got to do with smart meters?

  8. Anonymous Coward
    Anonymous Coward

    I do love an unfounded security scare

    I don't suppose the unhackable security system exists, but assuming that something is not secure simply because it is an electronic system is a complete nonsense. He doesn't even know yet what standard is going to be adopted, but he's already rubbishing it. Here's a man looking for publicity and a few radio talk show fees, he's a shoo in for the Jeremy Vine show and I'm sure the Daily Fail will pay him for an interview. Or maybe he was turned down for a job on the project?

    Anyhoo it's not like our electrical distribution system isn't particularly secure anyway. The usual outdoor meter in a wall box is particularly insecure, but then substations aren't secure either. All you need is an old bike, just so long as you remember you're only supposed to blow the bloody doors off. Ahem.

    The current system of putting the meter in a box outside your house is particularly prone to interference. The official line is that they put them there so they can read your meter without having to bother you. However it's really so they can cut off your supply without having to get into your house. This is prone to tampering, I know plenty of people who have had their electricity supply switched off for a prank. It was a common mischief night and trick or treat prank a few years ago. OK so it's fairly easy to spot what's happened, but it can be done to your gas meter almost invisibly. In order to cut off your supply the supplier shuts off the tap, unscrews the pipe on the property side and inserts a cap (a metal disk) and screws the pipe back on. Vandals have been known to pull the same trick, but flicking the tap back on afterwards so it looks like the supply is on.

    It would be nice to think they would move meters back into houses when they introduce smart meters, but they probably won't.

    1. Captain Thyratron

      It's not that it's electronic.

      The problem isn't that it's electronic. The problem is that it's on a network that is necessarily no further than a few meters from the fingers of tens of millions of people, and that it creates a /massive/ incentive for somebody to figure out a way to break into that network.

      It is a ubiquitous, physically indefensible, extremely high-value target. Is it not wiser to avoid this situation altogether than to try to solve an expensive and ultimately insoluble problem that doesn't need to exist?

  9. Paul 139
    Thumb Up

    One step closer ...

    .. to being able to send a surge of power through the keyboard of that 'tard who truly deserves it.

  10. Anonymous John

    Title

    Will I be able to hack my own meter? And get paid for the 50Mw/H I feed into the National Grid?

  11. Dork Lard
    WTF?

    Why can't meters just meter?

    Surely most of the gains from remote metering will be had just from the metering/billing part of the program.

    Unless the idea is to run the country with power cuts as a normal part of the service there should be little need to cut off anyone's energy supply; don't they currently need a court order of some kind to do this at the moment?

    The solution has to be that Parliament acts to clearly legislate what remote metering can do (i.e. say they can't have the capability to remotely disconnect users). The national security aspects of this should be reason enough to act (or maybe the government likes the idea of a remote kill-switch - hypothermia is one way of cutting the pensions deficit).

  12. Robert Carnegie Silver badge

    I think this must be mainly about meters on the infrastructure?

    Not meters in homes - which, as some are saying, are unlikely to be able to disable the domestic supply.

    The infrastructure, however, needs to be able to switch around where electricity is coming from, and to pay for it. There is an argument for both of those functions to be remote controlled.

  13. Anonymous Coward
    Grenade

    utilities typically have legal right of access

    "pretty sure they aren't allowed to break in to install them."

    Betcha they either are already or will be by the time it happens.

  14. JaitcH
    Pint

    All it takes are three ferrite toroids

    Ontario, Canada has switched to these interactive meters.

    Toroids placed around each feed, including the neutral, should happily isolate your meter. Some systems are using a Wimax system, bit shielding will defeat these weak signals.

    The upside is they will have to keep on employing meter readers!

    1. Anonymous Coward
      Anonymous Coward

      Although

      The down side is you can get sent to prison for tampering with a public utility.

  15. GettinSadda
    Alert

    It seems quite possible!

    These devices seem to be less secure than the average PC - so things need to be sorted!

    http://www.smartmeters.com/the-news/893-security-firm-reveals-smart-meters-vulnerability.html

    What would happen if someone gained access to the system via some sort of hack, and instead of making a nuisance of themselves and drawing attention, they simply set off a script to turn off every meter, one-by-one as fast as they can. How long do you think it would take before enough load had been removed that the oversupply would cause serious long-term damage to the network? I would guess between 5 and 15 minutes.

  16. Anonymous Coward
    Thumb Up

    for what it's worth at least one of these meters is well secured.

    I worked on one of these smart meters for a previous employer.

    The smart meter hardware was not accessible from outside the fusebox (inductively powered).

    The meter encrypted all data with 256-AES as a block cypher (i won't disclose the stream cypher built around it, but suffice to say it's an encrypted-authenticated protocol) prior to broadcasting to a USB dongle attached to

    the user's pc.

    This encypted data was passed to the electric company servers, decrypted there and

    the data used for graph generation and peak usage analysis.

    The cypto protocols were designed by a proper cryptographer at a truly eye watering daily rate.

    Key points.

    1) you can't shut the thing off remotely as you can't communicate with the meter directly.

    2) all data is encrypted between meter -> dongle -> server

    3) the key on the meter's only help you with that meter and don't help you touch any other meters.

    4) no keys are stored on the dongle and the meter key is burned in at manufacture time.

    5) the protocol between the server and the meter had some nice safeguards built in so someone trying to hijack an established connection would fail, hard causing that meter to be flagged.

    6) the meter itself is an embedded board(no external connections), so in short unless you remove your own meter, reverse engineer it to derive the key *AND* somehow break into the server with the master keys, all you have is a really rather useless meter that will be spotted next time you try to connect to the server.

    @AC 15:55

    Professor Anderson is quite well known in crypto circles, I suggest you google him prior to gobbing off about him trying to get publicity.

    1. Jellied Eel Silver badge
      FAIL

      Rental?

      Cool. so how much can we charge the utility for use of our PC's or USB port rental, and by relying on customer's PC's, what risks/vulnerabilities does that add? Presumably there are PC, Mac, Linux, PS3, Xbox versions of any dongle->net code as well?

      Pretty neat if installation requirements for a new leccy meter include a PC and 'net connection.

      1. Anonymous Coward
        Anonymous Coward

        Re Rental

        Not quite, nominally the idea is that the meter is supposed to help you workout if you can save electric, but really the thing is just a method for working out that a particular electric signal is a fridge and not a telly, so you can more accurately model the usage profile of different times of day and adjust accordingly (you as a punter, not so much the electric company).

        As a punter, your bill will be more accurate but other then that, I couldn't really see any huge benefit to the punter for having one, no downside either really).

        The Net and PC combo is only if you want the pretty graphs as a user, the meter itself doesn't require an active connection, it just broadcasts encrypted data when ever a suitable dongle is in range.

        Sed

        Meter reading becomes, as simple as turn up to premises with laptop and 3gdongle with spare usb port.

        Insert dongle, wait a couple of seconds to grab the usage data and off you go, not much different from just looking at the numbers on screen.

        Given I wrote the code myself, I'm quite sure that the code only exists in my former employers git repo.

        About the only thing from that board that is available to anyone other then the manufacture is the AES implementation and fat lot of good that will do you.

        As for Mac/Nix etc version of the dongle code, no you have to log on to the website and *choose* to upload the data.

        Of course there are many versions of low power short range comms over usb out on the market but, it doesn't matter as the dongle itself doesn't forward the data, its just a passive consumer bit like a oyster card reader.

  17. karl 15
    Unhappy

    Greed greed and more greed

    "the technology also makes it easier to switch subscribers to new (higher) tariffs if they persistently fail to pay their bill on time."

    So low income families who struggle to pay the bill on time have to pay more in the end.

    This is just a way for the greedy bastards to make more money from people who can't afford to live.

    The well off get a tummy rub, the poor get a kicking

    1. John Smith 19 Gold badge
      Happy

      @karl 15

      "So low income families who struggle to pay the bill on time have to pay more in the end."

      In the UK this *already* happens if they use a card payment meter. The card tariff is *roughly* 100% higher per unit than bank payment accounts. Electricity companies explain this is because of the higher logistics costs and "Risk" of non payment.

      It is potentially a *very* good deal for electricity companies with very *unclear* benefits to the UK consumer.

  18. redtek

    Too late for us

    It just so happens that I talked to one of the fine people from SDG&E (our local utility company) who is installing the meters in our area. The utility has not done any testing that I am aware of but if you refuse installation of the new meter they will just cut your old meter and take it away leaving you without any juice.

    There is of course the upside for the utility company. The old analog meters tend to not report correctly in some cases since the motors get sluggish after a certain number of years. The customer gets a nice shock when there higher power bill shows up in the mail.

  19. Wile E. Veteran
    Thumb Up

    No problem so far here

    I have a split supply, one branch for my air conditioning unit and the other for the rest of the house. The meter for the A/C is a so called "smart" meter and my contract with the power company gives me a nice discount in exchange for permission to shut off my A/C for 10 minutes (maximum) per hour when the total system load on the grid exceeds some threshold. Who gets shut off is done on a round-robin basis.

    I've had this set-up for 12 years with no problems.

  20. Anonymous Coward
    Alert

    sleep tight

    Hopefully this is just for the electric - turning the gas supply off & on again, by accident or intent, is not quite the same thing...

    1. John Smith 19 Gold badge
      Thumb Down

      AC@06:59

      "Hopefully this is just for the electric "

      Go on hoping.

      It's true electronic gas meters are *less* accurate than their mechanical counterparts and despite running at least 5 years companies are phasing them out due to having to send a guy around every 5 years to replace the battery.

      Meanwhile in the UK utility companies are installing remote reading *water* meters. they seem to use an outside plate which acts as either an aerial or power connector.

      Logic says gas companies *will* want to find some way to do this. My guess would be some kine of absolute reading passive accumulating sensor which can be periodically powered up like an RFID tag or a miniature fuel cell (gas safety issues I know, needing to keep the air supply *absolutely* separate from the gas while venting the wast products).

      Note the water meter does not AFAIK have a remote cut off feature. Likewise a remote gas cut-off would need some muscle in the power supply to drive a valve shut or open it again *unless* it was a one shot, needs-a-gas-fitter-to-come-out-and-reset-it deal.

      Looks like whatever the utility lobbyists bunged that Labor peer to get this included in the bill was money *very* well spent.

  21. peter_dtm
    Pirate

    Oh !

    All those nice anti-capitlists will no doubt set the tarif to FREE !

    No, they'll never work that out,

  22. GKLR

    Nice for people who want to nick power

    Some in Australia are playing with these meters too. Generally if you get a smart meter you get a higher power bill. You see you get charged more during 'peak' periods. Apparently whenever the average family are getting a hot meal is a peak period..

    Still if you have a meter reporting power consumption via a separate data channel and you want to steal power hacking the meter or spoofing its data channel might be easier (and a lot safer) than hardwiring around an old meter...

    As to securing the system from remote - i.e. via the Internet - attack. Why would you connect a presumably closed network of electricity meters to the general Internet unless you were a total idiot?

  23. david 12 Silver badge

    Not so modern as you think

    My elderly mother has a Smart Meter here in Melbourne Vic, Aus. So perhaps London isn't so far in advance of the rest of the world as you would like to imagine.

  24. Tigra 07
    Welcome

    What next?

    We've had warnings about hacking implants, cars and now smart meters...

    Maybe vacuum cleaners will be next?

    I for one welcome our shiny, height impared, noodle-eating chinese hacker overlords

  25. A J Stiles
    FAIL

    And it's not even what would really be the best option

    Smart meters are solving the wrong problem anyway.

    Many people could generate a portion of their electricity requirement themselves from solar panels, wind turbines or micro-CHP (if an engine turns 3/4 of the fuel into heat and 1/4 into electricity, then why not use it as a boiler?) However, the present system actively discourages this.

    "Feed-in tariffs" mean that if you have a big enough home generation installation including an expensive grid-tied inverter, you can sell any surplus electricity you generate.

    But if you were to install something more modest -- perhaps covering just 50% of your needs, which would still represent a worthwhile reduction in the amount of fossil fuel consumed -- you would still have to pay a standing charge for the privilege of maintaining the wires to your home, just so you could fall back on the public grid when your own storage batteries were flat, or if you needed to run a more powerful appliance than your inverter could cope with.

    The electricity companies need to be made (because they're hardly likely to cut off a revenue stream of their own accord) to offer a tariff with no standing charge to consumers who generate some of their own.

    1. John Smith 19 Gold badge
      Thumb Up

      @A.J. Stiles

      "The electricity companies need to be made (because they're hardly likely to cut off a revenue stream of their own accord) to offer a tariff with no standing charge to consumers who generate some of their own."

      Excellent point. UK Electricity and gas are *highly* regulated markets. A fairly modest change in T&C's could have a *huge* impact on the overall viability of *lots* of schemes.

      More to the point they would start developers thinking about designing in some features from the *start*. Ground and air source heat pumps, solar cells, shared facilities like anaerobic digesters and wind turbines of a decent size are *all* better installed wholesale

      The devil is in the detail.

  26. Anonymous Coward
    Anonymous Coward

    IOactive: Zero Credibility

    Sorry, but I see IOactive attached to far too many stories where they are screaming "the sky is falling, only IOActive can help!" This smart meter issue has been way blown out of proportion. The hacks are all just proofs of concept. There is no evidence whatsoever that these attacks are happening in the wild or even could. NONE of these reports has done a test in a real environment. It is all lab testing with controlled conditions.

    In other words, its just FUD.

    1. John Smith 19 Gold badge
      Troll

      AC@15:57

      Well it's good to hear the voice of authority on this matter. I had no idea...

      And you are?

  27. Alan Lewis 1

    is it really about metering?

    Perhaps the devil is in the detail, the comment about "managing demand at peak times". A couple of years ago there were news stories that projections suggested that the UK would face an energy shortage around 2015, when a number of nuclear power stations would be decommissioned.

    As a country, we haven't addressed that yet. And it would appear that the utility companies are not prepared to crash build several new fossil powered stations, and neither administration was/is prepared to invest in nuclear (Labour ran down and then disbanded our expertise in nuclear technology, iirc, in 2005?).

    It would not suprise me if the real driver behind remote meters is to micro-manage the supply to consumers and/or areas. For example, rather then cut all power to a given post code are (or sub-station footprint), to 'throttle' the power available to consumers in a given area, to throttle/cut-off power to a given consumer profile, or to throttle/cut-off power to residential customers only.

Page:

This topic is closed for new posts.