back to article Smart grid security WORSE than we thought

Don't try crypto at home, kids: the Open Smart Grid Protocol project rolled its own crypto and ended up with something horribly insecure. This paper at the International Association for Cryptologic Research explains big issues with the OSGP crypto protocol deployed in as many as four million smart meters and devices. The …

  1. Ole Juul

    Just the beginning

    This is talking about attacks from the "bad guys". In this day and age where the "good guys" are equally suspect we can expect to see a whole new world of surveillance from our utility companies collaborating with government organizations of dubious intent.

  2. Anonymous Coward
    Anonymous Coward

    So The Enemy wants to see you to conquer you, the State wants to see you to control, and Private Enterprise wants to see you to mine you. How do you survive in a world where EVERYONE is out to get you?

    1. This post has been deleted by its author

      1. Charles 9

        Except that's very inefficient and power-hungry. Look at Freenet. How can you achieve something like this in a world where power may not be readily available and efficiency is a critical metric?

      2. Bogle

        poison the well

        Random and incomplete information has been working for me since the days of the Poll Tax (confusion trumps denial any day). However, I now struggle to remember my real birthday ...

        1. Tranzcoder

          Re: poison the well

          Yep works for me too....all smoke and mirrors...barely remember how to spell my name.....

      3. Anonymous Coward
        Anonymous Coward

        "irrelevant, inaccurate data and encouraging others to do the same"

        Hmm .. well, that's the Daily Mail explained ..

    2. Oninoshiko

      I would say paranoia

      but it's not paranoia when they are really out to get you!

  3. TeeCee Gold badge
    Coat

    the OSGP has announced it's working on an update to its security standards.

    So they're shit and they know they are?

    1. Anonymous Coward
      Anonymous Coward

      So they're shit and they know they are?

      So very much better than being shit and refusing to admit it, which is the usual approach.

      1. VinceH

        Re: So they're shit and they know they are?

        Read the linked announcement. They don't admit it - this update isn't because of the reported flaws, per se, but because "the overall security ... is dynamic" etc. This is a planned update - and it's "motivated by the latest recommended international cybersecurity standards" rather than because "the existing security has been shown to crap."

        1. Anonymous Coward
          Anonymous Coward

          Re: So they're shit and they know they are?

          "Read the linked announcement. They don't admit it"

          I really don't expect any industry body PR to allow out a release that says "Our security sucks, we're fixing it." As with Pravda - or for that matter the Times Court Circular - in the good old days, there's a language you need to decode.

          e.g. with Pravda "Full and frank discussions" meant "we threatened to send in the tanks", and with the TCC "XYZ was indisposed" meant "XYZ was too blotto to strand upright reliably".

      2. Michael Wojcik Silver badge

        Re: So they're shit and they know they are?

        So very much better than being shit and refusing to admit it

        No. Only a little better, unless they fix the problem - which is letting non-experts design their cryptographic algorithms, primitives, and protocols. And then fixing the organizational mess that let this disaster happen in the first place.

        I doubt that will happen. What we've seen over and over again is that industry groups like this refuse to hire the expertise they need, and generally refuse even to find out what expertise they need. That sort of willful ignorance gave us Netscape's original CPRNG and WEP and A5/1.

        Security is an externality for these groups unless and until it becomes a significant impediment to sales, or someone manages to establish liability (which is very unlikely). And between the economic benefits to utility companies and the like on one hand, and the market of home-automation fanboys and other IoT cheerleaders on the other, it'll be a long time before it hits sales, either.

  4. John Smith 19 Gold badge
    FAIL

    Oh great. Over-the-air updating of the devices in situ?

    What could possibly go wrong with that

    Unless the same group of inept motherf**kers did that software as well.

    Which they probably did.

  5. chris 17 Silver badge

    they likely designed the system at a time when compute to encrypt was expensive and defined a custom low cpu encryption system to save on cost. Now compute is vastly cheaper, what started as a good idea is now exposed as a false economy. Instead of strengthening the custom encryption they should just admit defeat and use industry standard encryption, infact, just install a lightweight bsd or redhat build with facility for ota updates, then when the industry standard is proven broken, they can apply the open source fixes accordingly (they would get proper support with redhat too- and someone to blame). the meter should have a normal display as backup too so we can continue to manually update teh utility with the reading.

    1. Metrognome

      One honest question: How do you square your recommendations with the need (more like dictat but let's stay with need) for a meter to last in excess of 10-15 years?

    2. Anonymous Coward
      Anonymous Coward

      Thing is, continual security is an ever-fleeing target. Especially in hardware. Sure, today's tech can do today's encryption reasonably, but can this be expected to continue down the line? Or, just like last time, will a hardware refresh be needed in any event to stay current with security?

    3. PNGuinn
      Mushroom

      @ chris 17

      ... redhat build...

      Systemd on a smartmeter. What could possibly go wrong?

    4. Michael Wojcik Silver badge

      they likely designed the system at a time when compute to encrypt was expensive

      What, in 1980? How old do you think this particular group is?

      And their half-assed MAC already uses MD5, so using a proper HMAC with, say, SHA-256 would be only marginally more expensive.

  6. Anonymous Coward
    Anonymous Coward

    There was never...

    ...anything smarrt about smart meters or phones. Now you know the reason why hackers are in control.

  7. All names Taken
    Paris Hilton

    Wot a meter?

    My water meter looks like any other water meter but it is capable of sending info once pinged locally.

    That way the meter reader can drive around slowly gaining info from pinged meters.

    Shame the technology costs peanuts innit?

    1. PNGuinn
      Go

      Re: Wot a meter?

      I think your wotameter needs wrapping in a nice thick foil blanket. For frost protection, of course.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like