back to article Buggy 'smart meters' open door to power-grid botnet

New electricity meters being rolled out to millions of homes and businesses are riddled with security bugs that could bring down the power grid, according to a security researcher who plans to demonstrate several attacks at a security conference next month. The so-called smart meters for the first time provide two-way …

COMMENTS

This topic is closed for new posts.
  1. Herby

    I guess this is Friday, so it is OK

    This development has BOFH written ALL over it.

    Clicky clicky Lights off, Clicky clicky lights on. What fun. Can we light up the houses in an obscene pattern? Clicky clicky clicky...

  2. Disco-Legend-Zeke
    Paris Hilton

    congrats to davis

    while the concept of smart meters is an important milestone in improving the power grid... the manufacturers need to start building security measures into them from the ground up.

    kudos to davis for bringing this problem into the light.

    paris cause i still love her.

  3. John Smith 19 Gold badge
    Alert

    Security not built in.

    So open you can build a *worm* that propergates.

    WTF.

    How fast can you say "Security by obscurity is a major fail?"

  4. Bucky 2

    The More Interesting Hack

    If they can demonstrate a hack that mis-reports the amount of power actually used, then the power companies will sit up and take notice.

  5. Anonymous Coward
    Joke

    Hacked! Botnet?

    Can I have a copy of the hack that slows down recorded usage by some 75% therefore demonstrating beyond doubt that I have cut down usage by the same (the fact that the bill is also down by a considerable amount seems attractive too?)

  6. Tzael

    Scary prospect

    To quote from the article:

    [quote]In some scenarios, smart meters would respond to power shortages by telling smart appliances such as clothes driers and dish washers to shut off until more power is more plentiful.

    "This is something that's been on everyone's radar," said Ed Legge, a spokesman for Edison Electric. "I think we've reached that point of opportunity plus ability to do it."[/quote]

    This sounds like an opportunity for electricity suppliers to say "Sorry, you've exceeded acceptable usage limits for your power plan, you'll have to switch up to the premium package"...

  7. Anonymous Coward
    Anonymous Coward

    Thank You

    Thanks for posting this on a Friday, it's just the sort of article that permits, even forces me to go out and get blind drunk, kill off a few million brain cells and make sure I can see into the future no further than the blurred outline of the last drink morphing into an aspirin bottle the next day.

  8. AngrySup

    Big Magnets

    People are currently using big magnets to slow down their meters. So the technology changes, and hey! A big magnet may still do the job.

  9. Anonymous Coward
    Thumb Up

    meter hacking?

    Could I have some more details, then I can take the bent nail out of my meter bypass.....

    Sounds very good, will take a good while for the companies involved to find out what a crock of shit it probably is. Anarchy anyone.../

  10. Combat Wombat
    Pirate

    Mu hahahah !

    Oh the Tyler Durden in me is cackling with glee over the potential of this....

    1) Randomly flick power on and off 10 times/second, and destroy home theatre equip in rich areas

    2) Giant Penis, seen from space, created with houses, and google maps

    3) Turn off the power of various politican's, and other people I don't like.

    4) Take sides with Anon, and shut off power to every scientology site I can, and lock the meter. OR add a couple of zero's to their rate per KW hr.

    5) Spell out BOFH was ere !

    This list is endless..

    Pirate, because we don't have a Tyler icon

  11. NRT
    Coat

    Interrupt Hooking.

    The people who wrote the software really should have considered that.

    It's such a new technique I can remember playing around with it back in the days of CPM!

    Mine's the one hung over the Zimmer frame.

    Nick.

  12. Anonymous Coward
    Anonymous Coward

    And how

    does it communicate this data exactley? GSM? over a phone line?

    Im hoping it is gsm because if thats the case then my gsm jammer is going to be hardwired about 6 inches away from it.

    Read that you privacy invading bastards..

  13. Sureo

    noisy neighbors

    I'd like to power down the neighbor's noisy party.

  14. Anonymous Coward
    Dead Vulture

    Oh right....

    So it's only the US of A then. Pity you didn't see fit to narrow it down when it's the register.co.uk

  15. Aidan Thornton
    Unhappy

    @cornz 1: they use mesh networking

    The smart meters actually use mesh networking over radio - each meter forwards along data from the other meters. They don't use GSM at all (too expensive). This is probably why there's such a big security issue regarding updates.

  16. Tom Maddox Silver badge
    Flame

    @AC22:04

    Lighten up, Francis. Anyway, the same technology will be coming to Blighty just as soon as we formally make you our 51st state, so the news is still relevant to you.

  17. Anonymous Coward
    Paris Hilton

    great!

    <...Echoes of LxLabs boss...>

    what next? suicide of NPower boss? :)

    due to buffer overflow this time??? :D

    Paris, cause she knows here her meter is!!!

  18. Frumious Bandersnatch

    "plan to make the power grid more efficient"

    Well, they could always switch to 220v for local power lines ...should save quite a bit ...

  19. XVar
    Stop

    @Aidan Thornton

    Wrong (in the UK atleast), the smart meters they're rolling out all use GSM on the O2 and Vodafone networks.

  20. Anonymous Coward
    Flame

    Worst comment evar! @Tzael

    >"This sounds like an opportunity for electricity suppliers to say "Sorry, you've exceeded acceptable usage limits for your power plan, you'll have to switch up to the premium package"..."

    WTF are you talking about you nutjob? Some fantasy world where we all pay a fixed rate for electricity to companies that have promised us unlimited usage? Your copy-pasta spiel refers to the whole unmetered broadband and capping issue, but we're talking about electricity here. Have you not noticed that we all already pay for electricity by usage? You utter clown.

  21. Anonymous Coward
    Thumb Down

    Smart meters indeed.

    The meters may be smart and be deserved to labled as smart but it looks like the designers of the smart meter are anything but.

  22. Chris C

    Legal?

    "...That would eliminate the need for meter readers to visit each customer to know how much electricity has been consumed, for instance."

    In that case, I'll expect my monthly "Customer charge" to decrease since they're admitting they'll be doing less work and using less labor.

    "...Technicians envision a system that raises or lowers rates hour by hour depending on the supply of power available, which would be measured based on the reports of millions of individual meters."

    Is this legal? It doesn't sound like it to me. What that says is that you will have absolutely no idea how much the power will cost as you use it. You will only know how much it cost once you receive your bill, and even then, it will probably only show the month's or days' total cost instead of showing a breakdown of each rate period. I can't think of any other product or service for which we're expected to pay without knowing the cost up-front.

    Lastly, the complete lack of security should be illegal as well. It probably isn't, but it should be. After all, if it's using a mesh network with no encryption, then it's broadcasting your personal information (power usage and possibly other data) and personally-identifiable information (the meter's ID and possibly other data) to anybody who wants to listen. That should be a violation of various data protection laws.

  23. Darryl

    @AC - Oh right...

    "Their counterparts throughout Europe are also spending heavily on the new technology."

    Seriously, it's at the end of the second paragraph. Most people skim at least a few paragraphs before jumping to the comments page.

  24. John Smith 19 Gold badge
    Happy

    AC@22:04

    It may have escaped your notice but the UK Govt. is currently pushing full speed ahead for smart meters for both gas and electricity by 2015 at the latest.

    Want to guess how they will source the roughly 22 million meters (in a hurry) at "reasonable" prices?

    There plan is that *your* meter will be reporting back to them soone rather than later.

  25. Big Al
    Boffin

    'THE' grid?

    ""New electricity meters being rolled out to millions of homes and businesses are riddled with security bugs that could bring down the power grid""

    I know this is horribly technical, but countries outside the Continental USA also use electricity, and even have power grids!

    Come on folks, this is an international site. At least make it clear to which country/countries you are referring when you throw out scary (sorry, attention grabbing) opening lines.

  26. Anonymous Coward
    Pirate

    @ AC: "Worst comment evar! @Tzael "

    Aside from pointing out you cannot spell "ev*E*r" (and you can't serioulsy try to blame *that* on a typo!), you really should read properly before commenting.

    Tzael was responding to the idea that the utility companies would be allowed to tell "smart" gadgets like dishwashers and washing machines to switch off for a while when demand was high (ie when Coronation Street or Eastenders finishes). He's (?) suggesting it won't be long before the idea that we can use as much electricity as we want and pay for it afterwards will be replaced by a rationing scheme where you get an allowance instead - like many "unlimited" broadband accounts ended up having limits on how much data you could move and how fast it would go...

    Piracy, cos that's what you get when you let the supply companies determine how to regulate themsleves. The [EXPLETIVE DELETED] kept sending me estimated bills even though I'd ring 'em every time and give them the readings; finally they have agreed to send someone to read the meters (and yes, part of the charges I pay is suppsed to cover someone doing that anyway, but they never gave me a rebate when I did their job for them).

  27. PPPie
    Thumb Down

    Low standard of living in UK and USA

    Jesus, such a low standard of living you guys are having these days, having to penny pinch tiny bits of power from your meters.

    Sounds pathetic. They'll be giving you rations of 3 peas a day for your food next. What else are they planning on rationing the people in the West?

  28. Lionel Baden

    great oh yeah

    Q:why was the electricity cut off ??

    A: oh its all automated now, there was a error in accounting.

    Q:What about all my food in the fridge and freezer?

    A:oh if you have a contract with us it states "your fucked"

  29. Anonymous Coward
    Gates Halo

    Enough with the Microsoft kool-aid

    "insecure programming functions, such as memcpy() and strcpy()"

    Those functions are not insecure. Code to do exactly what they do today will sit underneath the allegedly "safe" Microsoft-promoted versions which when abused can be just as unsafe as the MS-promoted ones. But that's Microsoft for you; they just redefine safety to mean "Microsoft-specific".

    As for smart meters in general and in the UK in particular: in the next few years, electricity demand will far outstrip electricity capacity and there's no way that new capacity can be built in time. A wide deployment of smart meters will allow lots of customers to be disconnected so that "essential services" (MPs, police, etc) can be protected. You have been warned.

  30. Anonymous Coward
    Thumb Down

    @Tom Maddox

    You mean 47th, not 51st. There's only 46 states in the USA, the other 4 are common-wealths. :-P

    Anyway, we're going further under the heel of the greedy* fascists** in Brussels, so I doubt the USA will have their talons in us for much longer.

    *Sign into the European parliament for the day, collect £175 and then bugger off without having to do any work. But it's all OK as it's "in the rules" to get paid for doing sod all.

    **The is no public representation in most things, it's all run by unelected wonks. Any over-sight will result in the auditor/investigator getting the sack. Most minutes are kept secret. Obey or face the consequences.

  31. gollux
    Happy

    My lifetime ambition to be fulfilled soon...

    A giant game of tetris being played on Manhattan Island, viewable from altitude using city blocks as display pixels!!!!

  32. Anonymous Coward
    Anonymous Coward

    @Tom Maddox...

    being Canadian I can tell you right now that Canada is already the 51st state. Geez, I wish the other Americans knew their geography.

  33. Ian Michael Gumby
    Flame

    Security as an afterthought...

    I guess those who developed the system didn't think about security because in the first place you're not on a public network and there will be security at connection points.

    Developers can go bonkers or paranoid trying to think about all the potential attack vectors.

    But yeah, a good code review should have caught some of the blatant errors.

    The good news is that its possible to correct these defects without having to redeploy the existing meters and could be done remotely.

    A flame or pox on the bean counters who take shortcuts in the name of profits.

  34. Homard
    Coat

    These Things Could Be Useful

    I'm really grateful security research has shown what a dogs dinner the security of these devices is. I'd like to blame micro$oft for these failings, but for the device to work it has to have a real-time O/S, some thing micro$oft can't do. At least these problems are clearly in the open, and have to be fixed.

    Security issues aside, these things can be a real eye opener, and help *YOU* actually reduce consumption and save money : eg. comp on 24/7 all month £15, now off most of the time. I bought a device that tells you electricity costs. It claimed that it would save me money. It really has, and a lot ! It gives you a way of looking at just how much you are using. You can use this information to educate the kids, full of green 'thou shalt not do this' crap from school (but no practical guidance), and show them that taking ages in the shower, leaving the telly on while doing something else, etc. really can make a difference. Imagine you're tight on cash ....

    The UK has barely enough grid capacity to meet demand right now. With nuclear sites going offline at end of life, the situation is going to be even worse because new capacity has not been planned sufficiently far in advance. There are 2 stark choices that emerge from this result of incompetent labour government energy policy :-

    1) brownouts (if only it meant no turd in No 10, but I mean power dips in the grid) caused by load above generating capacity. Damage to the grid also very likely, so giving long term power supply failure is some areas.

    2) make what you have work more effectively by making the electricty demand more even. Enter the smart meter, and associated smart devices.

    Seems to me choice number 2 is preferable ? Assuming of course that those in the ISS won't be offended by the botnet art that results !

  35. anarchic-teapot

    Re: Oh right....

    Read the article, dooley. The same technology is destined for Europe, and guess where the UK is is geographically and economically situated.

    Sheesh. No wonder you went AC.

  36. Mark 65

    @AC 09:37

    "As for smart meters in general and in the UK in particular: in the next few years, electricity demand will far outstrip electricity capacity and there's no way that new capacity can be built in time"

    That'll be because they've all sat on their fat arses in Westminster living it up on taxpayer pork rather than slapping down the Eco numtpies and chucking up a few modern nuclear power stations. Sorry, I forgot that they've covered the breezier parts of the land with Windy Miller's wet dream that can power about 5 houses at peak usage.

  37. Anonymous Coward
    Black Helicopters

    Why hack it when you can pirate?

    The local smart grid uses wimax so if you and your friends can acquire a meter, you can bittorrent on your own private high speed network with out all the pesky bills.

  38. John Smith 19 Gold badge
    Boffin

    So how do the gas meters get powered?

    Only the UK wants to do this with both electricity and gas meters.

    NB In the UK utility companies are removing electronic gas meters as they don't like the logistic hassle of replacing the button cell in them every 5 years.

    I don't know how much power a gas meter with GSM modem consumes but I bet it will flatten a button cell in days, not years at the very best.

    So run a cable from the electric meter to the gas meter? What about people who have them in different places? Induction power transfer so meters remain disconnected.

    Micro fuel cell?

    Extra shelf for 12v car battery. How much fun will getting those replaced be? About 22 million every x years.

    Do you sense another half cock government policy which has not been though through?

  39. Code Monkey

    Easily Hacked

    "The newfangled meters needed to make the smart grid work are built on buggy software that's easily hacked" - we're talking Windows, here, right?

  40. Lionel Baden 1

    rethink

    can we just let them release the buggy software and not kick up a fuss

    then we may all goto hackaday build our own serial line and disable their bloody remote access.

    Anyway i dont get any bloody mobile phone signal from vodafone and O2 in my area so im not to bothered

  41. Trygve Henriksen

    Do the companies still send out someone to read off meters?

    That hasn't happened the last decade or so, here in Norway.

    (Except for a surprise visit here and there)

    Every customer reads off their meter at the end of the period, then register it using snail-mail, dialling it in to one of those annoying 'Press 1 to screw up your subscription, press 2 to be put on hold' systems, text messaging, or even on the intarweb.

    Must be working, for I'm only using 6000KWh/year...

  42. DJ 2
    Joke

    19 April 2011

    Skynet becomes aware,

    and turns off all your freezers and AC.

  43. Anonymous Coward
    Stop

    @XVar

    Wrong. They're starting to push out 802.15.4/ZigBee/ZigBee Pro meters in the UK, or in other words mesh networks.

  44. Alan W. Rateliff, II
    Paris Hilton

    Fewer jobs, less privacy,

    More smart meters means fewer meter reading jobs. This is antithetical to the promise of new or saved jobs (unless you adhere stringently to the "or" representation there, which is used often by our current administration to cover its ass and claim success or assign blame for any scenario.) Electric companies will not cross-train or re-train readers to become security specialists, I promise you that. Instead, they will become like every other automated monitoring system in which a minimal staff will be maintained which in no way could handle a true disaster or security breach outbreak.

    Additionally, the plans are to allow you to log into a "secure" web site to allow you to view your usage in real-time. Like other systems which allow this "convenience," you will probably not be able to opt-out to protect your privacy, so your activities will be protected by the lowest common denominator in security so as to be idiot-proof to avoid calls to the help line. And we all know end users are stupid, anyway, using the most insecure passwords available, or sharing passwords with people who have no business with them in the first place. This opens a nice door for stalking ex-partners or others who wish to determine when you are not home... or worse, when you are.

    And password aging and rotation is not an answer to this, as people ALWAYS find ways to circumvent this process. Your factors of authentication are where the entity is, something the entity knows, is, or has. The last one would be most significant -- an RSA token would be a great step towards securing this information. The electrical system and its subscribers are a part of our critical infrastructure and, as such, should be treated that way.

    @AC: "@Tzael"

    The fact that the electric companies do not do this now does not mean they never will. Our Glorious President has already stated that he intends power companies to do just that, charge additional for anyone using more than their "fair share." That is equality for you.

    Paris, a part of our not-so-critical infrastructure, and thusly treated.

  45. Wortel
    Pirate

    Hahaha

    Oh, this is just brilliant. Bring it on! Put their damn heads on the block and show the world what a fine example the power companies make by failing to test, test, test! before rollouts. idiots.

    Who's in for programming a giant animated mosaic of city lights, viewable from space?

  46. Anonymous Coward
    Flame

    Whoops!

    I have a friend of a friend personally involved in the UK rollout for a well known electricity supplier. Forwardint this article has ruined his day quite severely, to the extent they are seeking answers as to how much of this article is true.

    Yes they are mesh driven and if you know where to look you can find them with a scanner, decrypting the data should be trivial assuming its not already based internally on something like a Zigbee

  47. Anonymous Coward
    Anonymous Coward

    "charge additional for anyone using more than their "fair share.""

    Commercial/industrial consumers over a certain size (500kVA????) have for a long time had tariffs which include a charge component based on "maximum demand". The higher your maximum demand, even if only for a short while, the higher your bill, even if your overall usage is constant. Seems entirely reasonable to me, as the costs need to cover not only the energy consumed, but also the cost of the capacity to generate and distribute it. It costs more to supply 24 kWhr (24 units) of electricity in 1 hour than it does to supply 24kWhr over 24 hours. Mostly. Terms and conditions apply, your mileage may vary, etc.

  48. Martin Usher

    110v power is a myth

    >Well, they could always switch to 220v for local power lines ...should save quite a bit ...

    Err,,, sorry, the US already uses 230v household current. Its two phase (split around ground) so for low power household circuits it appears as 115v. Higher power circuits - cookers, driers and so on -- use 230v.

    What they're doing locally at the moment is offering people a rebate on their A/C if they sign up for remote control of their thermostat. The utility can regulate demand to match supply, avoiding brownouts or power cuts. We (in California) inherited a bastardized deregulation scheme similar to the way the UK's privatization was set up which has resulted in the situation where the suppliers get paid a fixed price (by the state) regardless of the power used. They've got a positive incentive to reduce power consumption -- not all bad, because we get CFLs at giveaway prices and so on -- but its still a bit of a scam (our electricity prices went through the roof after deregulation due to rampant speculation -- it got stabilized by the State but we're still paying though the nose for power).

  49. Alan W. Rateliff, II
    Paris Hilton

    @AC @me

    You are talking about peak demand, with which I can easily agree. If you put a burst load on the electrical system, obviously you are incurring a massive influx requirement. I would hate to see the power bill for the Florida State University High-Field Magnetic Laboratory, as well as the extra feeders and generating equipment the City of Tallahassee utility services needs to supply it.

    But what everyone else is talking about is "usage," much different from "demand." The cap-and-trade argument refers to being allowed to use only a certain amount of energy over a given period, limited by the associated carbon credits allotted to defer against the carbon dioxide your energy consumption releases into the air.

    A bunch of horse-shit, frankly. And it will indelibly hamper my profession as well, which requires me to drive around most of the day going from site-to-site to fix things hands-on which a remote session cannot handle. Nothing else in government financing takes into consideration sole proprietorships, as a single male I will easily overrun my allotted credits which will incur additional fees, or carbon credit purchases. In turn my service rates will have to increase, which will eventually cause customers to turn away from my services.

    More to the topic of electrical services, I like not shivering inside my own house. The recommended thermostat setting of 68F leaves me bundled up like I am in "Call of the Wild" so as not to shiver my teeth out of my skull. I make up for this during the summer, though, as I can ignore the recommended setting due to my heat tolerance.

    Others may have the opposite problems, but none the less, in neither situation would we want the power company telling our thermostat what is the ideal setting for us. As it is we guard the thermostat against roaming fingers with a Nerf sniper rifle just to stay comfortable.

    Paris, must be guarded against roaming fingers.

  50. JeffreyWalshVA

    Comparison with the credit card industry

    If a credit card customer notices having been billed for a fraudulent charge, it is usually rectified with a quick phone call or at worst, a signed affidavit.

    With these smart meters, hackers can apparently shut power off to unsuspecting customers.

This topic is closed for new posts.

Other stories you might like