Smart meter SSL screw-up exposes punters' TV habits

White-hat hackers have exposed the privacy shortcomings of smart meter technology. The researchers said German firm Discovergy apparently allowed information gathered by its smart meters to travel over an insecure link to its servers. The information – which could be intercepted – apparently could be interpreted to reveal not …

COMMENTS

This topic is closed for new posts.

  1. Steve Knox Silver badge
    Thumb Up

    Class Act

    "Nikolaus Starzacher, chief exec of Discovergy, was among those who attended the presentation. He thanked the researchers for their work and promised to adapt Discovergy's technology so as to minimise potential security and privacy concerns."

  2. John Riddoch
    Thumb Up

    Given that 90% of execs who heard about this would have tried to sue them to stop them presenting, this is a remarkable outbreak of common sense... Can we clone him and put the clones in charge of some other companies, please?

  3. Rob
    Go

    Why stop there...

    ... we have a whole government that needs replacing.

  4. Anonymous Coward
    Anonymous Coward

    Re: Class Act

    Exactly my thoughts. Adobe et al. could learn a thing or two.

  5. Someone Else Silver badge
    Go

    He's not an American.

    'Nuff said

  6. Anonymous Coward
    Anonymous Coward

    What about the Governator?

  7. Sir Runcible Spoon Silver badge

    Sir

    So, even with all the hand-wringing that was done when these meters were announced they didn't bother to perform even the most basic of diligence regarding the security of the data.

    That's FAIL 2.0 in my book.

    Never liked these things, and as for a 2 second granularity - wtf!?

    As for running lights 12 hours on, 12 off - well, sheeeeit.

  8. The BigYin

    Security is fine

    The customer's details and systems are 100% protected 100% of the time.

    "Customer" in this case being the utility company who owns the meter.

    The consumers' security is of no corporate or regulatory concern. :-(

  9. Sir Runcible Spoon Silver badge

    Sir

    Unfortunately even that isn't true, since they were able to intercept the traffic and inject their own readings before sending it back to the utility company.

  10. ...zenpyramid...
    Black Helicopters

    ...coral, one presumes...

    ...one wonders if it would be possible to install some form of 'scrambler' device between the meter and the fuse board. I'm guessing we're talking about some form of intelligent capacitor. My main concern would then be the efficiency of the system, as whatever% inefficiency would then manifest as whatever% increase in energy consumption. Oh yeah, and then there's inevitable delay between 'turn on' and 'power arrives', unless the 'scrambler' has some pretty hefty constant capacity in reserve, or a bloody great battery (same thing?). All of which are gonna do nothing to improve efficiency or lower build costs.

    I suppose it might almost be easier to have your devices individually scrambled, to avoid having to juggle the current from the whole house. Just scramble the ones you feel sensitive about. Like the lights above your, um, aquarium, say... (*cough)

  11. Anonymous Coward
    Anonymous Coward

    TEMPEST

    These interception methods have been around for about 40 years ... that's just about long enough for all the engineers who actually understand the problems to retire. The only thing new here is that the smart meters were built and designed by some wet behind the ears engineers.

  12. C-N
    Mushroom

    all the engineers who actually understand the problems...

    "wet behind the ears engineers."

    Cool story bro. Let me tell you how things work in the real world.

    Every time any company gets a choice of properly vs cheaply what do you think they choose?

    Until the decision makers at the top are taken to task over crap like this, expect the worker bees to do as they're asked / told. This isn't your father's job market so don't expect engineers to resign in protest over a failure to do some job right vs just-good-enough-to-remain-employed.

    You may not like it, I certainly don't, but that's the way it is.

  13. Davidoff
    Thumb Down

    "These interception methods have been around for about 40 years ... that's just about long enough for all the engineers who actually understand the problems to retire. The only thing new here is that the smart meters were built and designed by some wet behind the ears engineers."

    Nice rant, but what you miss here is that TEMPEST (shielding of all emissions to avoid interception) is hardly the answer when information has to travel quite some distance from the appliance to the central server. That's what encryption is for. And I would bet that very few of these now retired engineers that worked on TEMPEST 40 years ago know about modern encryption technology.

  14. adnim Silver badge

    "Suppliers want to introduce the technology not only because it simplifies the process of collecting meter reading, but also because it makes it easier to control supply at times of peak demand. The technology also makes it easier to switch late or unreliable payers onto higher tariffs."

    Don't forget the savings from sacking all those fleshy meter readers. The return from selling off the vehicles they use and the savings from not fueling those vehicles. I dare say that despite these savings the consumer will not see a reduction in the cost of electricity and maybe even see an increase in costs to pay for the technology.

  15. The BigYin

    If it makes...

    ...readers harder to steal, that's a good thing (I have been the victim of meter theft, the police don't regard it as a priority and the utility companies won't lift a finger without a police response; if it happens to you, you are in for at least a week without power/gas).

    Umm...I think that's about the only benefit I can see with the things.

  16. Uncle Siggy
    Terminator

    lights out

    You could eschew the usage of electricity, fooling everyone into thinking you aren't home, effectively shutting off the meter.

    Ever notice you never hear about "billing systems" malfunctioning?

  17. sabba
    WTF?

    What the heck...

    ...do they do with the meter when they've nicked it? Surely the scrap value can't be that high and I am presuming that it'd be pretty hard to sell as it is. Am I perchance missing something here?

  18. The BigYin

    @sabba

    Simple. They swap it for their meter, use power/gas for a while, then swap it back before the meter reader comes; makes them look like they've used less power/gas. Scrap has nothing to do with it.

    Trust me, I was as shocked/puzzled as you were. TransCo told me it was pretty common. The scum will even break-in to get the meter!

    However, rather than bare my private to a utility company I installed a decent security light.

  19. Allan George Dyer Silver badge
    WTF?

    Really?

    Why don't they just bypass their own meter without swapping yours in? Simpler, and less risk of being caught.

    I initially thought you had a pay-as-you-go meter, and they were stealing the coins (probably wouldn't work with a card meter, though).

  20. Davidoff

    Meter theft

    That may be one of the reasons why most homes in mainland Europe have their utility meters inside.

    But then most of these houses also have basements.

  21. The BigYin

    @Allan George Dyer

    I asked that too - the meters apparently use non-standard connectors and as one doesn't really want to pass the regulator (mains pressure in domestic pipes? Yikes!) it is actually easier/safer to steal the meter.

    There's a rash of thefts around this way at the moment.

    @Davidoff

    Yes a basement would be nice, but they will break-in to steal the meter.

    And one cannot secure the meter for obvious reasons (access may be required in an emergency). Although I did consider fitting a light-sensitive diode inside the cabinet connected to an alarm inside the house.

  22. andy 45

    No benefit for the consumer and we have to surrender all energy privacy to the energy company and are under their total control.

    ...And we get swamped in yet more wi-fi signals (which may or may not be harmful)

    Great.

    I don't want a smart meter and I'm going to do anything I can not to have one (whatever that is).

  23. Anonymous Coward
    Anonymous Coward

    Faraday cage around the meter cupboard?

  24. C-N
    Pirate

    Naw

    Fancy load-leveling or load-randomizing UPS like device. They'll think I watch looney toons and eat microwave popcorn 24 hours per day.

  25. heyrick Silver badge
    Happy

    On the other hand...

    ...an enterprising person could rig up a PIC to randomly switch a couple of 60W bulbs on and off randomly to add plenty of "noise" to the recorded consumption levels. There you go, privacy back again.

  26. Ken Hagan Gold badge

    Why bother with a PIC? You've been able to buy "Pretend I'm at home" light switches and timer-controlled sockets for yonks.

    Of course, in these "enlightened" days, you might not be able to buy a 60W light bulb anymore.

  27. heyrick Silver badge

    @ Ken

    Bother with a PIC because if the thing is going to read the fluctuations in consumption from a large LCD telly, you will need to modulate a lightbulb fairly rapidly (several times a second) in order to mask these fluctuations, and at random intervals. An "I'm here, see?" gadget will have no more effect than turning on a lamp - namely, none. The consumption will alter, but the fluctuation pattern will remain, and can still be detected.

    Good point on the "enlightened days", I'm not sure how a stupid eco bulb will take to being switched at 10-20Hz? You can get compromise bulbs (halogen projector bulb inside) which might fare better?
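    The reasoning in heyrick's reply can be checked with a small simulation. The following is an added example written for this page, not code from the article, the commenters or the researchers: it builds a constructed 20-second "TV scene" power signature sampled at 10 Hz, adds it to an assumed 300 W household baseline, and scores how well a simple correlation-based detector still recognises the signature when (a) a lamp is left on constantly and (b) two 60 W bulbs are switched at random on every sample. All sample values and load figures are assumptions chosen to illustrate the point.

```python
"""Toy model of the masking argument: a constant extra load shifts a power
trace but leaves its fluctuation pattern intact, while a load switched randomly
many times per second buries that pattern in noise.

Constructed example for this comment thread; the 10 Hz sampling rate, the
20 s scene signature, the 300 W baseline and the 60 W bulbs are assumptions."""
import math
import random

SAMPLE_HZ = 10           # assumed meter sampling rate for the demo
BASELINE_W = 300.0       # assumed constant household load (fridge, router, standby)
BULB_W = 60.0            # one incandescent bulb


def tv_signature(seconds=20, seed=1):
    """Reference draw of a TV: each 'scene' holds a constant level for one
    second, with brightness-dependent power between 70 W and 130 W.
    Constructed data, seeded so the run is reproducible."""
    rng = random.Random(seed)
    sig = []
    for _ in range(seconds):
        level = rng.uniform(70.0, 130.0)
        sig.extend([level] * SAMPLE_HZ)
    return sig


def pearson(a, b):
    """Pearson correlation coefficient: the detector's similarity score
    between the reference signature and the observed meter trace."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    return cov / math.sqrt(var_a * var_b)


def household_trace(signature, extra_load):
    """Meter readings: baseline + TV + whatever extra_load(i) contributes
    at sample index i."""
    return [BASELINE_W + s + extra_load(i) for i, s in enumerate(signature)]


def constant_lamp(_i):
    """A timer socket or 'pretend I'm home' switch: one bulb simply left on."""
    return BULB_W


def random_bulbs(seed=2, bulbs=2):
    """heyrick's PIC idea: each bulb is independently on or off at every
    sample, i.e. re-decided at the sampling rate (10 Hz here)."""
    rng = random.Random(seed)

    def load(_i):
        return BULB_W * sum(rng.random() < 0.5 for _ in range(bulbs))

    return load


def detection_scores():
    """Correlation of the known signature with three observed traces.
    A score near 1.0 means the detector still sees the TV clearly."""
    sig = tv_signature()
    return {
        "no_extra_load": pearson(sig, household_trace(sig, lambda i: 0.0)),
        "constant_lamp": pearson(sig, household_trace(sig, constant_lamp)),
        "random_bulbs": pearson(sig, household_trace(sig, random_bulbs())),
    }


if __name__ == "__main__":
    for name, score in detection_scores().items():
        print(f"{name:15s} correlation = {score:.2f}")
```

    The constant lamp leaves the correlation at 1.0 because Pearson correlation ignores a fixed offset, which is exactly why a slow timer socket hides nothing; the randomly switched bulbs add noise with a larger spread than the TV's own fluctuations and pull the score well down. A real detector would use a library of appliance signatures and sliding windows rather than a single aligned comparison, but the offset-versus-noise distinction is the same.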

  28. Dr Dan Holdsworth Silver badge
    Pirate

    If the security is this crap...

    If the security is this abysmal, then we can cheerfully expect the meter to have absolutely no protection whatsoever from man-in-the-middle attacks. This would mean that with a suitable hardware black box tacked onto the thing, a meter could be seeming to give a completely normal household read-out, whilst the power was being leeched at a truly staggering rate.

    If this is possible, I would expect that the drug farmers would find this quicker and safer to do than the current method of bypassing the meter altogether, or tying in to the streetlamp circuits for power.

  29. Anonymous Coward
    Anonymous Coward

    You don't suppose

    You don't suppose the domestic energy consumption changes if you put the kettle on? Or put the bathroom light on? Or the heating/hot water thermostat changes state? Or any of the many other things which would make the power consumption changes due to the film itself maybe literally "disappear in the noise".

    I mean, there's plenty of real threat stuff to talk about here. But then they're probably right, without the unnecessary and barely believable/relevant "we know what you've been watching (assuming it's a film we've profiled)" comments they may not have got this article.

  30. John Halewood

    Actually it's just as likely to reinforce what you're doing as hide it: classic scenario (long since known in the electricity industry), Eastenders/Coro/whatever finishes, a couple of million households put the kettle on (in the same way that lots of dogs in my 'hood seem to get walked by blokes between 19.30-20.00). If you've got a house with several people doing different things at once, then it would be more difficult, but with a big enough sample a statistical analysis will pull an awful lot of trends out. Someone would have to put a lot of effort into it, but it's probably more accurate than the old TV detector vans.

  31. Anonymous Coward
    Anonymous Coward

    Yep, the surge in grid demand when the Queen's Speech (or the commercials in Corrie or whatever) comes on is a well known phenomenon, although its importance is decreasing somewhat now there are fifty seven channels with nothing on, rather than just three.

    "with a big enough sample a statistical analysis will pull an awful lot of trends out."

    No it won't, adding dissimilar signals (different punters watching different things) does *not* reinforce the ability to work out the underlying pattern(s), unless a *lot* of them are watching the same thing (see above).

    "more accurate than the old TV detector vans."

    Probably more accurate than the new ones too, given that modern TVs no longer have line output transformers and that kind of thing (and there are computers that know which addresses don't have TV licenses).

  32. Rob Daglish
    Stop

    Great, you can spy on me...

    Unless there's no mobile signal.

    They came to fit one of the gas smart meters in my in-laws the other week.

    Poor bloke turned up 3 hours late after problems fitting the one at the previous job, stuck his head in the cupboard under the stairs where the meter is and took out a signal meter.

    Two minutes later, he was on his way as there was not enough signal on either of BG's preferred mobile provider networks.

    It isn't as if they are in the middle of nowhere like a lot of our country, they're on the edge of a large town. Until the mobile providers have a 100% coverage obligation, the current meters are doomed, especially if you live in an old house with thick walls.

  33. C-N
    Trollface

    Is it April First?

    chief exec...attended the presentation... thanked the researchers... promised to fix...

    You guys are pulling my leg. You almost had me.

  34. Pointer2null
    Pirate

    Kaboom

    And the next step for any terrorist org is to hijack a city or two of meters, switch them off, wait a bit till everyone switches x, y and z on wondering why there is no 'leccy then turn the whole lot back on at the same time. Nice big power surge should take out the local grid...

  35. Marketing Hack Silver badge
    Big Brother

    Well, there goes the environmental benefit of smart meters!!

    Now I have to set my second TV to play Citizen Kane, Casablanca, On the Waterfront, 2001 A Space Odyssey, public affairs programs and other high-brow entertainment while I am not at home, and I have to run my big TV off a portable generator so that I can watch my usual trashy series, sports and occasional soft core while still maintaining my sophisticated, urbane public persona!!

    So while big brother is watching me expanding my horizons, I will be watching "Bikini Babes of Brazil", or some such uplifting entertainment!

    Curse you, progress!!!

  36. Anonymous Coward
    Anonymous Coward

    Designed by Indians (just graduated in Bombay!)...

    installed by Cowboys,

    Instigated under a green flag by Greedy Idiots for votes

    the worst part of this kit is the fact it's permanently ON and broadcasting via 3G 24/7 at full power!

    never mind the Wifi smart grid electro-smog,

    combining these together and you really are looking at the perfect storm of ELECTO-SMOG which will cause even more health issues for consumers across the world.

    the only hope is screening the kit either before by fitting a steel box to fully enclose the entire unit (with room to spare for the larger sized meter) or covering it in very expensive silver shielding cloth once it's fitted.

    and has anyone actually scientifically proved that these devices are completely safe for consumers..... I don't think so!!!!

  37. melts
    WTF?

    electo-smog(tm)

    i think you need to lay off the drugs

    seriously you're sitting in front of a pc, no doubt own a phone, and you aren't on an island in a faraday cage.

    because you can only blame yourself for these problems you casually disregard them to whine about a meter that sits in cell standby like your phone and beams out some data at some scheduled interval.

    and a silver shielding cloth? copper will work just fine. use lead if you want something more hazardous than the meter around...

  38. rurwin

    "has anyone actually scientifically proved that these devices are completely safe for consumers"

    Umm.... Yes.

    Thanks for the plug opportunity: http://www.soronlin.org.uk/mobile-phones

    That's for mobile phone masts, but the maths are there to disprove your point: Using a mobile phone for 15 minutes a day has three thousand times the effect of its regular polling of the cell for five seconds every ten minutes. Make that five times larger for the smart meter polling interval, and it's still 600 times less than making a 15 min. phone call. The figures are for 8 hours, so we should make it three times larger, or a mere 200 times less than a 15 minute mobile phone call.

    Assuming you are an average of five metres from the meter, you should reduce that by another factor of 25, since the numbers are worked out for a distance of one metre.

    So having the smart meter active is 5,000 times less damaging than a 15 minute mobile phone call per day, or 333 times less than a one minute call per day.

    You may not use a mobile phone for one minute or fifteen minutes a day, but many, many people use one for much longer than that. If smart meters caused any damage, then many, many people would be seriously damaged by their mobile phones. Mobile phone users are the canary that would warn of possible injury from smart meters. There is no discernible injury to mobile phone users, and therefore smart meters are safe.

  39. Anonymous Coward
    Anonymous Coward

    Electrosensitive?

    JREF or STFU! :)

  40. Field Marshal Von Krakenfart
    FAIL

    @rurwin

    "has anyone actually scientifically proved that these devices are completely safe for consumers"

    "Umm.... Yes."

    Ummmm...... *NO*

    What they, whoever 'they' are, have shown is that there is no evidence that low levels of exposure to radio transmissions are harmful to health.

    That is not the same as saying low levels of exposure to radio transmissions is safe.

    I can imagine the Wright brothers saying the same thing, "we've no evidence that powered aircraft crash causing fatalities..... Who? Otto Lilienthal! No he was killed in a glider crash, totally different thing".

  41. Graham Marsden
    Boffin

    @Field Marshal Von Krakenfart

    Has anyone scientifically proved that posting to El Reg is completely safe...??

  42. The BigYin

    @Field Marshal Von Krakenfart

    Very hard to prove a negative, no evidence of risk is as close as one will ever get.

    All this talk of "electrosensitivity" is utter bollocks. There has simply been no evidence of it and what tests have been done (putting an "electrosensitive" in room where wiring was switched on/off) simply showed they had no sensitivity.

  43. P. Lee Silver badge
    Big Brother

    It isn't a bug

    it's a feature. Why else would you sample every couple of seconds unless you were looking for signatures?

    I'm pretty sure that there are plenty of people who would like to know what you are doing and when. Apart from the marketing opportunities of knowing what people are watching. I would imagine that all those computer-controlled washing-machine programmes also have fairly unique signatures. You can probably tell when a coffee machine kicks in (shorter than a kettle, but equally high power).

    Mine the data after a couple of years and you can probably tell who is going to need to replace various appliances and when. Also, who might be annoyed with their current appliance vendor and be ready to move.

    Pick out who is watching what and you might get a good idea of how they might vote too.

    I look into my crystal ball and see Google getting into the energy generation business...

  44. FredScummer
    Black Helicopters

    Don't Tell Chris Huhne!

    This sounds mighty dangerous. If Chris Huhne gets to know about it he'll be getting the techies to rearrange the digital plumbing so that his missus gets his bill.

  45. despairing citizen
    Stop

    Proper Name for Smart Meter is Burgle me indicator

    Drive round posh housing area, use radio to intercept and triangulate signals, bit of traffic analysis later, you know which house to go and rob.

    That's without breaking the security (if implemented)

    Given encryption is a time and resource based security methodology, how frequently will the vendors be rotating the encryption keys, who will have access to them to flog off to their criminal friends.

    Smart Meters are all about the utilities companies making more money by getting rid of the costs of data collection, customer crime victim figures do not appear on their balance sheet.

  46. AndrueC Silver badge
    Thumb Down

    Burglars already know when you're out. It's called 'Office hours'. The only people still in their homes during office hours probably can't afford to buy anything worth stealing.

  47. despairing citizen
    Happy

    Assumption is you work for "Stone Age" employer, the minions must be seen sat in front of manager's desk to make him look important (the "presentism" culture of UK management)

    However home working is a popular move, your staff work better when not p*s**ed off at BR/Failtrack, you can cut circa 25% of your expensive office space, and the staff get a better work/life balance, by ditching commute hours.

    Thus burglar is increasingly likely to encounter large angry bloke working from home.

  48. Field Marshal Von Krakenfart
    Coat

    "Drive round posh housing area, use radio to intercept and triangulate signals, bit of traffic analysis later, you know which house to go and rob."

    Then case the house using street view...

    Program ASIMO to break in...

    Icon: burglar searching your coat for the car keys.

  49. John Smith 19 Gold badge
    Boffin

    So how difficult is it to configure an SSL certificate server *correctly*?

    Is it a task requiring many years of study and wearing of sandals?

    Or just a case of RTFM?

    You can teach knowledge, but you can't teach thoroughness.

    BTW Sampling *every* meter every 2 secs. Note that's not switching tariffs every 2 secs.

    How often are they planning to bill customers?

  50. defiler Silver badge

    Billing customers

    I guess they'll bill the customers every 2 seconds as well. But you'll get about £1800 off per month if you opt out of paper billing...

    Okay - I'll get back to work.

Biting the hand that feeds IT © 1998–2018