Smart meter SSL screw-up exposes punters' TV habits White-hat hackers have exposed the privacy shortcomings of smart meter technology. The researchers said German firm Discovergy apparently allowed information gathered by its smart meters to travel over an insecure link to its servers. The information – which could be intercepted – apparently could be interpreted to reveal not …
So, even with all the hand-wringing that was done when these meters were announced they didn't bother to perform even the most basic of diligence regarding the security of the data.
That's FAIL 2.0 in my book.
Never liked these things, and as for a 2 second granularity - wtf!?
As for running lights 12 hours on, 12 off - well, sheeeeit.
...one wonders if it would be possible to install some form of 'scrambler' device between the meter and the fuse board. I'm guessing we're talking about some form of intelligent capacitor. My main concern would then be the efficiency of the system, as whatever% inefficiency would then manifest as whatever% increase in energy consumption. Oh yeah, and then there's inevitable delay between 'turn on' and 'power arrives', unless the 'scrambler' has some pretty hefty constant capacity in reserve, or a bloody great battery (same thing?). All of which are gonna do nothing to improve efficiency or lower build costs.
I suppose it might almost be easier to have your devices individually scrambled, to avoid having to juggle the current from the whole house. Just scramble the ones you feel sensitive about. Like the lights above your, um, aquarium, say... (*cough)
"wet behind the ears engineers."
Cool story bro. Let me tell you how things work in the real world.
Every time any company gets a choice of properly vs cheaply what do you think they choose?
Until the decision makers at the top are taken to task over crap like this, expect the worker bees to do as they're asked / told. This isn't your father's job market so don't expect engineers to resign in protest over a failure to do some job right vs just-good-enough-to-remain-employed.
You may not like it, I certainly don't, but that's the way it is.
"These interception methods have been around for about 40 years ... that's just about long enough that all the engineers who actually understand the problems to retire. The only thing new here is that the smart meters were built and designed by some wet behind the ears engineers."
Nice rant, but what you miss here is that TEMPEST (shielding of all emissions to avoid interception) is hardly the answer when information has to travel quiet some distance from the appliance to the central server. That's what encryption is for. And I would bet that very few of these now retired engineers that worked on TEMPEST 40 years ago know about modern encryption technology.
"Suppliers want to introduce the technology not only because it simplifies the process of collecting meter reading, but also because it makes it easier to control supply at times of peak demand. The technology also makes it easier to switch late or unreliable payers onto higher tariffs."
Don't forget the savings from sacking all those fleshy meter readers. The return from selling off the vehicles they use and the savings from not fueling those vehicles. I dare say that despite these savings the consumer will not see a reduction in the cost of electricity and maybe even see an increase in costs to pay for the technology.
...readers harder to steal, that's a good thing (I have been the victim of meter theft, the police don't regard it as a priority and the utility companies won't lift a figure without a police response; if it happens to you, you are in for at least a week without power/gas).
Umm...I think that's about the only benefit I can see with the things.
Simple. They swap it for their meter, use power/gas for a while, then swap it back before the meter reader comes; makes them look like they've used less power/gas. Scrap has nothing to do with it.
Trust me, I was as shocked/puzzled as you were. TransCo told me it was pretty common. The scum will even break-in to get the meter!
However, rather than bare my private to a utility company I installed a decent security light.
I asked that too - the meters apparently use non-standard connectors and as one doesn't really want to pass the regulator (mains pressure in domestic pipes? Yikes!) it is actually easier/safer to steal the meter.
There's a rash of thefts around this way at the moment.
@Davidoff
Yes a basement would be nice, but they will break-in to steal the meter.
And one cannot secure the meter for obvious reasons (access may be required in an emergency). Although I did consider fitting a light-sensitive diode inside the cabinet connected to an alarm inside the house.
No benefit for the consumer and we have to surrender all energy privacy to the energy company and are under their total control.
...And we get swamped in yet more wi-fi signals (which may or may not be harmful)
Great.
I dont want a smart meter and I'm going to do anything I can not to have one (whatever that is).
Bother with a PIC because if the thing is going to read the fluctuations in consumption from a large LCD telly, you will need to modulate a lightbulb fairly rapidly (several times a second) in order to mask these fluctuations, and at random intervals. A "I'm here, see?" gadget will have no more effect than turning on a lamp - namely, none. The consumption will alter, but the fluctuation pattern will remain, and can still be detected.
Good point on the "enlightened days", I'm not sure how a stupid eco bulb will take to being switched at 10-20Hz? You can get compromise bulbs (halogen projector bulb inside) which might fare better?
If the security is this abysmal, then we can cheerfully expect the meter to have absolutely no protection whatsoever from man-in-the-middle attacks. This would mean that with a suitable hardware black box tacked onto the thing, a meter could be seeming to give a completely normal household read-out, whilst the power was being leeched at a truly staggering rate.
If this is possible, I would expect that the drug farmers would find this quicker and safer to do then the current method of bypassing the meter altogether, or tying in to the streetlamp circuits for power.
You don't suppose the domestic energy consumption changes if you put the kettle on? Or put the bathroom light on? Or the heating/hot water thermostat changes state? Or any of the many other things which would make the power consumption changes due to the film itself maybe literally "disappear in the noise".
I mean, there's plenty of real threat stuff to talk about here. But then they're probably right, without the unnecessary and barely believable/relevant "we know what you've been watching (assuming it's a film we've profiled)" comments they may not have got this article.
Actually it's just as likely to reinforce what you're doing as hide it: classic scenario (long since known in the electricity industry), Eastenders/Coro/whatever finishes, a couple of million households put the kettle on (in the same way that lots of dogs in my 'hood seem to get walked by blokes between 19.30-20.00). If you've got a house with several people doing different things at once, then it would be more difficult, but with a big enough sample a statistical analysis will pull an awful lot of trends out. Someone would have to put a lot of effort into it, but it's probably more accurate than the old TV detector vans.
Yep, the surge in grid demand when the Queen's Speech (or the commercials in Corrie or whatever) comes on is a well known phenomenon, although its importance is decreasing somewhat now there are fifty seven channels with nothing on, rather than just three.
"with a big enough sample a statistical analysis will pull an awful lot of trends out."
No it won't, adding dissimilar signals (different punters watching different things) does *not* reinforce the ability to work out the underlying pattern(s), unless a *lot* of them are watching the same thing (see above).
"more accurate than the old TV detector vans."
Probably more accurate than the new ones too, given that modern TVs no longer have line output transformers and that kind of thing (and there are computers that know which addresses don't have TV licenses).
Unless there's no mobile signal.
They came to fit one of the gas smart meters in my in-laws the other week.
Poor bloke turned up 3 hours late after problems fitting the one at the previous job, stuck his head in the cupboard under the stairs where the meter is and took out a signal meter.
Two minutes later, he was on his way as there was not enough signal on either of BGs preferred mobile provider networks.
It isn't as if they are in the middle of nowhere like a lot of our country, there on the edge of a large town. Until the mobile providers have a 100% coverage obligation, the current meters are doomed, especially if you live in an old house with thick walls.
Now I have to set my second TV to play Citizen Kane, Casblanca, On the Waterfront, 2001 A Space Odyssey, public affairs programs and other high-brow entertainment while I am not at home, and I have to run my big TV off a portable generator so that I can watch my usual trashy series, sports and occasional soft core while still maintaining my sophisticated, urbane public persona!!
So while big brother is watching me expanding my horizons, I will be watching "Bikini Babes of Brazil", or some such uplifting entertainment!
Curse you, progress!!!
installed by Cowboys,
Instigated under a green flag by Greedy Idiots for votes
the worst part of this kit is the fact its permanently ON and broadcasting via 3G 24/7 at full power!
never mind the Wifi smart grid electro-smog,
combining these together and you really are looking at the perfect storm of ELECTO-SMOG which will cause even more health issues for consumers across the world.
the only hope is screening the kit either before by fitting a steep box to fully enclose the entire unit (with room to spare for the larger sized meter) or covering it in very expensive silver shielding cloth once its fitted.
and has anyone actually scientifically proved that these devices are completly safe for consumers..... i dont think so.!!!!
i think you need to lay off the drugs
seriously you're sitting infront of a pc, no doubt own a phone, and you aren't on an island in a faraday cage.
because you can only blame yourself for these problems you casually disregard them to whine about a meter that sits in cell standby like your phone and beams out some data at some scheduled interval.
and a silver shielding cloth? copper will work just fine. use lead if you want something more hazardous than the meter around...
"has anyone actually scientifically proved that these devices are completly safe for consumers"
Umm.... Yes.
Thanks for the plug opportunity: http://www.soronlin.org.uk/mobile-phones
That's for mobile phone masts, but the maths are there to disprove your point: Using a mobile phone for 15 minutes a day has three thousand times the effect of it's regular polling of the cell for five seconds every ten minutes. Make that that five times larger for the smart meter polling interval, and it's still 600 times less than making a 15 min. phone call. The figures are for 8 hours, so we should make it three times larger, or a mere 200 times less than a 15 minute mobile phone call.
Assuming you are an average of five metres from the meter, you should reduce that by another factor of 25, since the numbers are worked out for a distance of one metre.
So having the smart meter active is 5,000 times less damaging than a 15 minute mobile phone call per day, or 333 times less than a one minute call per day.
You may not use a mobile phone for one minute or fifteen minutes a day, but many, many people use one for much longer than that. If smart meters caused any damage, then many, many people would be seriously damaged by their mobile phones. Mobile phone users are the canary that would warn of possible injury from smart meters. There is no discernible injury to mobile phone users, and therefore smart meters are safe.
"has anyone actually scientifically proved that these devices are completly safe for consumers"
"Umm.... Yes."
Ummmm...... *NO*
What they, whoever 'they' are, have shown that there is no evidence that low levels of exposure to radio transmissions is harmful to health"
That is not the same as saying low levels of exposure to radio transmissions is safe.
I can imagine the Wright brothers saying the same thing, "we've no evidence that powered aircraft crash causing fatalities..... Who? Otto Lilienthal! No he was killed in a glider crash, totally different thing".
Very hard to prove a negative, no evidence of risk is as close as one will ever get.
All this talk of "electrosensitivity" is utter bollocks. There has simply been no evidence of it and what tests have been done (putting an "electrosensitive" in room where wiring was switched on/off) simply showed they had no sensitivity.
it's a feature. Why else would you sample every couple of seconds unless you were looking for signatures?
I'm pretty sure that there are plenty of people who would like to know what you are doing and when. Apart from the marketing opportunities of knowing what people are watching. I would imagine that all those computer-controlled washing-machine programmes also have fairly unique signatures. You can probably tell when a coffee machine kicks in (shorter than a kettle, but equally high power).
Mine the data after a couple of years and you can probably tell who's is going to need to replace various appliances and when. Also, who might be be annoyed with their current appliance vendor and be ready to move.
Pick out who is watching what and you might get a good idea of how they might vote too.
I look into my crystal ball and see Google getting into the energy generation business...
Drive round posh housing area, use radio to intercept and triangulate signals, bit of traffic analisys later, you know which house to go and rob.
Thats without breaking the security (if implemented)
Given encryption is a time and resource based security methodology, how frequently will the vendors be rotating the encryption keys, who will have access to them to flog off to their criminal friends.
Smart Meters are all about the utilities companies making more money by getting rid of the costs of data collection, customer crime victim figures do not appear on their balance sheet..
Assumption is you work for "Stone Age" employer, the minions must be seen sat in front of manager's desk to make him look important (the "presentism" culture of UK management)
However home working is a popular move, your staff work better when not p*s**ed off at BR/Failtrack, you can cut circa 25% of your expensive office space, and the staff get a better work/life balance, by ditching comute hours.
Thus burglar is increasingly likely to encounter large angry bloke working from home.
Is it a task requiring many years of study and wearing of sandals?
Or just a case of RTFM?
You can teach knowledge, but you can't teach thoroughness.
BTW Sampling *every* meter every 2 secs. Note that's not switching tariffs every 2 secs.
How often are they planning to bill customers?
You've clearly never seen industrial utility meters - they are as granular as possible, some billing down to sub-minute blocks. Presumably the cost to manufacture and install more sophisticated meters has come down enough over time that the extra data supplied will outweigh the costs.
That and the government has decided that Smart Meters are a Good Thing (tm).
I would expect that in a year or two once the meters are well established they will start rolling out variable rate tariffs to domestic customers as well, so probably billing in 15-30min blocks. I would be surprised if they went much shorter than that, the usage usually isn't high enough to justify the extra hassle.
Oh, and one thing people haven't considered - if every house on a street has a smart meter giving constant usage figures, it becomes significantly easier to detect fraud and criminal usage as the flow for a given section of distribution circuitry can be precisely measured.
Ie, they could run a relatively simple calculation on a given segment known for using more power than billed for, and the maths would reveal the loss is happening between #34 & #36, or say the 5th & 6th floors of a larger building.
"they could run a relatively simple calculation on a given segment known for using more power than billed for"
They could, but only if they have some kind of reasonably accurate monitoring technology in place in the "last mile" (to borrow a telecom expression).
Last time I checked, that kind of stuff didn't seem to be used widely, if at all.
Have things changed?
One other obvious use for it would be that an instantaneous big step change downward in current consumption means that there may be an open circuit downstream, so the call centre folks may need to be ready for some inbound action.
Who in their right mind would sample a domestic electricity meter every 2 seconds
There are what? approximately 50 million people in England, for arguments sake lets say there are 4 people in each home and 1 meter in each home, that's 12 1/2 million meters sampled 43,200 times a day.
That's 540,000,000,000 meter readings a day.
That's 197,100,000,000,000 meter readings a year.
Multiply that by the size of your data record, then multiply it by 4 for 3 generations of backups!!!!
Fuck Me!!!! I don't fancy trying to restore that at the hot site.
How many olympic sized swimming pools could you fill with the back-up tapes?
They may sample every 2 seconds and average before storing it, perhaps?
When I last got involved with the metering people in Milton Keynes, their MW-scale customers meters were read every 15 minutes, and the system for reading them had to work come hell or high water.
That was a little over a decade ago though, before HP took over VMS, back when there were still a few people that knew what a VMScluster could do for availability and scalability.
The old meters directly measured the cumulative power flowing through the wire. Maybe these digital meters only measure the instantaneous power demand. In order to determine the cumulative power they take a reading every two seconds and assume it was constant for those two seconds. Then they add up all the readings and divide by the right number to give a result in kWh.
Or maybe it accumulates power for two seconds, measures it, dumps the accumulation and starts again. Unlike mechanical wheels, capacitors leak, so you could not accumulate a reading indefinitely like the old analogue meters. But over two seconds the leakage can probably be arranged to be negligible.
Since the first can be fooled fairly easily, I'd guess it was the second.
That's just a guess; I know nothing.
"Because meter readings were sent in clear text, the researchers were able to intercept and send back forged (incorrect) meter readings back to Discovergy".
Well, at least the company stands to lose money in that scenario, so they have some incentive to fix the problems. Unfortunately they can't give up smart metering, because that's their only product line as far as I can see.
"send back forged (incorrect) meter readings back to Discovergy"
Sod that; send forged commands to the meter to reset its counters.
Better still, don't pay the bill, get cut off, send forged command to the meter to switch it back on and not to record any usage.
Noisy neighbours having a party? Send forged commands to their meter to switch it off!
You'd need accurate details of what is in the house to make sense of the 'leccy demand figures.
e.g., just as the plasma telly (that I haven't got, it's an LCD with the annoying dynamic brightness stuff turned off) drops it's consumption in a dark scene, the NAS decides to start all four discs because something wants some data, wiping out the drop from the telly.
The big lights in the kitchen (3x60w incandescents) use more power than most of the rest of the kit in the house. If I go and get a beer out of the fridge, power use goes up 200w for 20 secs.
Cool idea, but I don't think it'd work in the real world.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
