Smart meters are ‘dangerously insecure’, according to researcher Netanel Rubin, with insecure encryption and known-pwned protocols – and, worryingly, attacks reach all the way to making them explode.
The utility hacker and founder of Vaultra derided global governmental efforts to install the meters as reckless, saying the “dangerous” devices are a risk to all connected smart home devices.
Smart meters can communicate with devices inside homes, such as air conditioners, fridges, and the like. A hacker who could break into the meters could control those, potentially unlocking doors.
They could also manipulate the meter’s code to cause fires, something that’s trivially easy at mains a.c. voltages.
“An attacker who controls the meter also controls its software, allowing them to literally blow the meter up.
“If an attacker could hack your meter, he could have access to all the devices connected to the meter.
“The smart meter network in its current state is completely exposed to attackers.”
Rubin acknowledged some complaints about fear-mongering from the security audience at the Chaos Communication Congress in Hamburg, Germany, but says his description of exploding boxes is meant to deliver the message of smart meter insecurity to the wider public.
He fended off comments that triggering explosions through hacking was not possible, saying it had been acknowledged in the US [The Register could not at the time of writing independently verify that claim].
The physical security of the meter is strong, but hackers still have plenty of wireless vectors to attack.
Rubin lists smart meters’ use of Zigbee or GSM protocols, often left insecure and unencrypted, or at best secured with the GPRS A5 algorithm, which has been known to be broken for more than five years.
Attackers can also broadcast over the top of meters’ comms protocols, forcing all units in an area to connect to malicious base stations using hardcoded credentials.
That grants hackers direct access to the smart meter firmware for deep exploitation.
“All meters of the same utility use the same APN credentials,” Rubin told the applauding audience.
“One key to rule them all.”
Worse, Rubin found that smart meters add home devices and hand over the critical network key without first checking whether the gadgets should be added. This opens an avenue for attackers to masquerade as home devices, steal the key, and impersonate the meter.
“You can communicate with and control any device in the house from way across the street, open up locks, cause a short in the electricity system, whatever we want to do.
“A simple segmentation fault is enough to crash the meter, causing a blackout at the premises,” Rubin says.
He says the attack vectors would have been erased had proper encryption been used and the network been segmented instead of treated as a “giant LAN”.
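The join behaviour described above (a meter handing its network key to any device that asks) set beside an admission check, as an added example that is not from Rubin's talk or any vendor's firmware. It assumes a hypothetical meter holding an allowlist of devices with per-device secrets provisioned out of band; every name here, and the HMAC-derived key wrap, is an illustrative stand-in rather than the Zigbee procedure.

```python
import hashlib
import hmac
import secrets
from typing import Optional

NETWORK_KEY = secrets.token_bytes(16)  # constructed stand-in for the home network key


def join_unchecked(device_id: str) -> bytes:
    """Behaviour the article describes: any joiner is handed the key."""
    return NETWORK_KEY


def device_proof(secret: bytes, nonce: bytes, device_id: str) -> bytes:
    """Device side: prove knowledge of the provisioned secret for this challenge."""
    return hmac.new(secret, b"join" + nonce + device_id.encode(), hashlib.sha256).digest()


def wrap(secret: bytes, nonce: bytes, key: bytes) -> bytes:
    """XOR the key with a per-join pad (stdlib stand-in for authenticated
    encryption); applying it twice with the same inputs unwraps."""
    pad = hmac.new(secret, b"wrap" + nonce, hashlib.sha256).digest()[:len(key)]
    return bytes(a ^ b for a, b in zip(key, pad))


class JoinGate:
    """Hypothetical admission check: allowlist plus proof of a per-device secret."""

    def __init__(self, provisioned):
        self.provisioned = dict(provisioned)  # device_id -> secret set up out of band
        self.pending = {}                     # device_id -> outstanding challenge

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def admit(self, device_id: str, proof: bytes) -> Optional[bytes]:
        nonce = self.pending.pop(device_id, None)  # each challenge is single use
        secret = self.provisioned.get(device_id)
        if nonce is None or secret is None:
            return None                            # unknown device or replayed proof
        expected = device_proof(secret, nonce, device_id)
        if not hmac.compare_digest(expected, proof):
            return None                            # wrong secret: no key released
        # The key never leaves in the clear, so a listener cannot lift it.
        return wrap(secret, nonce, NETWORK_KEY)
```
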
The attacks were realised in 2009 in Puerto Rico, when hackers caused some US$400 million in billing fraud.
Rubin says meters’ ability to communicate with internal smart home devices is only the first step, as utilities expand in the future to form city-wide mesh networks with city smart appliances.
“The entirety of the electricity grid, your home, your city, and everything in between will be in control of your energy utility, and that’s a bit scary.”
About 40 percent of the smart meter market is held by Itron, Landis and Gyr, and Elster.
The European Union wants to replace more than 70 percent of electricity meters with smart versions at a cost of €45 billion. Some 100 million meters are already installed globally.
Rubin expects a sharp increase in hacking attempts, and called on utilities to “step up”.
He released an open source fuzzing tool to help security researchers test their own meters. “Reclaim your home, before someone else does.”