SecurityWeek


Smart Meters Pose Security Risks to Consumers, Utilities: Researcher

 Smart Meter Installation - Credits: Portland General Electric

Serious vulnerabilities in smart electricity meters continue to expose both consumers and electric utilities to cyberattacks. However, some have questioned claims that hackers can cause these devices to explode.

Smart electricity meters allow service providers to remotely monitor consumption and connect or disconnect power, and they enable consumers to better understand their energy usage. Millions of devices have already been deployed and governments around the world plan on completely replacing traditional meters in the next few years.

Smart meter vulnerabilities

Between 2010 and 2012, several experts detailed the security and privacy implications of using smart meters, and SecureState even released an open source framework designed for finding vulnerabilities in such devices.

However, according to Netanel Rubin, who recently founded Vaultra, a company that develops security solutions for the smart industry, smart meters continue to lack proper security mechanisms, allowing malicious actors to use these devices to target both consumers and utilities.

In a presentation at the 33rd Chaos Communication Congress (33C3) in Hamburg, Germany, Rubin analyzed the methods that can be used to hack smart meters. The expert said that while physical attacks are more difficult due to various protection mechanisms, remote software hacking can be much easier to conduct.

The protocols used by smart meters include ZigBee, which is used for communicating with smart appliances in the consumer’s home, and GSM, which is used for communications between the meter and the electric utility. Both ZigBee and GSM have been known to contain serious vulnerabilities, and they have been poorly implemented in smart meters.

In the case of GSM, many electric utilities still haven’t implemented any form of encryption, despite being warned of the risks several years ago. Those that do use encryption rely on the A5 algorithm, which is known to be vulnerable to attacks.

The researcher said an attacker can get smart meters to connect to their own GSM base station by broadcasting a stronger signal than the legitimate base station. The smart meter will connect to the rogue station and will attempt to authenticate using hardcoded credentials, allowing the attacker to hijack traffic and take control of the device.

Moreover, since the meters deployed by each utility use the same credentials, it could be easy for malicious actors to compromise all the devices operated by that organization.

According to Rubin, such attacks can be prevented if utilities use proper encryption, implement network segmentation instead of “using one giant LAN,” and monitor their smart meter networks.

In the case of attacks aimed at consumer home networks, hackers can abuse ZigBee, a protocol standardized more than a decade ago. Unlike other devices that use ZigBee, such as smart hubs, smart meters don’t ensure that a new device should be allowed to join the network before they share the network key with it. This key can allow an attacker to impersonate any device and take control of other devices on the network, Rubin said.
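The missing join check described above, modeled as an added example (not code from Rubin's talk or from any meter vendor): the permissive handler releases the network key to any requester, while the checked handler requires an open join window and a provisioned device. The types, function names, addresses and keys are hypothetical, and encrypting the key under the per-device link key is left to the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model (not vendor firmware) of a meter that holds the ZigBee network key. */
typedef enum { JOIN_ACCEPT, JOIN_WINDOW_CLOSED, JOIN_UNKNOWN_DEVICE } join_result;

typedef struct {
    uint64_t eui64;        /* IEEE address of a device the customer provisioned */
    uint8_t  link_key[16]; /* per-device key that protects the network key in transit */
} provisioned_device;

typedef struct {
    const provisioned_device *allow; /* allowlist of provisioned devices */
    size_t   allow_len;
    uint32_t join_open_until;        /* joining is closed once now >= this (seconds) */
    uint8_t  network_key[16];
} meter_state;

/* Constructed sample data: one provisioned device, join window open until t=300. */
static const provisioned_device SAMPLE_ALLOW[] = {
    { 0x0011223344556677ULL, { 0x11, 0x22, 0x33 } },
};
static const meter_state SAMPLE_METER = { SAMPLE_ALLOW, 1, 300, { 0xA5, 0x5A } };

/* Behaviour the article describes: every requester receives the network key. */
join_result join_permissive(const meter_state *m, uint64_t eui64, uint8_t out_key[16]) {
    (void)eui64; /* the requester's identity is never consulted */
    memcpy(out_key, m->network_key, 16);
    return JOIN_ACCEPT;
}

/* Hardened: release the key only inside the join window and only to a provisioned
 * device. The caller must send it encrypted under *transport_key, so a requester
 * that merely spoofs a listed address cannot read it. */
join_result join_checked(const meter_state *m, uint64_t eui64, uint32_t now,
                         uint8_t out_key[16], const uint8_t **transport_key) {
    if (now >= m->join_open_until) return JOIN_WINDOW_CLOSED;
    for (size_t i = 0; i < m->allow_len; i++) {
        if (m->allow[i].eui64 == eui64) {
            memcpy(out_key, m->network_key, 16);
            *transport_key = m->allow[i].link_key;
            return JOIN_ACCEPT;
        }
    }
    return JOIN_UNKNOWN_DEVICE; /* out_key is left untouched on every reject path */
}
```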

If they hijack the meter itself, attackers could find and exploit vulnerabilities – the lack of CPU and memory resources in a smart meter often results in minimized ZigBee code, which does not include security checks. While memory corruption issues, such as buffer overflows, might not be easy to exploit, the researcher believes it’s enough for an attacker to find a segmentation fault and crash the meter, which can lead to a power outage.

Debug ports accessible via hardcoded credentials and the lack of proper ZigBee encryption can also be problematic, the researcher warned.

Risks and FUD

According to the expert, a malicious actor who manages to hack a smart meter could obtain information on the targeted user’s power consumption and potentially determine when the victim is at home, or they could inflate the electricity bill. The expert pointed to an incident in Puerto Rico, where an electric utility reported hundreds of millions of dollars in losses due to smart meter fraud conducted via hacking and other methods.

Even more worrying, Rubin said, is that since smart meters can communicate with all the smart devices in the consumer’s home, an attacker could hijack those systems, including smart door locks.

The expert also believes an attacker could cause a meter to explode by making modifications to the software running on the device.

One member of the audience at Rubin’s 33C3 talk, who has been designing smart meters, pointed out that these devices don’t include hardware that can be caused to explode via a software attack, and noted that smart meter explosions are typically caused by faulty installation. Others took to social media to question Rubin’s conclusions.

Rubin pointed to an incident in Canada where he claims investigators determined that such hacker attacks are possible, but the details he provided were vague. One of the smart meter explosion incidents he referenced during his presentation turned out to be a fire caused by something other than an exploding smart meter.

Another member of the audience said Rubin oversimplified and sensationalized the issue, but the researcher claimed he did that on purpose in an effort to get through to people outside the cybersecurity community.

Rubin said Vaultra plans on releasing a smart meter fuzzing tool in the upcoming weeks. A video of the researcher’s talk at 33C3 has been made available by the conference organizers.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
