I guess this is Friday, so it is OK
This development has BOFH written ALL over it.
Clicky clicky Lights off, Clicky clicky lights on. What fun. Can we light up the houses in an obscene pattern? Clicky clicky clicky...
New electricity meters being rolled out to millions of homes and businesses are riddled with security bugs that could bring down the power grid, according to a security researcher who plans to demonstrate several attacks at a security conference next month. The so-called smart meters for the first time provide two-way …
To quote from the article:
[quote]In some scenarios, smart meters would respond to power shortages by telling smart appliances such as clothes driers and dish washers to shut off until more power is more plentiful.
"This is something that's been on everyone's radar," said Ed Legge, a spokesman for Edison Electric. "I think we've reached that point of opportunity plus ability to do it."[/quote]
This sounds like an opportunity for electricity suppliers to say "Sorry, you've exceeded acceptable usage limits for your power plan, you'll have to switch up to the premium package"...
Thanks for posting this on a Friday, it's just the sort of article that permits, even forces me to go out and get blind drunk, kill off a few million brain cells and make sure I can see into the future no further than the blurred outline of the last drink morphing into an aspirin bottle the next day.
Oh the Tyler Durden in me is cackling with glee over the potential of this....
1) Randomly flick power on and off 10 times/second, and destroy home theatre equip in rich areas
2) Giant Penis, seen from space, created with houses, and google maps
3) Turn off the power of various politicians, and other people I don't like.
4) Take sides with Anon, and shut off power to every Scientology site I can, and lock the meter. OR add a couple of zeros to their rate per KW hr.
5) Spell out BOFH was ere !
This list is endless..
Pirate, because we don't have a Tyler icon
>"This sounds like an opportunity for electricity suppliers to say "Sorry, you've exceeded acceptable usage limits for your power plan, you'll have to switch up to the premium package"..."
WTF are you talking about you nutjob? Some fantasy world where we all pay a fixed rate for electricity to companies that have promised us unlimited usage? Your copy-pasta spiel refers to the whole unmetered broadband and capping issue, but we're talking about electricity here. Have you not noticed that we all already pay for electricity by usage? You utter clown.
"...That would eliminate the need for meter readers to visit each customer to know how much electricity has been consumed, for instance."
In that case, I'll expect my monthly "Customer charge" to decrease since they're admitting they'll be doing less work and using less labor.
"...Technicians envision a system that raises or lowers rates hour by hour depending on the supply of power available, which would be measured based on the reports of millions of individual meters."
Is this legal? It doesn't sound like it to me. What that says is that you will have absolutely no idea how much the power will cost as you use it. You will only know how much it cost once you receive your bill, and even then, it will probably only show the month's or days' total cost instead of showing a breakdown of each rate period. I can't think of any other product or service for which we're expected to pay without knowing the cost up-front.
Lastly, the complete lack of security should be illegal as well. It probably isn't, but it should be. After all, if it's using a mesh network with no encryption, then it's broadcasting your personal information (power usage and possibly other data) and personally-identifiable information (the meter's ID and possibly other data) to anybody who wants to listen. That should be a violation of various data protection laws.
It may have escaped your notice but the UK Govt. is currently pushing full speed ahead for smart meters for both gas and electricity by 2015 at the latest.
Want to guess how they will source the roughly 22 million meters (in a hurry) at "reasonable" prices?
Their plan is that *your* meter will be reporting back to them sooner rather than later.
"New electricity meters being rolled out to millions of homes and businesses are riddled with security bugs that could bring down the power grid"
I know this is horribly technical, but countries outside the Continental USA also use electricity, and even have power grids!
Come on folks, this is an international site. At least make it clear to which country/countries you are referring when you throw out scary (sorry, attention grabbing) opening lines.
Aside from pointing out you cannot spell "ev*E*r" (and you can't seriously try to blame *that* on a typo!), you really should read properly before commenting.
Tzael was responding to the idea that the utility companies would be allowed to tell "smart" gadgets like dishwashers and washing machines to switch off for a while when demand was high (ie when Coronation Street or Eastenders finishes). He's (?) suggesting it won't be long before the idea that we can use as much electricity as we want and pay for it afterwards will be replaced by a rationing scheme where you get an allowance instead - like many "unlimited" broadband accounts ended up having limits on how much data you could move and how fast it would go...
Piracy, cos that's what you get when you let the supply companies determine how to regulate themselves. The [EXPLETIVE DELETED] kept sending me estimated bills even though I'd ring 'em every time and give them the readings; finally they have agreed to send someone to read the meters (and yes, part of the charges I pay is supposed to cover someone doing that anyway, but they never gave me a rebate when I did their job for them).
Jesus, such a low standard of living you guys are having these days, having to penny pinch tiny bits of power from your meters.
Sounds pathetic. They'll be giving you rations of 3 peas a day for your food next. What else are they planning on rationing the people in the West?
"insecure programming functions, such as memcpy() and strcpy()"
Those functions are not insecure. Code to do exactly what they do today will sit underneath the allegedly "safe" Microsoft-promoted versions which when abused can be just as unsafe as the MS-promoted ones. But that's Microsoft for you; they just redefine safety to mean "Microsoft-specific".
As for smart meters in general and in the UK in particular: in the next few years, electricity demand will far outstrip electricity capacity and there's no way that new capacity can be built in time. A wide deployment of smart meters will allow lots of customers to be disconnected so that "essential services" (MPs, police, etc) can be protected. You have been warned.
You mean 47th, not 51st. There's only 46 states in the USA, the other 4 are commonwealths. :-P
Anyway, we're going further under the heel of the greedy* fascists** in Brussels, so I doubt the USA will have their talons in us for much longer.
*Sign into the European parliament for the day, collect £175 and then bugger off without having to do any work. But it's all OK as it's "in the rules" to get paid for doing sod all.
**There is no public representation in most things, it's all run by unelected wonks. Any oversight will result in the auditor/investigator getting the sack. Most minutes are kept secret. Obey or face the consequences.
I guess those who developed the system didn't think about security because in the first place you're not on a public network and there will be security at connection points.
Developers can go bonkers or paranoid trying to think about all the potential attack vectors.
But yeah, a good code review should have caught some of the blatant errors.
The good news is that it's possible to correct these defects without having to redeploy the existing meters and could be done remotely.
A flame or pox on the bean counters who take shortcuts in the name of profits.
I'm really grateful security research has shown what a dog's dinner the security of these devices is. I'd like to blame micro$oft for these failings, but for the device to work it has to have a real-time O/S, something micro$oft can't do. At least these problems are clearly in the open, and have to be fixed.
Security issues aside, these things can be a real eye opener, and help *YOU* actually reduce consumption and save money : eg. comp on 24/7 all month £15, now off most of the time. I bought a device that tells you electricity costs. It claimed that it would save me money. It really has, and a lot ! It gives you a way of looking at just how much you are using. You can use this information to educate the kids, full of green 'thou shalt not do this' crap from school (but no practical guidance), and show them that taking ages in the shower, leaving the telly on while doing something else, etc. really can make a difference. Imagine you're tight on cash ....
The UK has barely enough grid capacity to meet demand right now. With nuclear sites going offline at end of life, the situation is going to be even worse because new capacity has not been planned sufficiently far in advance. There are 2 stark choices that emerge from this result of incompetent labour government energy policy :-
1) brownouts (if only it meant no turd in No 10, but I mean power dips in the grid) caused by load above generating capacity. Damage to the grid also very likely, so giving long term power supply failure in some areas.
2) make what you have work more effectively by making the electricity demand more even. Enter the smart meter, and associated smart devices.
Seems to me choice number 2 is preferable ? Assuming of course that those in the ISS won't be offended by the botnet art that results !
"As for smart meters in general and in the UK in particular: in the next few years, electricity demand will far outstrip electricity capacity and there's no way that new capacity can be built in time"
That'll be because they've all sat on their fat arses in Westminster living it up on taxpayer pork rather than slapping down the Eco numpties and chucking up a few modern nuclear power stations. Sorry, I forgot that they've covered the breezier parts of the land with Windy Miller's wet dream that can power about 5 houses at peak usage.
Only the UK wants to do this with both electricity and gas meters.
NB In the UK utility companies are removing electronic gas meters as they don't like the logistic hassle of replacing the button cell in them every 5 years.
I don't know how much power a gas meter with GSM modem consumes but I bet it will flatten a button cell in days, not years at the very best.
So run a cable from the electric meter to the gas meter? What about people who have them in different places? Induction power transfer so meters remain disconnected.
Micro fuel cell?
Extra shelf for 12v car battery. How much fun will getting those replaced be? About 22 million every x years.
Do you sense another half cock government policy which has not been thought through?
That hasn't happened the last decade or so, here in Norway.
(Except for a surprise visit here and there)
Every customer reads off their meter at the end of the period, then register it using snail-mail, dialling it in to one of those annoying 'Press 1 to screw up your subscription, press 2 to be put on hold' systems, text messaging, or even on the intarweb.
Must be working, for I'm only using 6000KWh/year...
More smart meters means fewer meter reading jobs. This is antithetical to the promise of new or saved jobs (unless you adhere stringently to the "or" representation there, which is used often by our current administration to cover its ass and claim success or assign blame for any scenario.) Electric companies will not cross-train or re-train readers to become security specialists, I promise you that. Instead, they will become like every other automated monitoring system in which a minimal staff will be maintained which in no way could handle a true disaster or security breach outbreak.
Additionally, the plans are to allow you to log into a "secure" web site to allow you to view your usage in real-time. Like other systems which allow this "convenience," you will probably not be able to opt-out to protect your privacy, so your activities will be protected by the lowest common denominator in security so as to be idiot-proof to avoid calls to the help line. And we all know end users are stupid, anyway, using the most insecure passwords available, or sharing passwords with people who have no business with them in the first place. This opens a nice door for stalking ex-partners or others who wish to determine when you are not home... or worse, when you are.
And password aging and rotation is not an answer to this, as people ALWAYS find ways to circumvent this process. Your factors of authentication are where the entity is, something the entity knows, is, or has. The last one would be most significant -- an RSA token would be a great step towards securing this information. The electrical system and its subscribers are a part of our critical infrastructure and, as such, should be treated that way.
@AC: "@Tzael"
The fact that the electric companies do not do this now does not mean they never will. Our Glorious President has already stated that he intends power companies to do just that, charge additional for anyone using more than their "fair share." That is equality for you.
Paris, a part of our not-so-critical infrastructure, and thusly treated.
I have a friend of a friend personally involved in the UK rollout for a well known electricity supplier. Forwarding this article has ruined his day quite severely, to the extent they are seeking answers as to how much of this article is true.
Yes they are mesh driven and if you know where to look you can find them with a scanner, decrypting the data should be trivial assuming it's not already based internally on something like a Zigbee.
Commercial/industrial consumers over a certain size (500kVA????) have for a long time had tariffs which include a charge component based on "maximum demand". The higher your maximum demand, even if only for a short while, the higher your bill, even if your overall usage is constant. Seems entirely reasonable to me, as the costs need to cover not only the energy consumed, but also the cost of the capacity to generate and distribute it. It costs more to supply 24 kWhr (24 units) of electricity in 1 hour than it does to supply 24kWhr over 24 hours. Mostly. Terms and conditions apply, your mileage may vary, etc.
>Well, they could always switch to 220v for local power lines ...should save quite a bit ...
Err... sorry, the US already uses 230v household current. It's two phase (split around ground) so for low power household circuits it appears as 115v. Higher power circuits -- cookers, driers and so on -- use 230v.
What they're doing locally at the moment is offering people a rebate on their A/C if they sign up for remote control of their thermostat. The utility can regulate demand to match supply, avoiding brownouts or power cuts. We (in California) inherited a bastardized deregulation scheme similar to the way the UK's privatization was set up which has resulted in the situation where the suppliers get paid a fixed price (by the state) regardless of the power used. They've got a positive incentive to reduce power consumption -- not all bad, because we get CFLs at giveaway prices and so on -- but it's still a bit of a scam (our electricity prices went through the roof after deregulation due to rampant speculation -- it got stabilized by the State but we're still paying through the nose for power).
You are talking about peak demand, with which I can easily agree. If you put a burst load on the electrical system, obviously you are incurring a massive influx requirement. I would hate to see the power bill for the Florida State University High-Field Magnetic Laboratory, as well as the extra feeders and generating equipment the City of Tallahassee utility services needs to supply it.
But what everyone else is talking about is "usage," much different from "demand." The cap-and-trade argument refers to being allowed to use only a certain amount of energy over a given period, limited by the associated carbon credits allotted to defer against the carbon dioxide your energy consumption releases into the air.
A bunch of horse-shit, frankly. And it will indelibly hamper my profession as well, which requires me to drive around most of the day going from site-to-site to fix things hands-on which a remote session cannot handle. Nothing else in government financing takes into consideration sole proprietorships, as a single male I will easily overrun my allotted credits which will incur additional fees, or carbon credit purchases. In turn my service rates will have to increase, which will eventually cause customers to turn away from my services.
More to the topic of electrical services, I like not shivering inside my own house. The recommended thermostat setting of 68F leaves me bundled up like I am in "Call of the Wild" so as not to shiver my teeth out of my skull. I make up for this during the summer, though, as I can ignore the recommended setting due to my heat tolerance.
Others may have the opposite problems, but nonetheless, in neither situation would we want the power company telling our thermostat what is the ideal setting for us. As it is we guard the thermostat against roaming fingers with a Nerf sniper rifle just to stay comfortable.
Paris, must be guarded against roaming fingers.