back to article Smart meters pose hacker kill-switch risk, warn boffins

A leading computer scientist has warned of the security risks of using smart meters in controlling utility supplies. A programme is underway to replace Britain’s 47 million meters with smart meters that can be turned off remotely. Utilities welcome the move because it will greatly simplify the process of collecting meter …

COMMENTS

This topic is closed for new posts.
  1. Number6

    In Case of Emergency...

    A pair of very insulated and thick jump leads to bypass the hacked component. If the Safety Elf turns up, hand him one end of each lead while you go to remove the other ends...

  2. Barn
    FAIL

    Firmware updates?

    The idea of firmware updates for smart meters is scary, let alone the thought of terrorists turning them off remotely. If the power company manages to brick several thousand meters while rolling out an update, how long will it take them to fix each one?

    1. James Hughes 1

      @Firmware updates

      Since there are refund systems in place to compensate the end user in cases of electricity failure, I imagine they will be very VERY careful doing upgrades, since they will get a big bill if it all goes wrong. Won't stop it happening, or them trying to get out of paying if it does though.

      1. Anonymous Coward
        Anonymous Coward

        Hardware bypass

        If the meter were to hold the supply closed, rather than open, then bricking them would still mean you get your 'leccy until they fix your meter. They wouldn't lose much (aside from the cost of fixing the meter) since they could guess your usage (far more accurately than before).

  3. Anonymous Coward
    Anonymous Coward

    It sounds Daily Mail alarmist..

    .. but to be honest, the fella has got a point. It'd be an extremely desirable system to hack and as we know in the PC vs Mac vs Linux wars, your system's only secure if no-one's really interested in hacking it.

  4. hplasm
    Big Brother

    BF FB

    Big Fat Ferrite Bead.

    Should keep *all* nosey packets where they belong...

  5. Anonymous Coward
    Anonymous Coward

    I always thought that..

    ..part of the reason utility companies haven't switched to remote reading of meters (even using local bluetooth signals), even though it's been feasible for years is that they want their readers to take a look at your meter and check that you've not been tampering with it.

  6. Laurent_Z
    Jobs Horns

    simply turning off ? ... nahhh

    The trick would be to quickly turn on and off the power 10 or 20 times in a row before cutting it.

    Not only you deprieve ppl from electricity, but most of their old (and not so old) hardware wil probably die in the process...and they'll never know about it until power is restored.

    (/me turns in his sleep and dreams 'My name is Bofh, James Bofh')

    1. Christoph

      Even worse

      Pulse lots of them simultaneously. You take out the supply hardware as well.

  7. Sergie Kaponitovicz
    Alert

    Daily Wail story

    A Pound to a pinch of shit that this is in the Daily Wail within 3 days.

    1. JimmyPage
      Joke

      Why 3 days ?

      1) to add the immigrant angle

      2) to add the house prices angle

      3) to add the threat to middle classes angle.

      So it'll read something like :

      SMART METER HACK FEAR AS MIDDLE ENGLAND RISKS RISE IN IMMIGRATION AND FALL IN HOUSE PRICES

      1. chr0m4t1c
        Happy

        You missed one

        4) Add a cause of cancer.

        IMMIGRANT SMART METER HACKERS CAUSE FALL IN HOUSE PRICES AND CANCER - OFFICIAL!

  8. Tom Paine

    soft/high value targets

    Electricity transmission lines, "increasingly well-guarded"? Shurely shome mishtake; it's impossible to guard thousands of miles of cross-country high-tension lines. It's always been a mystery to me that the IRA never realised that with a dozen well-chosen bombs the size of a packet of fags on London-bound electricity generation lines they could cause massive disruption with virtually zero risk of detection or bad publicity resulting from civilian casualties.

    1. Anonymous Coward
      Grenade

      Believe it or not ...

      energy supplies (in the 80s, certainly, when I worked for British Gas) were better guarded than people realised.

      And to respond to your point, the IRA *did* realise the potential of economic disruption. Late in the day, true. But it was their targeting of Canary Wharf in 1992 which forced the UK to start negotiating with them. Because the IRA demonstrated they could plant lots of small - almost harmless bombs, and cripple the city to the tunes of billions of pounds. Something people should bear in mind when they discuss anti terrorist policies. Kill 3,000 people, and you get nowhere. Threaten a few peoples fortunes, and you have the keys to the kingdom.

  9. Anonymous Coward
    Thumb Up

    Mobile networks

    Been involved in a couple projects around these smart meters. they use mobile networks for control. If anything dodgy happens just unplug the external antenna :)

    1. paulf
      Alert

      letters and/or digits

      While I want to agree with you (on the remove the antenna bit) it might be a bit late once the switch has been thrown to off and the only way to turn it back on again is via the (now disconnected) antenna (local methods using service manual hacks notwithstanding).

      Also I'm betting that if the antenna has to be external like that, and cannot be integrated to reduce tampering, they will put a compression seal on the connection.

      If my smart meter gets borked like that I don't think I'll bother removing the antenna connection. If they don't sort it within an hour I'll be removing the compression seal on the master fuse and bypassing the little bugger all together!*

      [*Exactly what I'll use to route a 250V 200A domestic supply inc night storage heaters around the borked meter I don't quite know - TBD at the time. Not sure the standard rated 'chocolate block' will fare that well.....]

      1. Anonymous Coward
        Anonymous Coward

        Hmm...

        I suspect that you're talking about different smart meters - I read (I think here) that the network which the meters use will be supplied by BT Redcare, which suggests it'll be wired.

  10. TWB

    Call me naive...

    But why could'nt the network for the meters be private and completely isolated ie. there is NO connection to any other network of any sort? (yes there would still be safe ways of getting meter readings to customers emails etc)

    1. Andy Mc

      You're naive

      Because it's either hooked up to the control servers via the power-lines (a connection to which is available in every house) or via a wireless network of some kind (which is therefore available everywhere). How exactly do you propose isolating this network?

      1. Anonymous Coward
        Anonymous Coward

        Wireless?

        Wireless, but not "wireless" in it's currently accepted common usage, but wireless in terms of the mobile phone network.

    2. Anonymous Coward
      Paris Hilton

      You're naïve

      Would you care to explain how you intend to isolate a network that has a node in every single house/building in the country.

      All it takes is someone with a scalpel, crocodile clips, big balls and the correct programming nouse to be able to connect to the network (ie the power lines) and all hell breaks loose. And of course, they can do it from the comfort of their own home.

      Of course, if I've misunderstood the technology and it instead uses RF or GSM signalling, it is a similar exercise, but conducted inside the 'smart meter' itself - you're just hacking at a different level.

      Of course, I'm sure they'll come up with a way to foil such hacking attempts, such as by placing "warranty void if seal broken" stickers on it, using security screws or labelling both sides with "open other end first"

  11. Pete 2 Silver badge

    Yawn! Generic alarmism, applicable to everything

    Everything has risks. The more interconnected everything gets the greater the potential for harm. However this guy has not managed to quantify the risk, or the downside, so is quite incapable of making any sort of judgement about whether the risk outweighs the benefits.

    Ignore.

  12. hugo tyson
    Grenade

    Re: Electricity transmission lines, "increasingly well-guarded"?

    Transmission lines, you have a point. But is it just me, or has anyone else noticed that new substations/switchyards are much more "indoors" than they used to be. One new one in CB4 for a new housing estate has a roof and complete screen walls; another decades old in an ordinary side street has gained high sloping barriers all around - within the chainlink perimeter - that reminds me of nothing more than a N.I lookout post during the troubles. Both are now physically much harder to both get into, and to throw anything into, or pour a flammable liquid into. Hardened against casual infrastructure attack, if you ask me.

    1. Anonymous Coward
      Black Helicopters

      "casual" attack

      that's the secret of security. You can never eliminate 100% of threats. But for 20% of the effort, you can eliminate 80%.

      I wonder if Streetview shows these substations, or if they have been removed ?

    2. Daniel Evans

      Casual Infrastructure Attack

      So the local yobs?

      Always thought it made the world a better place every time one of those idiots got fried in a substation, but hey!

  13. the spectacularly refined chap Silver badge
    Stop

    Hardly a new vuln...

    ...given that meter cabinets are invariably externally accessible on new build properties. A utility key to open up the cabinet and turn the existing meter off costs all of a couple of quid. It seems most people these days lack both the key and practical wherewithal to turn it back on again.

    1. Captain Thyratron

      Thinking too small, man.

      Sure, but you still have to go there to do that, and you can't use that to, say, remotely overcharge some poor bastard, steal somebody's credentials and abuse them for free power, or systematically shut off electrical service to most of a city. It's harder to get caught and standing beside your meter with a loaded rifle will not protect you in the least.

  14. Mr Humbug

    Secured sub stations

    I suspect the security of sub stations has more to do with the increase in the price of copper than with any terrorism threats

  15. Andy H

    Supply side problem

    If the hackers managed to turn off a sizeable proportion of a nations supply in a short space of time. The power stations will still be pumping out megawatt of electricity, all that energy has to go somewhere. Once they sorted the meters out it would be quite a quite a while before people go their supply restored

  16. Shady
    Stop

    So a "computer expert"...

    ...has finally 'echoed' (or re-worded) the opinion that the readers of this rag have been spouting for the last 18 months??

    FFS, we are all doomed.....

    1. John Smith 19 Gold badge
      Happy

      @Shady

      ...has finally 'echoed' (or re-worded) the opinion that the readers of this rag have been spouting for the last 18 months??

      I think you'll find his work was one of the contributions to *start* the debate in the first place.

  17. Andy Mc

    How many?

    "The rollout of an estimated 47 million smart meters to each of the UK's 26 million homes"

    I thought two meters in my house was plenty, and now I'm going to have 47 million installed? Dunno where they'll fit....

    1. Will Godfrey Silver badge
      Happy

      Priceless!

      You owe me a keyboard!

    2. Smarty Pants
      Happy

      Dammit

      Thought I would be first to post that

  18. Tom 35

    We have one

    In Toronto they use them to charge more during peak times (more or less all day) and cheaper over night and weekends.

  19. Anonymous Coward
    Terminator

    security risks of smart meters ?

    > Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, warns that the move to smart metering introduces a "strategic vulnerability" that hackers might conceivable be exploit to remotely switch off elements on the gas or electricity supply grid ..

    Similarly to SCADA units, wouldn't it be a good idea to put these devices on a separate network from the `hackers', using embedded hardware running SecIP/VPN etc. Don't tell me how it can't be done -tell me how it can be !

    http://www.nrc.gov/reading-rm/doc-collections/gen-comm/info-notices/2003/in200314.pdf

    1. Captain Thyratron

      Not worth it.

      Or don't, and just knock off all this smart meter business. Even if you came up with an implementation that is secure by computer network standards, you've still introduced a massive risk to the power grid for...what?

      It will still be a massive risk because the meters are still on a network. Anybody who does manage to find a hole in this hypothetical supposedly secure network and get in--and somebody will, because somebody /always/ does, encrypted or not, or else OpenSSH updates wouldn't come out nearly so often--will be more dangerous to the power grid than a truckload of ammonium nitrate and diesel fuel.

      However good the implementation, that situation is still possible, and there is nothing anybody can do to make it impossible--or even as difficult as more traditional attacks against infrastructure. Besides, how do you go about putting it on a "separate network from the hackers" when anybody with a utility meter in his yard, a set of electrician's snips, and some alligator clips can take a whack at it? Why make it possible in the first place? What's to be gained that's worth that risk?

  20. Anonymous Coward
    Anonymous Coward

    Shirly

    The meters will be given an ip address or similar to identify it and allow it to be controlled remotely (they sure as hell wont be using the customers own connection) , having now commented the reg has my ip address...can they use that to find my physical address without breaking into the ISP and going over their records? No. So how is a power line hacker or terrorist going to be able to identify the IP of the meter and the specific physical location they want to interact with? Bomb by the transformer makes more sense to me consider the "increasingly secure" power distribution systems security only goes as far as a bigger padlock on the wooden fence surrounding the transformer.

    1. KevinLewis
      Flame

      Chaos by randomness

      Sure if someone want's to hit a specific target it will be harder... but why not just release a virus that just randomly buggers people up? One minute takes number 42 down, then takes out a hospital, someone 300 miles away, fire station, etc... basically do a mass denial of service attack to the UK, US or wherever.

      Nothing is impossbile, somethings are just improbable..

    2. A J Stiles
      FAIL

      You don't have to identify it

      You don't necessarily have to identify *whose* meter you're just about to turn off. Just send the Ping of Doom™ anyway and see which house goes dark.

  21. Sampler

    No mention of remote power off?

    Why is it whenever I read about power companies being able to "remotely turn the power off during times of high demand" is it always a throw away line and never addressed - there's not even another comment about it!*

    We're in the 21st Centuary, times should be moving forwards not backwards to days of rolling blackouts.

    So a power company has the choice of investing the money I pay each month in new power generating equipment (my preference is nuclear but I understand we need a balanced mixture for ramping and what-have-you) or they can not spend any money, make their profit margins look good and then when they're in the shit simply turn my leccy off and charge me more when I'm allowed to have it switched on as it's scarce - which decision do you expect the money grabbing bastards to take?

    1. Anonymous Coward
      Anonymous Coward

      Power off...

      The power off at times of high demand thing is that the meters will be able to communicate with high energy devices in the home (subject to your purchasing compatible devices and subject to you agreeing with the leccy company that they can switch them for you.) The idea being that if you've got an air conditioner or fridge etc, which can be delayed switching on for five or ten minutes, it doesn't really do any harm to the fridge/air con and saves having to fire up an entire generating set, which is time consuming and expensive. In return you get a reduction in your bill.

      What it isn't is forcing you to have your entire supply switched on and off at the behest of the energy company whenever they feel like it.

      1. Jellied Eel Silver badge
        Flame

        Reduction in bill?

        When does that ever happen with our privatised utilities?

        What's more likely to happen is your bill stays the same, or increases to pay for dumb meter rollout and windmills. Standard tariff gives the utility (or hacker) the kill-switch ability and if you want a reliable supply, you have to pay a more expensive tariff. And for 'times of high demand', substitute 'in times of low wind'. I'm also betting utilities will accept zero liability for any damage to devices caused by remote cycling.

        But the existing network already has some vulnerability to hacking or fraud, eg the good'ol radio teleswitches.

    2. Anonymous Coward
      Grenade

      energy is not an unlimited resource

      so rationing is essential.

      1. Intractable Potsherd
        WTF?

        But...

        ... it has been an *effectively* unlimited resource until now,** and there is no reason it shouldn't remain so, except that power companies can leverage "shortages" to make obscene profits. Power generation and supply should be in the hands of governments, not companies.

        ** I am, of course, talking about locally - the universe, if it is infinite, has infinite energy. If it isn't, it doesn't really matter no, and we can treat it as if it is.

  22. Anonymous Coward
    Anonymous Coward

    Err...

    1) You've already reported this.

    2) Isn't the whole point of this sort of meter that they are going to be on a private network isolated from any publicly available networks?

    1. KevinLewis
      Stop

      Gary McKinnon

      Guess that's what Nasa thought until Gary McKinnon came along and whoops...

      Don't tell Gary that there's UFO evidence in the meters....

    2. Captain Thyratron

      Isolated?

      Isolated 'til Joe Hacker brings a shovel, a wire stripper, and a laptop, sure.

      1. Anonymous Coward
        Anonymous Coward

        Generic title

        @Captain Thyratron - The network would be encrypted, even if you can get connected to the network, and it's really not that simple stripping a live 3phase cable which is laid in the ground (just look at the amount of dead copper thives) you aren't going to be able to read or write data to the network. In the highly unlikely event that someone did crack the encryption, go undetected connecting to the mains cabling, not get killed in doing so and manage to switch off some meters, the maximum they'd be able to switch off would be the amount of homes connected to the local sub station. Grid monitoring would pick this up and they'd send someone out to fix it.

        @Kevin - NASA's systems that were 'hacked' by Gary McKinnon were public network attached non-passworded systems, there is no paralell here.

  23. Sam Liddicott

    8 Billion

    "Utilities welcome the move because it will greatly simplify the process of collecting meter reading and controlling supply at times of high demand. As an added bonus the technology also makes it easier to switch subscribers to new (higher) tariffs if they persistently fail to pay their bill on time."

    And that is really 8 billion pounds worth of benefit?

    And what does "controlling supply at times of high demand" mean? I guess it means cut me off and not the hospital, I hope I get a months refund every time they do that to me.

  24. Campbell
    WTF?

    Refuse

    Can we legally refuse these new meters?

    1. Anonymous Coward
      Anonymous Coward

      No

      The meter is the property of the electricity distributor, it isn't your property so they can pretty much do with it as they choose. Excepting that they are required to give you notice of disruption to your supply.

      Furthermore they are legally required to replace your meter every few years. So even if you did manage to hold out for a short while you would be legally required to let them change the meter when it got to the end of it's life.

      You'll probably find a clause in your contract saying they have the right to cut you off should you refuse access to the meter. You'd certainly find that clause if I were supplying your electricity. ;)

      1. william henderson 1
        Happy

        every few years?!!

        I've lived in my house for 49 years,i am on my third meter, so i can hold out for a bit then.

    2. Anonymous Coward
      Anonymous Coward

      Re: Refuse

      Sure, but you'll have to live "off grid" then. :)

    3. Anonymous Coward
      Anonymous Coward

      no need

      I plan on "never being in" when they get rolled out to my area. pretty sure they aren't allowed to break in to install them.

      1. Anonymous Coward
        Stop

        Re: Not allowed to break-in...

        Actually yes they are. So are the gas people. Funny ol' world innit?

  25. Lionel Baden

    well

    I cant get a signal for shit where i live

    But even if i could get a signal i wouldnt want one of these near my fucking supply

    Case in point

    Switch to new provider they mix up day night rates the first quarter = £1700 (normal £350)

    They demand the money i say Fuck off

    they threaten to cut me off i state you cannot i have small children and you are not following up the case i have argued you have ignored it and still demand the money

    They then have the cheek to ask me to pay the bill and then when it gets resolved they will pay it back (like Fuck)

    resolved and it turns out that i owed them around £220

    With smart meter they would of just demanded the money and just cut me off without

  26. TWB

    @Andy Mc

    I don't see why it has to be wireless and even if it was why one of the current standards - it could be a closed proprietary system.

    Also if it is all done in the electricity meter, why not contain everything in there like is currently done with the rolling dials - provide no way into the device except via the power line or those allowed to do so - tampering with an electricity meter you'll end up in jail (I know an idiot who did) - who is going to have a powerline-data interface in their kitbag and why would it use IP or other well know network protocols?

    I suspect I am still naive but I also think it is not impossible to make a secure-enough system - semtexing (sp?) a substation would be much easier thank a hack shurely?...

    1. hplasm
      Boffin

      Well-

      In my kitbag I would have a similar meter, hacked up with a 13Aplug on one end and a USB socket sticking out of a hole in the back.

      If I was in that line of er, work.

      I would also know all about the protocols etc, as I would probably have been involved with the internals of such meters at some point.

      It's not Rocket Science- unless you get across two phases...

    2. John Smith 19 Gold badge
      Coat

      @TWB

      "I don't see why it has to be wireless and even if it was why one of the current standards - it could be a closed proprietary system."

      Cost. As to *your* approach Google the phrase "Security by obscurity."

      "who is going to have a powerline-data interface in their kitbag and why would it use IP or other well know network protocols?""They will *almost* certainly have a GSM receiver and Wireshark or similar to handle the protocol dissection. If they are *that* interested they *will* have a power line interface. BTW the "interface" can be as simple as a 1M Ohm resistor wired into a pin of a microcontroller. A lot of power electronics work consists of making *very* sure you fingers cannot *ever* touch one of the bits at full mains.

      "why would it use IP or other well know network protocols?"

      Cost and time to market. Which is why the UK roll out will *probably* use most of the same (demonstrated insecure) meters rolled out in the US.

      "I suspect I am still naive"

      You are.

      " but I also think it is not impossible to make a secure-enough system - s"

      Impossible. No. Difficult and involving a lot more hard work than the makers have so far shown themselves *willing* to do so, yes.

      Mine will have the copy of the PIC application notes in the oversize side pocket.

  27. Anonymous Coward
    Anonymous Coward

    no more meter readers then?

    so in the future some people of lesser means will simply bypass the meter knowing that no one will ever come around and see the electricity being stolen.

    no doubt the bills will go up to compensate, so the number of thefts go up etc etc

    I wonder if there's a way you can inject static into the wires to disrupt the comms? When I was doing city and guild electronics in the 80s we were switching the streets lights on and off over the mains, so the technology has been around for ages

  28. Anonymous Coward
    Welcome

    Not again

    Great, new meters again. I look forward to another £800 bill because some twat can't type the previous meter reading into the right box.

  29. This post has been deleted by its author

  30. Anonymous Coward
    Alert

    This ain't a new threat

    back in the day (about 8 years ago) I heard a horror story of a fairly big UK utility using SNMP to control their grid switches. Default Public Private community strings using real routable IP addresses and firewall acls set to any any.

    Things have improved a little since then, least not cisco's new range of hardened routers and switches that can cope with 11kVsurges.

    Anyway WTF has this got to do with smart meters?

  31. Anonymous Coward
    Anonymous Coward

    I do love an unfounded security scare

    I don't suppose the unhackable security system exists, but assuming that something is not secure simply because it is an electronic system is a complete nonsense. He doesn't even know yet what standard is going to be adopted, but he's already rubbishing it. Here's a man looking for publicity and a few radio talk show fees, he's a shoo in for the Jeremy Vine show and I'm sure the Daily Fail will pay him for an interview. Or maybe he was turned down for a job on the project?

    Anyhoo it's not like our electrical distribution system isn't particularly secure anyway. The usual outdoor meter in a wall box is particularly insecure, but then substations aren't secure either. All you need is an old bike, just so long as you remember you're only supposed to blow the bloody doors off. Ahem.

    The current system of putting the meter in a box outside your house is particularly prone to interference. The official line is that they put them there so they can read your meter without having to bother you. However it's really so they can cut off your supply without having to get into your house. This is prone to tampering, I know plenty of people who have had their electricity supply switched off for a prank. It was a common mischief night and trick or treat prank a few years ago. OK so it's fairly easy to spot what's happened, but it can be done to your gas meter almost invisibly. In order to cut off your supply the supplier shuts off the tap, unscrews the pipe on the property side and inserts a cap (a metal disk) and screws the pipe back on. Vandals have been known to pull the same trick, but flicking the tap back on afterwards so it looks like the supply is on.

    It would be nice to think they would move meters back into houses when they introduce smart meters, but they probably won't.

    1. Captain Thyratron

      It's not that it's electronic.

      The problem isn't that it's electronic. The problem is that it's on a network that is necessarily no further than a few meters from the fingers of tens of millions of people, and that it creates a /massive/ incentive for somebody to figure out a way to break into that network.

      It is a ubiquitous, physically indefensible, extremely high-value target. Is it not wiser to avoid this situation altogether than to try to solve an expensive and ultimately insoluble problem that doesn't need to exist?

  32. Paul 139
    Thumb Up

    One step closer ...

    .. to being able to send a surge of power through the keyboard of that 'tard who truly deserves it.

  33. Anonymous John

    Title

    Will I be able to hack my own meter? And get paid for the 50Mw/H I feed into the National Grid?

  34. Dork Lard
    WTF?

    Why can't meters just meter?

    Surely most of the gains from remote metering will be had just from the metering/billing part of the program.

    Unless the idea is to run the country with power cuts as a normal part of the service there should be little need to cut off anyone's energy supply; don't they currently need a court order of some kind to do this at the moment?

    The solution has to be that Parliament acts to clearly legislate what remote metering can do (i.e. say they can't have the capability to remotely disconnect users). The national security aspects of this should be reason enough to act (or maybe the government likes the idea of a remote kill-switch - hypothermia is one way of cutting the pensions deficit).

  35. Robert Carnegie Silver badge

    I think this must be mainly about meters on the infrastructure?

    Not meters in homes - which, as some are saying, are unlikely to be able to disable the domestic supply.

    The infrastructure, however, needs to be able to switch around where electricity is coming from, and to pay for it. There is an argument for both of those functions to be remote controlled.

  36. Anonymous Coward
    Grenade

    utilities typically have legal right of access

    "pretty sure they aren't allowed to break in to install them."

    Betcha they either are already or will be by the time it happens.

  37. JaitcH
    Pint

    All it takes are three ferrite toroids

    Ontario, Canada has switched to these interactive meters.

    Toroids placed around each feed, including the neutral, should happily isolate your meter. Some systems are using a Wimax system, bit shielding will defeat these weak signals.

    The upside is they will have to keep on employing meter readers!

    1. Anonymous Coward
      Anonymous Coward

      Although

      The down side is you can get sent to prison for tampering with a public utility.

  38. GettinSadda
    Alert

    It seems quite possible!

    These devices seem to be less secure than the average PC - so things need to be sorted!

    http://www.smartmeters.com/the-news/893-security-firm-reveals-smart-meters-vulnerability.html

    What would happen if someone gained access to the system via some sort of hack, and instead of making a nuisance of themselves and drawing attention, they simply set off a script to turn off every meter, one-by-one as fast as they can. How long do you think it would take before enough load had been removed that the oversupply would cause serious long-term damage to the network? I would guess between 5 and 15 minutes.

  39. Anonymous Coward
    Thumb Up

    for what it's worth at least one of these meters is well secured.

    I worked on one of these smart meters for a previous employer.

    The smart meter hardware was not accessible from outside the fusebox (inductively powered).

    The meter encrypted all data with 256-AES as a block cypher (i won't disclose the stream cypher built around it, but suffice to say it's an encrypted-authenticated protocol) prior to broadcasting to a USB dongle attached to

    the user's pc.

    This encypted data was passed to the electric company servers, decrypted there and

    the data used for graph generation and peak usage analysis.

    The cypto protocols were designed by a proper cryptographer at a truly eye watering daily rate.

    Key points.

    1) you can't shut the thing off remotely as you can't communicate with the meter directly.

    2) all data is encrypted between meter -> dongle -> server

    3) the key on the meter's only help you with that meter and don't help you touch any other meters.

    4) no keys are stored on the dongle and the meter key is burned in at manufacture time.

    5) the protocol between the server and the meter had some nice safeguards built in so someone trying to hijack an established connection would fail, hard causing that meter to be flagged.

    6) the meter itself is an embedded board(no external connections), so in short unless you remove your own meter, reverse engineer it to derive the key *AND* somehow break into the server with the master keys, all you have is a really rather useless meter that will be spotted next time you try to connect to the server.

    @AC 15:55

    Professor Anderson is quite well known in crypto circles, I suggest you google him prior to gobbing off about him trying to get publicity.

    1. Jellied Eel Silver badge
      FAIL

      Rental?

      Cool. so how much can we charge the utility for use of our PC's or USB port rental, and by relying on customer's PC's, what risks/vulnerabilities does that add? Presumably there are PC, Mac, Linux, PS3, Xbox versions of any dongle->net code as well?

      Pretty neat if installation requirements for a new leccy meter include a PC and 'net connection.

      1. Anonymous Coward
        Anonymous Coward

        Re Rental

        Not quite, nominally the idea is that the meter is supposed to help you workout if you can save electric, but really the thing is just a method for working out that a particular electric signal is a fridge and not a telly, so you can more accurately model the usage profile of different times of day and adjust accordingly (you as a punter, not so much the electric company).

        As a punter, your bill will be more accurate but other then that, I couldn't really see any huge benefit to the punter for having one, no downside either really).

        The Net and PC combo is only if you want the pretty graphs as a user, the meter itself doesn't require an active connection, it just broadcasts encrypted data when ever a suitable dongle is in range.

        Sed

        Meter reading becomes, as simple as turn up to premises with laptop and 3gdongle with spare usb port.

        Insert dongle, wait a couple of seconds to grab the usage data and off you go, not much different from just looking at the numbers on screen.

        Given I wrote the code myself, I'm quite sure that the code only exists in my former employers git repo.

        About the only thing from that board that is available to anyone other then the manufacture is the AES implementation and fat lot of good that will do you.

        As for Mac/Nix etc version of the dongle code, no you have to log on to the website and *choose* to upload the data.

        Of course there are many versions of low power short range comms over usb out on the market but, it doesn't matter as the dongle itself doesn't forward the data, its just a passive consumer bit like a oyster card reader.

  40. karl 15
    Unhappy

    Greed greed and more greed

    "the technology also makes it easier to switch subscribers to new (higher) tariffs if they persistently fail to pay their bill on time."

    So low income families who struggle to pay the bill on time have to pay more in the end.

    This is just a way for the greedy bastards to make more money from people who can't afford to live.

    The well off get a tummy rub, the poor get a kicking

    1. John Smith 19 Gold badge
      Happy

      @karl 15

      "So low income families who struggle to pay the bill on time have to pay more in the end."

      In the UK this *already* happens if they use a card payment meter. The card tariff is *roughly* 100% higher per unit than bank payment accounts. Electricity companies explain this is because of the higher logistics costs and "Risk" of non payment.

      It is potentially a *very* good deal for electricity companies with very *unclear* benefits to the UK consumer.

  41. redtek

    Too late for us

    It just so happens that I talked to one of the fine people from SDG&E (our local utility company) who is installing the meters in our area. The utility has not done any testing that I am aware of but if you refuse installation of the new meter they will just cut your old meter and take it away leaving you without any juice.

    There is of course the upside for the utility company. The old analog meters tend to not report correctly in some cases since the motors get sluggish after a certain number of years. The customer gets a nice shock when there higher power bill shows up in the mail.

  42. Wile E. Veteran
    Thumb Up

    No problem so far here

    I have a split supply, one branch for my air conditioning unit and the other for the rest of the house. The meter for the A/C is a so called "smart" meter and my contract with the power company gives me a nice discount in exchange for permission to shut off my A/C for 10 minutes (maximum) per hour when the total system load on the grid exceeds some threshold. Who gets shut off is done on a round-robin basis.

    I've had this set-up for 12 years with no problems.

  43. Anonymous Coward
    Alert

    sleep tight

    Hopefully this is just for the electric - turning the gas supply off & on again, by accident or intent, is not quite the same thing...

    1. John Smith 19 Gold badge
      Thumb Down

      AC@06:59

      "Hopefully this is just for the electric "

      Go on hoping.

      It's true electronic gas meters are *less* accurate than their mechanical counterparts and despite running at least 5 years companies are phasing them out due to having to send a guy around every 5 years to replace the battery.

      Meanwhile in the UK utility companies are installing remote reading *water* meters. they seem to use an outside plate which acts as either an aerial or power connector.

      Logic says gas companies *will* want to find some way to do this. My guess would be some kine of absolute reading passive accumulating sensor which can be periodically powered up like an RFID tag or a miniature fuel cell (gas safety issues I know, needing to keep the air supply *absolutely* separate from the gas while venting the wast products).

      Note the water meter does not AFAIK have a remote cut off feature. Likewise a remote gas cut-off would need some muscle in the power supply to drive a valve shut or open it again *unless* it was a one shot, needs-a-gas-fitter-to-come-out-and-reset-it deal.

      Looks like whatever the utility lobbyists bunged that Labor peer to get this included in the bill was money *very* well spent.

  44. peter_dtm
    Pirate

    Oh !

    All those nice anti-capitlists will no doubt set the tarif to FREE !

    No, they'll never work that out,

  45. GKLR

    Nice for people who want to nick power

    Some in Australia are playing with these meters too. Generally if you get a smart meter you get a higher power bill. You see you get charged more during 'peak' periods. Apparently whenever the average family are getting a hot meal is a peak period..

    Still if you have a meter reporting power consumption via a separate data channel and you want to steal power hacking the meter or spoofing its data channel might be easier (and a lot safer) than hardwiring around an old meter...

    As to securing the system from remote - i.e. via the Internet - attack. Why would you connect a presumably closed network of electricity meters to the general Internet unless you were a total idiot?

  46. david 12 Silver badge

    Not so modern as you think

    My elderly mother has a Smart Meter here in Melbourne Vic, Aus. So perhaps London isn't so far in advance of the rest of the world as you would like to imagine.

  47. Tigra 07
    Welcome

    What next?

    We've had warnings about hacking implants, cars and now smart meters...

    Maybe vacuum cleaners will be next?

    I for one welcome our shiny, height impared, noodle-eating chinese hacker overlords

  48. A J Stiles
    FAIL

    And it's not even what would really be the best option

    Smart meters are solving the wrong problem anyway.

    Many people could generate a portion of their electricity requirement themselves from solar panels, wind turbines or micro-CHP (if an engine turns 3/4 of the fuel into heat and 1/4 into electricity, then why not use it as a boiler?) However, the present system actively discourages this.

    "Feed-in tariffs" mean that if you have a big enough home generation installation including an expensive grid-tied inverter, you can sell any surplus electricity you generate.

    But if you were to install something more modest -- perhaps covering just 50% of your needs, which would still represent a worthwhile reduction in the amount of fossil fuel consumed -- you would still have to pay a standing charge for the privilege of maintaining the wires to your home, just so you could fall back on the public grid when your own storage batteries were flat, or if you needed to run a more powerful appliance than your inverter could cope with.

    The electricity companies need to be made (because they're hardly likely to cut off a revenue stream of their own accord) to offer a tariff with no standing charge to consumers who generate some of their own.

    1. John Smith 19 Gold badge
      Thumb Up

      @A.J. Stiles

      "The electricity companies need to be made (because they're hardly likely to cut off a revenue stream of their own accord) to offer a tariff with no standing charge to consumers who generate some of their own."

      Excellent point. UK Electricity and gas are *highly* regulated markets. A fairly modest change in T&C's could have a *huge* impact on the overall viability of *lots* of schemes.

      More to the point they would start developers thinking about designing in some features from the *start*. Ground and air source heat pumps, solar cells, shared facilities like anaerobic digesters and wind turbines of a decent size are *all* better installed wholesale

      The devil is in the detail.

  49. Anonymous Coward
    Anonymous Coward

    IOactive: Zero Credibility

    Sorry, but I see IOactive attached to far too many stories where they are screaming "the sky is falling, only IOActive can help!" This smart meter issue has been way blown out of proportion. The hacks are all just proofs of concept. There is no evidence whatsoever that these attacks are happening in the wild or even could. NONE of these reports has done a test in a real environment. It is all lab testing with controlled conditions.

    In other words, its just FUD.

    1. John Smith 19 Gold badge
      Troll

      AC@15:57

      Well it's good to hear the voice of authority on this matter. I had no idea...

      And you are?

  50. Alan Lewis 1

    is it really about metering?

    Perhaps the devil is in the detail, the comment about "managing demand at peak times". A couple of years ago there were news stories that projections suggested that the UK would face an energy shortage around 2015, when a number of nuclear power stations would be decommissioned.

    As a country, we haven't addressed that yet. And it would appear that the utility companies are not prepared to crash build several new fossil powered stations, and neither administration was/is prepared to invest in nuclear (Labour ran down and then disbanded our expertise in nuclear technology, iirc, in 2005?).

    It would not suprise me if the real driver behind remote meters is to micro-manage the supply to consumers and/or areas. For example, rather then cut all power to a given post code are (or sub-station footprint), to 'throttle' the power available to consumers in a given area, to throttle/cut-off power to a given consumer profile, or to throttle/cut-off power to residential customers only.

This topic is closed for new posts.