Smart electricity meters, of which there are more than 100 million installed around the world, are frequently “dangerously insecure”, a security expert has said.
If a hacker took control of a smart meter they would be able to know “exactly when and how much electricity you’re using”, according to Netanel Rubin, co-founder of the security firm Vaultra. An attacker could also see whether a home had any expensive electronics.
“He can do billing fraud, setting your bill to whatever he likes … The scary thing is if you think about the power they have over your electricity. He will have power over all of your smart devices connected to the electricity. This will have more severe consequences: imagine you woke up to find you’d been robbed by a burglar who didn’t have to break in.”
Rubin said many of the warnings were not hypothetical. In 2009 Puerto Rican smart meters were hacked en masse, leading to widespread billing fraud, and in 2015 a house fire in Ontario was traced back to a faulty smart meter, although hacking was not implicated in that.
“But even if you don’t have smart devices, you are still at risk. An attacker who controls the meter also controls the meter’s software, allowing him to cause it to literally explode.”
Other weak security decisions made by vendors include:
- Encryption keys derived from short (often just six-character) device names.
- Pairing standards with no authentication required, allowing an attacker to simply ask the smart meter to join the network and receive keys in return.
- Hardcoded credentials, allowing administrator access with passwords as simple and guessable as the vendor’s name.
- Code simplified to work on low-power devices that skips important checks, so that nothing more than a long communication can crash the device.
“These security problems are not going to just go away,” Rubin said. “On the contrary, we are going to see a sharp increase in hacking attempts. Yet most utilities are not even monitoring their network, let alone the smart meters. Utilities have to understand that with great power comes great responsibility.”
A spokesperson for the UK government’s department of Business, Energy and Industrial Strategy said: “Robust security controls are in place across the end-to-end smart metering system and all devices must be independently assessed by an expert security organisation, irrespective of their country of origin.”
More information on this story can be found on The Guardian website.