Money from the United States' stimulus package is flowing into the energy industry, in part to improve the infrastructure for delivering electricity by adding "smart meters" to homes. But security researchers say the dollars are flowing too fast, without enough attention to security.
Mike Davis, a senior security consultant at the Seattle-based security research company IOActive, tested several varieties of the new meters and presented some of his findings yesterday at Black Hat, a computer-security conference in Las Vegas.
Davis explains that smart meters contain a radio chip and mesh networking software that enable them to automatically report customers' energy use, automatically update the software running the devices, and have remote controls that allow a utility to shut off a customers' electricity over the network. Previously, meters have been able to report energy use wirelessly, but it required using a short-range signal that could be picked up from a utility company vehicle as it drove by. The new meters are more automated, and could operate with less human intervention, Davis says.
With the influx of stimulus dollars, Davis says, a lot of companies have huge lists of features they want to add to the meters. There is also a high level of competition between manufacturers so products are being rushed to market, he says.
Of particular concern to Davis are commands that allow remote control over consumers' meters. Though individuals have long tried to hack into their meters to save themselves a few dollars, the results of remote control could have a broader effect. "This generation of smart meters is probably not mature enough to handle the remote disconnect feature," he says.
Though Davis is not at liberty to disclose what brands of meters he tested, he says that, for one brand, he was able to design a worm that he could install in one meter and propagate through the network. In simulations, Davis calculated that, in a region where 100 percent of homes have a smart meter installed, the worm could infect some 15,000 meters in the span of 24 hours. Once the worm spreads, an attacker could use it to give commands to the infected meters such as to shut down.
Davis says all the meters he has tested have security flaws that need further examination before the devices are widely deployed. "Cleaning up from a compromise is going to be expensive and slow," he says, and it's better to fix as much as possible before that happens.
Davis is not the only one investigating the security of smart meters. Security researcher Travis Goodspeed also presented at Black Hat his attacks on some of the chips that typically go into smart meters (Goodspeed specializes in chips that use the Zigbee protocol, a communications protocol that's typically used for the low-power digital radios found in smart meters). Goodspeed believes that the chips need more work. "The Zigbee chips presently available are not secure against a local attack," Goodspeed says, meaning that, if an attacker can get access to a device, he believes the attacker can compromise it.
Davis believes better security is possible on the devices. For example, he suggested that the meters themselves could be programmed to detect and report anomalies in the network. In his talk, Davis said, "Customers need to pressure their utilities to make conservative choices when it comes to the security of their meters."