Rubin at CC3C

Most smart meters that are installed, or are soon to be installed, in hundreds of millions of homes around the world are woefully insecure and can be easily hacked by a remote attacker to alter energy consumption levels, hack other smart devices in the user's home, or even cause the meter to explode.

These are the findings of Netanel Rubin, a researcher with Vaultra, a security firm specialized in smart device security. Rubin presented his findings at the 33rd Chaos Communication Congress held last week in Germany.

Governments pushed for smart grids but got dumb meters instead

In his presentation, available at the end of this article in video format, Rubin paints a grim picture in which governments around the world, in an effort to reduce energy consumption, have adopted legislation that pushes smart meters into the homes of millions of people.

Because of the push to make energy grids "smarter," there's now a need for smart meters, with more than 60 different smart meter manufacturers more than happy to provide products to energy companies across the world.

Unfortunately, as is the case in any competitive market, these smart meter vendors are cutting corners in order to deliver the cheapest and most feature-rich products, often sacrificing device security measures to do so.

Rubin says that most smart meters available on the market today are woefully insecure, mainly by the vendor's design choice.


Smart meters use GSM to talk to the energy provider, and ZigBee to connect to the user's home network and let the user inspect their energy consumption levels. The problem is that both protocols have been known to be vulnerable for years.

Attackers could very easily spoof GSM communications and control smart meters across a city. This is possible because GSM does not support encryption, allowing a determined attacker an avenue to hack smart cities.

Energy vendors fail to secure their smart meter networks

In the cases where GSM is replaced with the combination of GPRS and A5 protocols, Rubin says that this is still not enough, as both protocols could be brute-forced, and the attacker can get hold of the encryption key with ease.

Even worse, Rubin says, is that in cases he analyzed, most power grid companies use the same encryption key for all smart meters across a city. An attacker that manages to hack one smart meter could very easily escalate his access to all smart meters belonging to that energy provider.

This is also possible, as Rubin explained to the audience, because energy vendors also fail to segment their networks, managing their customers in one giant LAN.

And if that wasn't enough, energy companies also don't monitor their smart meter network for attacks, meaning an intruder could go undetected for days, weeks, or months.


At the customer level, Rubin also says that smart meters are a gateway for cyber-attacks. The main reason, he says, is the ZigBee protocol.

Because there are no official government-issued standards in most countries, smart meter vendors are left on their own to decide how to secure their devices.

Smart meter vendors are also guilty of negligence

Since the ZigBee standard is loosely regulated and because there are about 15 different versions of this protocol, smart meter vendors pick and choose what features to implement.

In most cases, they choose the ones that take up the fewest resources on their devices, or strip security features out of the protocol, to cut down on the functions they need to embed in the smart meter's firmware.

This inadequate hack job has left smart meters open to trivial attacks. For example, a remote attacker could query the smart meter and ask whether they can join the meter's network (which is the customer's home network).

In this case, Rubin explains, smart meters would dish out the network secret key to anyone asking, allowing an attacker to connect to the user's network without any form of authentication.

Once an attacker has joined the user's home network, it's game over. The attacker could impersonate any device on that network, or send commands to those devices, such as to open doors protected by smart locks, alter heating system settings, control smart ovens, and more.


But a loudmouth smart meter wasn't the only problem Rubin discovered. Additionally, the security expert says that these devices have very faulty firmware.

This is because developers often minimize the smart meter's firmware and in most cases skip security-related checks in their code, leaving many open holes that could be exploited.

While memory buffer overflows allow attackers to take over the smart meter, Rubin says that there's no need for someone to mount such a complex and time-consuming attack.

"A simple segmentation fault will crash the meter, causing an electricity shutdown at the premise," Rubin said. "On top of that, some crashes will actually cause this [shows a picture of a burned down house, seen below]. So, all you have to do in order to burn someone's house down is send a very long header string."
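The class of bug Rubin describes, shown as an added example that is not code from the talk or from any meter firmware: a constructed C model in which a header field sits directly beside a control byte, with the unchecked copy next to its bounded replacement. The struct layout, sizes and field names are assumptions made for this demo.

```c
#include <stdint.h>
#include <string.h>

#define HDR_MAX 16  /* header field size chosen for this demo (assumption) */

/* Constructed model of a meter's frame state: the header buffer sits directly
 * before a control byte, as it might in a packed firmware struct. */
struct meter_frame {
    char    header[HDR_MAX];
    uint8_t relay_closed;   /* 1 = supply on; clobbered if header[] overflows */
};

/* Insecure: copies the incoming header with no length check. The copy is
 * clamped to sizeof(*f) only so this demo stays within defined behaviour;
 * real firmware with an unchecked copy writes past the struct entirely. */
int parse_header_unchecked(struct meter_frame *f, const char *in, size_t len)
{
    size_t n = len < sizeof(*f) ? len : sizeof(*f);
    memcpy((char *)f, in, n);   /* runs past header[] when len > HDR_MAX */
    return 0;
}

/* Hardened: rejects any header that does not fit, leaving state untouched. */
int parse_header_checked(struct meter_frame *f, const char *in, size_t len)
{
    if (len >= HDR_MAX)         /* keep room for the terminator */
        return -1;
    memcpy(f->header, in, len);
    f->header[len] = '\0';
    return 0;
}

/* Feeds one input to a parser; returns 1 if relay_closed survived intact. */
int relay_intact_after(int (*parse)(struct meter_frame *, const char *, size_t),
                       const char *in, size_t len)
{
    struct meter_frame f;
    memset(&f, 0, sizeof f);
    f.relay_closed = 1;
    parse(&f, in, len);
    return f.relay_closed == 1;
}

/* Builds a constructed oversize header and runs it through either parser. */
int relay_intact_with_long_header(int use_checked)
{
    char longhdr[HDR_MAX + 8];
    memset(longhdr, 'A', sizeof longhdr);
    return relay_intact_after(use_checked ? parse_header_checked
                                          : parse_header_unchecked,
                              longhdr, sizeof longhdr);
}
```

With the unchecked parser the oversize header silently overwrites the adjacent control byte; the checked parser returns an error and the meter's state is unchanged.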

Rubin at CC3C

These are only a few of the many issues Rubin presented. Together they add up to a quite worrying smart meter attack surface.


As with other IoT devices, the problem lies with uninterested and unscrupulous vendors, but also with governments around the world, which have failed to put regulation in place even after security researchers have warned about insecure Internet of Things for more than a decade.

But this won't change anytime soon, not until some NSA, Chinese, or Russian hacker crashes the energy grid in a city of ten million people or more, and everyone understands the dangers they are exposing themselves to.