Smart Meter Hacks

Brian Krebs writes about smart meter hacks:

But it appears that some of these meters are smarter than others in their ability to deter hackers and block unauthorized modifications. The FBI warns that insiders and individuals with only a moderate level of computer knowledge are likely able to compromise meters with low-cost tools and software readily available on the Internet.

Sometime in 2009, an electric utility in Puerto Rico asked the FBI to help it investigate widespread incidents of power thefts that it believed was related to its smart meter deployment. In May 2010, the bureau distributed an intelligence alert about its findings to select industry personnel and law enforcement officials.

Citing confidential sources, the FBI said it believes former employees of the meter manufacturer and employees of the utility were altering the meters in exchange for cash and training others to do so. "These individuals are charging $300 to $1,000 to reprogram residential meters, and about $3,000 to reprogram commercial meters," the alert states.

The FBI believes that miscreants hacked into the smart meters using an optical converter device ­- such as an infrared light ­- connected to a laptop that allows the smart meter to communicate with the computer. After making that connection, the thieves changed the settings for recording power consumption using software that can be downloaded from the Internet.

Posted on April 19, 2012 at 5:52 AM • 33 Comments

Comments

wiredogApril 19, 2012 6:24 AM

another method of attacking the meters involves placing a strong magnet on the devices, which causes it to stop measuring usage
That is an indication of a pretty dumb meter… I mean, really, a magnet?

JurgenApril 19, 2012 7:00 AM

(@wiredog) Isn't this typical of an arms' race, that sometimes, we see a flip to the roots again? Reminds me of the 'stealth' bombers that coalition forces deployed over Iraq. Invisible 'even' to the most sphisticated radars, but clearly visible with the crappy decades old stuff the Russians had stored just in case behind the Ural. Fifties radars beat eighties SotA technology.
Same here ..? Bruce, is this a studied pattern ..?

Peter A.April 19, 2012 7:10 AM

@wiredog - I've seen several "electronic" meters installed recently in Poland (I have no idea how "smart" are they), but not very close - only through a round glass window in a installation box. Besides having an LCD display and a red flashing diode they seem like based on the old patent of aluminum disc revolving in the magnetic field of a coil, only smaller. So a magnet would presumably work as on the bulky old analog meters, unless there's some countermeasure or intrusion detection added.

RobertTApril 19, 2012 8:00 AM

Does anyone know who's meters they are talking about? I dont keep up with the US smart meter market, although I thought the measurement method sounded like it used Analog Devices smart meter chips.

Does anyone know for certain which meter maker and which chipset they are talking about?

gebiApril 19, 2012 8:11 AM

There are also "overly"-smartmerters which bill the maximum possible if they detect an attack.
BUT... if you sent power to the grid with your solar panels they will also bill the grid the maximum possible expense if they detect tampering :D!

gebiApril 19, 2012 8:21 AM

Not to mention that in austria those smartmeters use an "interesting" protocol for management...
They simply have instructions to read and write directly into the flash and that's also how firmware upgrades are rolled out over the power line.
But there are much more valuable information stored than the firmware, notable the calibration values for the actual measurement unit.
If you change those values, and you can change that with a simple device hooked up to your power line for the whole power distribution sector, the company using those smart-meters is in severe trouble.

Nick PApril 19, 2012 8:32 AM

Already hit that one. My comment was nicely up-voted. That's unusual: too many voting trolls on that blog.

AnonymouseApril 19, 2012 9:26 AM

"The FBI believes that miscreants hacked into the smart meters using an optical converter device ­- such as an infrared light ­- connected to a laptop"

Perhaps they mean the $5 IR to USB dongles that can be purchased online? It is interesting that in these stories the most common devices are made to sound sinister and evil, as though their only use is for trouble-making.

AnonymouseApril 19, 2012 9:28 AM

Perhaps "sinister and evil" was too strong. "Questionable" may be a better choice of word(s).

GweihirApril 19, 2012 9:34 AM

No! No! That is not the $5 dongle! That is the $5 dongle re-branded as hi-tech hacking device and sold for $200! Obviously that is far more dangerous, as anybody can immediately see.

There are even rumors (well, just started by me) that some of these ueber-hackers wired their own device! That means WIRES! Just add Explosives and a detonator and you have a BOMB!

Seriously, I expect these things have an IrDA interface and no security at all. Likely no security evaluation was ever done and the risk evaluation was something along the lines: "We do not think there is a problem". Very low amateur level, indeed.

karrdeApril 19, 2012 9:34 AM

@wiredog,

After a little web-searching, I found a strange-looking blog that discussed methods of stealing from metered utilities.

Most of the methods of theft are footnoted with a statement that they are illegal, and raise the cost of the utility for every user. Also, the methods used are hard to hide from the company if the meter is regularly visited by a meter-reader.

It appears that the magnet-on-the-meter trick is among those methods of theft. (Other methods of stealing electricity involve modifications of the meter mechanism itself, or modifications to the wiring on the mechanism. Again, each of these is usually detectable with a cursory inspection of the meter site, assuming that the meter was mounted/sealed in a predictable way by the utility company.)

Do these problems with smart-meters begin with the fact that they are not regularly visited by the utility company's meter-readers?

If so, then this places the security question in a very different context. The utility company is talking about changing the security environment from a situation that assumes regular visits by utility company employees into a situation which assumes that such visits are rare.

The problem isn't the security of meter design, but the level of human effort surrounding the meter installation/maintenance/reading.

old curmudgeonApril 19, 2012 10:19 AM

Does this mean that a way could be developed to block and or spoof the data collection capabilities of the meter without anything that would effect the metering and fee-charging abilities of the meter? It would be great fun to introduce garbage into the data snooping function of the meter. I don't see how that could be considered criminal, though today who knows. There are over 25,000 Federal felonies counting regulatory listings.

MikeApril 19, 2012 11:38 AM

It's not quite a normal LED/IR to serial port. They are 'special', but in a 1970's style way. Almost all meters have them, and it's not hard to read-only data from most of them. Just like walking by the meter and looking at the display. The newer meters require meter specific encryption keys and special software to read and/or write data.
This is not a technology failure as much as it is a people failure. The human vector is the easiest attack vector.

Hacking a meter, dumb or smart, is a short term gain in most cases. The utility usually finds them eventually. When a system is unbalanced past the normal technical losses, they go looking. The first step is usually by comparing upstream meters on feeders with the total consumption billed below that parent/upstream meter. A little comparison of historical usage and billing with current usage and billing quickly identifies the most probable cause. Then it just takes a little inspection.

"Smart meters" are much more secure than electro-mechanical ones, many will detect a strong nearby magnetic field, movement, case tampering... and call home to notify the utility. It's an old crime with some new twists, and lands quite a few people in trouble.


Petréa MitchellApril 19, 2012 11:44 AM

Perhaps they mean the $5 IR to USB dongles that can be purchased online?

Or an older PDA, some of which have both wireless capability and IR ports built in. (One of the more fun applications I've seen for them is as universal remotes.)

Neil in ChicagoApril 19, 2012 12:57 PM

A sensitive, "sealed" device with an IR port? Sort of like those utterly trustworthy electronic voting machines?

Ken (Caffeine Security)April 19, 2012 1:15 PM

While the power companies should be worried about theft, consumers and companies should be more worried about this.

If the meters can be hacked into and calibration settings altered, what's to prevent an attacker from hacking into an individual's or company's meter and adjusting the power settings to double the power consumption? Someone with ill will towards a company could easily increase their operating costs, and I don't see the power company being too concerned about someone calling and complaining that their bill is higher than normal. It would most likely take months, if not years to convince the power company that your meter was maliciously altered, especially if changes to the calibration are made gradually over time.

MikeApril 19, 2012 5:13 PM

You can't change the calibration on most residential digital electric meters, if it's out of whack it's broken and replaced. Most residential units are too cheap to waste time re-calibrating. C&I (Commercial and Industrial) meters are different.

Bruce ClementApril 19, 2012 5:55 PM

Back in the 1970s my father discovered a method for paying the electricity company less money.

He used to wander around turning off unused lights and appliances. What's worse, he corrupted his children by teaching us to use the same scam.

These day's he'd probably be prosecuted.

Nick PApril 19, 2012 6:11 PM

@ bruce clement

Haha. Did he bill them for all the time he put into that? Whose getting ripped off now? :P

Doug CoulterApril 19, 2012 7:48 PM

@BruceC

He's probably safe. I haven't paid a power company a single cent since 1979.
Homesteading, solar power all the way, now I'm even driving an electric car charged from the system, so even big oil doesn't like me.

Sure, the cops have come here a few times, claiming profiling gave them the right to break my doors down with no recompense when I didn't have or wasn't doing what they wanted to find, but that's just a cost of doing business, right?

(I have learned how to not get shot, they act really nervous and over the top)

Some of the excuses are hilarious. When you're pinching pennies, the idea that you might be using solar power to grow pot plants indoors qualifies. The truth is you're short of watt hours to run computers and lighting and refrigeration. 10x that when you're struggling for that minimum is kind of a joke.

And oh yeah, we're talking a 50 acre chunk of land, mixed forest and pasture. Would you grow indoor pot in a place like that?

Authorities just need to check up on you once in awhile to feel all good about stuff. When you effectively defeat all the other ways (i AM security conscious) then they think you're up to something.

I'm reminded of a phrase "If you're not doing anything wrong, what do you have to hide" in this context.

A psychologist might invoke "projection". They know what they'd be doing (!!!). I just don't want to broadcast everything needed to steal from me.

In my case, they tend to realize fairly quick that there's nothing bad at all going on - rather the opposite, and become my friends. But - new guys...

With profiling you have to be careful how it looks to others...extra PITA effort.

DanApril 20, 2012 2:30 AM

The best thing about this story is that this is a great example of that "government information sharing" that is supposed to save us all.

Discovered in 2009 - it takes until mid 2010 for the FBI to tell anyone about it and it's not "public" in any way until mid 2012. Even then - it's a screenshot of one page of a FOUO document.

Gee thanks.

Clive RobinsonApril 20, 2012 6:42 AM

@ Bruce,

I've occassionaly mentioned the UK satirical bi-weekly magazine "Private Eye" as a worthwhile read, esspecialy the "In The Back" section. Well guess what they have mentioned this very smart meter issue in the latest issue.

@ Jurgen,

Isn't this typical of an arms' race, that sometimes, we see a flip to the roots again... ...Same here ..? Bruce, is this a studied pattern ..

It's a very very old pattern and it often involves a gap of about one human generation (15-25years).

The reason is often given as "people failing to learn from history", however it's a bit more complex than that. If you look at IT security it's happening in that the old malware built to exploit initialy floppy disks and later from floppy to hard disk boot sector etc are showing up again. The reason is that removable media has come back into fashion with the likes of USB thumb drives.

So it also requires technology to go in cycles as well as human memory remembering the good but not the bad. Normaly each cycle tends to be an improvment on the previous cycle because the technology whilst improving rapidly over the first couple of cycles usually fairly quickly ceases to make sufficient improvment to open new attack vectors.

Oh and on the purely human terms "con tricks" have followed these cycles just as fashion does...


@ Gweihir, Nick P, RobertT,

Seriously, I expect these things have an XXXX interface and no security at all. Likely no security was something along the lines: "We do not think there is a problem". Very low amateur level indeed.

Ever get that feeling "we've been here before" and "talked it to death already" ;)

Sadly it appears many "engineers" either don't learn or have given up under marketing and managment preasure.

Lets be honest we are seeing "open comms" on a whole variety of very cheap contactless technology and I amongst one or two others have said it's going to be a significant issue for around twice the expected life time of the products.

Smart meters although being very cheap are very expensive to instal (between 30 & 120 times more than the cost of the device) so they are expected to have a +25year life expectancy to break even.

So guess where the Marketing dept and Managment thoughts have gone? yup how to get a tied market selling "add ons", but in order "to get the in" they have to come in at a very low individual unit price. Now the "consumer" of these devices are not the end users but the utility companies. It's not in their interest to get stuck in a "tied market" so they specify certain things in their tender specifications to prevent that.

But the Utilities are only interested in the "utility interface" not the "end user interface". Which has a perverse effect in that some end user interfaces do have "obscurity features" to get the tied in market.

However the utilities are painfully aware that they are likely to buy many manufactures units in order to keep the unit price down, and this would under ordinary market conditions mean they would have to buy many sets of meter reading and programing equipment.

So their solution (from restricted documents I've seen with regards "water meters") is "known plain text protocals" so they can have a seperate market place in reading and programing equipment.

So we are coming around to "common specifications" but only at the lowest possible price, which means no security of any kind not even "obscurity"...

We have seen this all happen with "remote controls" for TV's / Video's / Home Entrtainment systems. So much so that you can buy "universal" or "programable" remotes (hint the electronics in these are compatable with some of the utility meter interfaces and as we know you can by Universal Remote USB dongles and for those with an interest there are Linux drivers).

Now as some of you know I've been banging on about a properly thought out "International Standard" communications protocol with inbuilt security for not just utility meters but for medical implants as well. Importantly with "upgradable" base security protocols so we don't end up having to use 50year old security protocols (remember DES was broken in much less and RSA keys of 700bits or less as well and various hash protocols).

@ Bruce Clemens,

He used to wander around turning off unused lights and appliances. What's worse, he corrupted his children by teaching us to use the same scam

He sounds a lot like the (supposadly) "richest man in Britain" the Duke of Westminster, apparently he has a mania for such behaviour boardering on OCD.

However it needs to be said, that many "low energy" lights actually use less electricity when on than many home appliances in standby...

The problem is then that "switched outlets" are not that reliable, as I've said before many switches and plugs/sockets are only guarenteed for 50-200 operations. The cheaper the design the worse the problem, and beleive me when I say that many UK "switched faceplate" outlet sockets are not going to be upto to many operations.

Oh and this applies to our "in pocket appliances" as well, many people are finding that their nice shiny smart phone with USB charger is not charging to well on micro USB after less than a year, and that they need to use a rubber band or put the phone and lead in "exactly the right place" for it to reliably charge (Motorola appear to be way better on reliability in this respect than HTC, LG or Samsung).

@ Doug C,

I have learned how to not get shot, they act really nervous and over the top

Please don't get me wrong on this but perhaps you might be better off if you did get shot...

Certain Federal and other LEO's in the US have basicaly just "gone in hard" sometimes even "with gun's a'blazing" and injured people, who have then sued and received not just substantial damages but considerable publicity, the result being they have become "gold plated" in that all LEO's "know, the varmint has sharp teeth" and give them a wide berth from then on.

However like you I would prefer not to have any more additional holes in my person where nature did not put them by design. I know from personal experiance that such holes tend to hurt and cause medical complications for years afterwards.

However a funny story about "living of the grid" for you.

In the UK untill recently you could get paid a considerable multiplier for every watt of electricity you "put back into the grid" than you would pay that is you got paid about five times the base unit price for "renewable energy".

Well I'm aware of someone "fudging" the system. They put in solar cells, wind generators and a woodburning generator. Thus their home electrcity was more than covered "off the grid" and they were making a "few bob" putting back the excess. Well they got together with their neighbour (semi-detached house) to make the few bob a much better payer... Basicaly they took grid electricity off the neighbour, down converted it to DC and put it back into "the solar cell" interface to make a nice little earner for them both...

Mark P. HahnApril 20, 2012 2:20 PM

This statement in Kreb's post caught my attention: "The feds estimate that the Puerto Rican utility’s losses from the smart meter fraud could reach $400 million annually." I found the PREPA annual budget here: http://www.aeepr.com/INVESTORS/... (they use both aeepr.com and prepa.com domains.)

Their entire income is 4.5 billion, so 400 million is a about 9% of income. After debt service they "clear" 287 million (they're a gov't agency so that's not profit, I don't know what it is). Is $400 million possible? I don't see the cost of their "smart grid" project, but I doubt that it's 10 year return would be in that range, let alone 1 year.

Someone, somewhere, is very bad with numbers. I'd expect Krebs to have pondered that figure before repeating it.

-MpH

gilbertoApril 20, 2012 4:58 PM

I live in Puerto Rico. Since 2000 the power authority embarked in replacing analog meters with remote metering (AMR) meters. More recently the replacement of these with "smart" ones has been explained publicly as to control and reduce meter tampering and energy theft. How ironic that the "smart" ones seem more easy to hack!!!

Nick PApril 21, 2012 12:00 AM

"Certain Federal and other LEO's in the US have basicaly just "gone in hard" sometimes even "with gun's a'blazing" and injured people, who have then sued and received not just substantial damages but considerable publicity, the result being they have become "gold plated" in that all LEO's "know, the varmint has sharp teeth" and give them a wide berth from then on."

That's rare. Usually, it escapes the public consciousness and the victims just suffer. It's usually dirty cops targeting people w/out the money to fight them. I've seen a ton of that in places I've lived. Another case is SWAT having the wrong address. In one case, the wife heard someone breaking in and shouted to her husband. The husband grabbed his gun, charged into the hallway, and was hit with pinpoint accuracy by a government marksman.

At least Doug hasn't had to deal with the types who plant evidence and have judge friends that approve of it. His strategy wouldn't be effective then.

RobertTApril 21, 2012 5:32 PM

@Mark P Hahn
"Someone, somewhere, is very bad with numbers...."

Yea EVERY smart meter assessment that I have ever read includes more Imaginary numbers than even a math major can dream-up.

mrriskApril 23, 2012 12:53 PM

If you are going to choose to do criminal activities to make money, there has got to be stuff with less risk for the same (~$200) a month reward. I know some people just like the challenge, but its also funny to see how much criminals don't really think about risk too.

Clive RobinsonApril 23, 2012 10:33 PM

@ mrrisk,

If you are going to choose to do criminal activities to make money, there has got to be stuff with less risk for the same (~$200) a month reward.

It depends on how you look at it.

For instance I'm fairly sure that many otherwise law abiding US citizens that try a bit of "creative accounting" with their expense claims, tax returns and even stationary requests for a great deal less than $200/month. Not because they can but because they look on it either as not being a crime or a victimless crime. Some even do it because they beleive that they "are owed" the money for some reason or are "sticking it to the man".

Making false financial claims is more commonly called fraud and in most places for most people it's a crime which in some cases (taxation) can lead to quite long terms of imprisonment or long term unemployment etc.

However these same people would not "shop lift" or go and commit various non violent "street crime" or "breaking into homes" all of which if done with intelligence can carry less risk and greater reward.

It is all crime but the risk / reward is rarely if ever seen correctly by the people carrying it out and that is often why they are caught.

P. AndersenApril 24, 2012 10:05 AM

@Clive
you make a good point in that people have other decision motivators when choosing their crime than the risk/reward balance.

But where can taxation crime lead to long term unemployment? In UK?

Clive RobinsonApril 24, 2012 11:30 AM

@ P.Anderson,

But where can taxation crime lead to long term unemployment? In UK

As far as I'm aware in all Sovereign Nations "Tax Legislation" is actually law, and (in many nations actually larger and more complex than other areas of law) thus breaching it can be considered only as one of three things,

1, Unintentional (usually punishable by paying owings pluss interest).
2, A Tort (punishable by fine).
3, A Crime (punishable by a fine and or imprisonment).

The person who initialy decides which it is, is the taxman. As we have come to see in the UK the chance of option three or two being selected is proportional to how many resources you have to fight, and the amount of influance you have purchased from the taxman or the politicos.

Thus the big fish (Tesco's, Vodafone and various other large businesses) hardly ever get taken to court and if they do they usually have the resources required to hamstring the system such that they get away with it (because tax legislation is so extrodinarily complex most judges cannot get their head around it and the reason it's so complex is because the politico's want it that way as it alows them to benifit from the system).

However if you are one of the little people who the taxman knows does not have the resources to fight then the chances are you will end up with a criminal record or a very very large hole in your pocket (ie you pay off the taxman to avoid prosecution).

Now in the UK it's a bit more complicated, because we have the Proceads Of Crime Act (POCA) and this can be used to "strip you of your rights" basicaly the taxman sequestrates all your assets prior to trial on the excuse that you will "flee with your illegaly aquired gains" (please note this is putting the cart before the horse in that at that point no illegal activity on your part has been shown let alone tested in court or proved). So you have no money to employee sufficiently qualified representatives to help defend you...

The result is you end up with a criminal conviction irrespective of if you are guilty or not but that's OK because "Justice has been SEEN to be done" irrespective of the actuality.

Now in the UK and many other places your employer will ask you if you have a criminal conviction, caution or have ever been arrested or have County Court judgments etc. The fact they are not supposed to about "spent convictions" or most of the rest of it is neither here or there, because if you say no when the answer is yes your employment can be terminated immediatly without recourse as you have breached you contract of employment. If however you decline to answer (for whatever reason) you don't get hired...

And as has been revealed via recent legal action in the UK there are quite a few private organisations who collect any and all data they can on people and build profiles. The fact that this is in contravention of both UK and EU data protection legislation is neither here or there as they usually base the part of the organisation iinvolved with such activities in foreign countries...

And as far as I can see this applies to the majority of first world nations and all WASP nations...

ToorSeptember 3, 2012 5:19 AM

I have been following up blogs on regular basis but somehow the main thing as to how the data / reading on the digital meter is altered has never been discussed. So does any one have any idea how. I understand to access the digital meter, we need to have the IR connected to USB to be accessible on to the laptop, but what about after that? Which software give complete access to the data and configuration of the meter.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..