UK smart meters arrive in 2020. Hackers have ALREADY found a flaw

Energy summit bods warned of free energy bonanza


British consumers could easily hack into controversial new smart meters, allowing them to illegally slash their energy bills, cyber-security experts have warned.

The caution came as top Whitehall apparatchiks met with energy industry leaders today to discuss plans that will see the devices installed in every British home by 2020.

Smart meters are supposed to provide more accurate bills by constantly monitoring energy use and sending this information to utility providers in real time.

But cyber security experts have warned that these devices can be easily hacked to send false information.

"Smart meters could be hacked to under-report consumption and this should act as warning to the British programme," said Alejandro Rivas-Vásquez, principal adviser in KPMG’s Cyber Security department. "If the technology could be hacked for fraud, hackers with more nefarious intent may use these flaws for other purposes."

In Spain, researchers have already managed to hack smart meters and send false information to energy providers.

The UK has set out guidelines aimed at beefing up the security of smart meters, but this might not be enough to stop determined hackers finding a way to bypass protections.

"Cyber criminals and cyber terrorists are improving their capabilities very quickly," Rivas-Vásquez continued.

He said that industry and regulators needed to start thinking and acting much more quickly if they want to stop a free energy bonanza.

Previous energy innovations have been attractive to criminals.

Criminals were also quick to hack top-up cards for prepaid electricity meters when they were introduced in the noughties, in some cases going door to door to sell cheaper, illegal energy credit to customers.

In chilly Scotland, the problem was particularly acute. This reporter once exposed the organised gangs that knocked on vulnerable, elderly people's doors to flog them fake energy credit.

Between now and 2020, more than 50 million new smart meters will be rolled out to 30 million homes across Britain.

Previous research has suggested that smart meters will save British homes just £26 a year and will cost a total of £10.6bn to install across the country.

The Westminster Energy, Environment & Transport Forum is meeting today at the Royal Society in London. This event is called "Delivering the Smart Meter Implementation Plan: roll‐out, privacy and consumer engagement". ®
