Smart meters are "dangerously insecure," according to researcher Netanel Rubin – who claimed the gear uses weak encryption, relies on easily pwned protocols, and can be programmed to explode.
The software vulnerability hunter derided global efforts to roll out the meters as reckless, saying the "dangerous" devices are a risk to all connected smart home devices.
Smart meters can communicate with networked devices inside homes, such as air conditioners, fridges, and the like. A hacker who could infiltrate the internet-connected meters could control those gadgets and appliances and potentially unlock doors.
They could also manipulate the meter's code to cause fires, something that's trivially easy using mains supplies, Rubin claimed. You'd be forgiven for thinking fuses would prevent such a blaze, although the researcher is convinced the hardware can be tricked into overexerting itself and exploding.
"An attacker who controls the meter also controls its software, allowing them to literally blow the meter up," he told the Chaos Communication Congress in Hamburg, Germany, earlier this month.
"If an attacker could hack your meter, he could have access to all the devices connected to the meter. The smart meter network in its current state is completely exposed to attackers."
Rubin was accused of fear-mongering by the conference's audience. He shot back that he wanted to grab the public's attention with dire warnings of exploding boxes – claims that reminded El Reg of an old infamous World Weekly News spoof.
He fended off comments from the audience that triggering explosions through hacking was not possible, alleging it had been demonstrated in the US. (The Register could not at the time of writing verify that claim. We've written a ton about insecure smart meters, though, of course.)
While the physical security of the meter is typically strong, hackers still have plenty of wireless vectors to attack and exploit to compromise the equipment, he argued.
Rubin listed smart meters' use of Zigbee and GSM protocols, often left insecure and unencrypted, or at best secured with a GPRS A5 algorithm that has been known to be broken for more than five years. Attackers can also wirelessly force all units in an area to connect to malicious base stations using their hardcoded login credentials. This gives miscreants direct access to the smart meter firmware for deep exploitation.
"All meters of the same utility use the same APN credentials," Rubin told the applauding audience. "One key to rule them all."
Worse, Rubin found smart meters that hand over critical network keys when communicating with home devices without checking if the gadgets should be trusted. This opens an avenue for criminals to set up equipment that masquerades as home devices, steals the keys, and impersonates meters.
"You can communicate with and control any device in the house from way across the street, open up locks, cause a short in the electricity system, whatever we want to do. A simple segmentation fault is enough to crash the meter, causing a blackout at the premises," Rubin said.
He says these security shortcomings would have been eliminated if proper encryption had been used and the network had been segmented instead of being treated as a "giant LAN."
In 2009, in Puerto Rico, bill fraudsters were able to exploit similar security holes to snatch US$400m. Rubin said the meters' ability to communicate with internal smart home devices is merely an immediate concern – it will be way worse when utilities expand in the future to form city-wide mesh networks with city smart appliances.
"The entirety of the electricity grid, your home, your city, and everything in between will be in control of your energy utility, and that's a bit scary," he said.
About 40 percent of the smart meter market is held by Itron, Landis and Gyr, and Elster. The European Union wants to replace more than 70 percent of electricity meters with smart versions at a cost of €45 billion. There are already some 100 million meters installed globally.
Rubin expects a sharp increase in hacking attempts, and called on utility companies to "step up." He said he will release an open-source fuzzing tool to help security researchers test their own meters. "Reclaim your home, before someone else does," he said. ®