* Researchers find security flaws in some smart meters
* Says weaknesses could lead to fraud, blackouts
* Spain one-third done with nationwide meter upgrade
By Eric Auchard
FRANKFURT, Oct 7 Network-connected electricity
meters installed in millions of homes across Spain lack
essential security controls, according to two researchers who
say the vulnerabilities leave room for hackers to carry out
billing fraud or even cause blackouts.
Security experts Javier Vazquez Vidal and Alberto Garcia
Illera said in an interview on Monday that so-called smart
meters installed by a Spanish utility to meet government energy
efficiency goals lack basic safeguards to thwart hackers.
The researchers said flawed code in reprogrammable memory
chips enable them to remotely shut down power to individual
households, switch meter readings to other customers and insert
network "worms" that could cause widespread blackouts.
"You can just take over the hardware and inject your own
stuff," Vazquez Vidal said, referring to the threat that hackers
could insert malicious code into one box and use it to control
nearby meters, and thereby cascade an attack across the network.
Traditionally, energy utilities have kept power plants and
mechanical electricity meters safe from cyber attack by keeping
them insulated from the open Internet.
Smart meters are connected over power line networks to give
customers and utilities instant data about when, where and how
much energy households use, enabling energy providers to monitor
and adjust energy flows.
The European Union wants more than two thirds of Europe's
electricity users to have smart meters by 2020, an initiative it
hopes will reduce energy use by three percent.
Over the last decade, most countries in Europe have mandated
that smart meters be installed in homes and businesses. But as
nationwide deployments have taken place in Italy and Sweden and
are now in motion across France, Spain and the United Kingdom,
experts have begun to uncover cybersecurity threats posed by
some meters.
The two researchers declined to identify the utility or
European-based hardware manufacturer of the smart meters found
to be vulnerable to attack. They will discuss their findings at
the Black Hat Europe hacking conference in Amsterdam next week.
"We are not releasing the exact details; we are not going to
say how we did this," Garcia Illera said. "This issue has to be
fixed."
The top power utilities in Spain are Endesa,
Iberdrola and E.ON. Collectively, 8 million
smart meters have been installed, or 30 percent of households.
The researchers said they had identified security flaws only
in boxes from one meter manufacturer. Vazquez Vidal said he
believes the utility may be able to patch the problem remotely,
without being forced to send repair staff to upgrade each box
physically.
An expert with Spain's markets and competition regulator,
which oversees the smart meter mandate, said the agency was
finishing a study on the threat of meter hacking and had not
found any evidence it was taking place or at risk of occurring.
LEAVING THE DOOR OPEN
The security impact of a vast array of connected devices
from smart meters to automobile controls to wearables such as
smartwatches and health monitors are only now being seriously
considered by industry, despite their growing use in daily life.
The Spanish researchers said they hacked the meters by
bypassing encryption that was designed to secure their
communications.
Vazquez Vidal and Garcia Illera said the meters use
relatively easy to crack symmetric AES-128 encryption. The
limited security appeared to be designed largely to prevent
tampering with billing systems by fraudsters, they said.
Once through this first level of security, they said they
could take full control of the box, switching its unique ID to
impersonate other customer boxes or turning the meter itself
into a weapon for launching attacks against the power network.
"Oh wait? We can do this? We were really scared," Vazquez
Vidal said. "We started thinking about the impact this could
have. What happens if someone wants to attack an entire
country?" he said.
They say they tested the devices in their own lab, where
they were able to reproduce various attacks in miniature using
several of the smart meters.
The same researchers last year uncovered weaknesses in
computer chips found in many automobiles, which they said could
boost performance or be used to hotwire a car or cause crashes.
Vazquez Vidal, who said he was "unemployed and bored" at
home in Cadiz when he carried out the smart meter research,
subsequently was hired by a major European automaker based on
his earlier work on car security.
Garcia Illera works for a California-based software maker.
The two asked that their employers not be identified because
their research projects do not involve their employers.
Mike Davis, a top security researcher with cybersecurity
consulting firm IOActive, identified similar threats in U.S.
smart meter devices five years ago.
"It was strange. Pretty much none of the utilities deploying
smart meters at the time were considering the meters themselves
as part of their threat problem," Davis said.
Disclosure of his findings was a wake-up call for U.S.
utilities, leading to increased government scrutiny and industry
action to better secure the devices against cyberattack.
Davis said the vulnerabilities described by the Spanish
research team sounded feasible given the slow response by
utilities and meter makers to overhaul their meters' security.
"The industry is starting to be much more intelligent,"
Davis said. "Although for something that is attached to the side
of your house, it still has a ways to go."
(Editing by Mark Potter)