Back in June, I posted a note about the development and potential deployment of “smart” electric meters, and the possibility that they would introduce a new set of security concerns. It also mentioned a forthcoming presentation on the topic, at Black Hat, by Mr. Mike Davis of IOActive.
The Technology Review has now published a short article summarizing some of the results from Mr. Davis’s work. It appears that there are some significant vulnerabilities:
At a recent conference, Mike Davis, a senior security consultant at the Seattle-based research company IOActive, gave a presentation on a proof-of-concept cyber attack that could potentially allow an attacker to shut off large numbers of meters remotely.
It appears that there are several attack vectors, including a direct physical analysis of the meter’s memory and digital radio components, and a “man in the middle” attack via its wireless networking. It is also apparently possible to devise a network worm that can be spread among similar meters:
To demonstrate his attack, Davis crafted a piece of malware that could self-replicate to other meters, allowing an attacker to shut them down remotely. In simulations, Davis showed that if his worm were released in an area where all the houses were equipped with the same brand of meter, the worm could spread to 15,000 homes in the space of 24 hours.
It is also possible that the meters can be hacked to under- or over-report electricity consumption.
Perhaps it is better in other places, but our electric utility already has a capability to make the power go off that is excess to my requirements. I’d just as soon they not get any more ways to screw it up.