This article is also available in:
Deutsch: Smart Metering: Forscher sehen Verletzung der Privatsphäre
Two German researchers presented a talk entitled "Smart Hacking for Privacy" at the 28th Chaos Computing Congress that took place between 27 and 30 December 2011, on the privacy implications of "smart" electricity meters. These devices, installed in homes, collect information to determine the power consumption. The researchers had signed up with Discovergy, one of the independent companies providing such smart meters, to check out how secure the devices were and what information could be obtained from the data gathered by them.
According to Discovergy's website, the web interface accessing the consumption data used HTTPS to protect the data and the data sent back to Discovergy was encrypted and signed in order to prevent forged data. The website also stated these facts had been confirmed by independent experts.
Following the presentation of the researchers on 30 December, these statements disappeared from the company's website and as it came out, the SSL certificate of the site was misconfigured and presented an invalid certificate warning, then proceeded to redirect them to an HTTP URL where the data and password were transmitted in clear text across the internet. The researchers found out the traffic was not encrypted and signed and, therefore, easy to intercept. Thus, they were able to demonstrate that data from the entire life of the device was stored on Discovergy's servers.
One of the main concerns was that the smart meters were monitoring the power usage in two-second intervals which implies the devices were able to discern very fine modifications in power consumptions such as differences based on the brightness levels displayed for different scenes in TV shows and movies.
The researchers believe that two seconds measurements are unnecessary for the stated goals of the smart meter companies and too privacy intrusive as the data obtained could be used to establish very fine details.
"Unfortunately, smart meters are able to become surveillance devices that monitor the behaviour of the customers leading to unprecedented invasions of consumer privacy. High-resolution energy consumption data is transmitted to the utility company in principle allowing intrusive identification and monitoring of equipment within consumers' homes (e.g., TV set, refrigerator, toaster, and oven)", said the researchers in a statement prior to the presentation.
Nikolaus Starzacher, CEO of Discovergy, explained that one of the reasons for using the two second polling interval was to provide services such as notifying a customer that he forgot an iron or another house appliance on, when leaving the house.
Also, the researchers claimed that they had been able to send false details about their energy consumption back over the unencrypted Discovergy network meaning that consumers might be able to "potentially fake the amount of consumed power being billed".
In the opinion of Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, EU and UK plans to install smart meter are "set to become another public sector IT disaster".
In a joint paper with his fellow academic Shailendra Fuloria, Anderson warned over the threat of the vulnerability of the smart meters which might allow hackers to break into a "head-end" hub where smart metering data are collated and thus be able to even cut the supply of energy across "tens of millions of households".
"The introduction of hundreds of millions of these meters in North America and Europe over the next ten years, each containing a remotely commanded off switch, remote software upgrade and complex functionality, creates a shocking vulnerability," Anderson said adding: "An attacker who takes over the control facility or who takes over the meters directly could create widespread blackouts; a software bug could do the same."
In his opinion, regulators have started to be aware of the issue and possible solutions under discussion might be "shared control, as used in nuclear command and control; backup keys as used in Microsoft Windows; rate-limiting mechanisms to bound the scale of an attack; and local-override features to mitigate its effects."
Smart meter hacking can disclose which TV shows and movies you watch
Smart Hacking for Privacy (16.01.2012)
Smart meter technology is privacy intrusive, researchers claim (11.01.2012)