[Noisebridge-discuss] FBI: Smart Meter Hacks Likely to Spread

Nick Shapiro me at nickshapiro.net
Sat Jun 2 21:07:48 UTC 2012


An interesting article. Strictly for casual reading outside of Puerto Rico,
where the technology is _totally_ different.



http://krebsonsecurity.com/2012/04/fbi-smart-meter-hacks-likely-to-spread/


 FBI: Smart Meter Hacks Likely to Spread
A series of hacks perpetrated against so-called “smart meter” installations
over the past several years may have cost a single U.S. electric utility
hundreds of millions of dollars annually, the *FBI* said in a cyber
intelligence bulletin obtained by KrebsOnSecurity. The law enforcement
agency said this is the first known report of criminals compromising the
hi-tech meters, and that it expects this type of fraud to spread across the
country as more utilities deploy smart grid technology.

Part of an FBI alert about smart meter hacks.

Smart meters are intended to improve efficiency, reliability, and allow the
electric utility to charge different rates for electricity at different
times of day. Smart grid technology also holds the promise of improving a
utility’s ability to remotely read meters to determine electric usage.

But it appears that some of these meters are smarter than others in their
ability to deter hackers and block unauthorized modifications. The FBI
warns that insiders and individuals with only a moderate level of computer
knowledge are likely able to compromise meters with low-cost tools and
software readily available on the Internet.

Sometime in 2009, an electric utility in Puerto Rico asked the FBI to help
it investigate widespread incidents of power thefts that it believed were
related to its smart meter deployment. In May 2010, the bureau distributed
an intelligence alert about its findings to select industry personnel and
law enforcement officials.

Citing confidential sources, the FBI said it believes former employees of
the meter manufacturer and employees of the utility were altering the
meters in exchange for cash and training others to do so. “These
individuals are charging $300 to $1,000 to reprogram residential meters,
and about $3,000 to reprogram commercial meters,” the alert states.

The FBI believes that miscreants hacked into the smart meters using an
optical converter device — such as an infrared light — connected to a
laptop that allows the smart meter to communicate with the computer. After
making that connection, the thieves changed the settings for recording
power consumption using software that can be downloaded from the Internet.

“The optical converter used in this scheme can be obtained on the Internet
for about $400,” the alert reads. “The optical port on each meter is
intended to allow technicians to diagnose problems in the field. This
method does not require removal, alteration, or disassembly of the meter,
and leaves the meter physically intact.”

The bureau also said another method of attacking the meters involves
placing a strong magnet on the devices, which causes them to stop measuring
usage, while still providing electricity to the customer.

“This method is being used by some customers to disable the meter at night
when air-conditioning units are operational. The magnets are removed during
working hours when the customer is not home, and the meter might be
inspected by a technician from the power company.”

“Each method causes the smart meter to report less than the actual amount
of electricity used. The altered meter typically reduces a customer’s bill
by 50 percent to 75 percent. Because the meter continues to report
electricity usage, it appears to be operating normally. Since the meter is
read remotely, detection of the fraud is very difficult. A spot check of
meters conducted by the utility found that approximately 10 percent of
meters had been altered.”

“The FBI assesses with medium confidence that as Smart Grid use continues
to spread throughout the country, this type of fraud will also spread
because of the ease of intrusion and the economic benefit to both the
hacker and the electric customer,” the agency said in its bulletin.

The feds estimate that the Puerto Rican utility’s losses from the smart
meter fraud could reach $400 million annually. The FBI didn’t say which
meter technology or utility was affected, but the only power company in
Puerto Rico with anywhere near that volume of business is the
publicly-owned Puerto Rican Electric Power Authority
<http://www.prepa.com/aeees_eng.asp> (PREPA). The company did
not respond to requests for comment on this story.

The hacks described by the FBI do not work remotely, and require miscreants
to have physical access to the devices. They succeed because many smart
meter devices deployed today do little to obfuscate the credentials needed
to change their settings, according to *Tom Liston* and *Don Weber*,
analysts with InGuardians Inc. <http://www.inguardians.com/>, a security
consultancy based in Washington, D.C.

Liston and Weber have developed a prototype of a tool and software program
that lets anyone access the memory of a vulnerable smart meter device and
intercept the credentials used to administer it. Weber said the toolkit
relies in part on a device called an optical probe, which can be made for
about $150 in parts, or purchased off the Internet for roughly $300.

“This is a well-known and common issue, one that we’ve been warning people about
for three years now, where some of these smart meter devices implement
unencrypted memory,” Weber said. “If you know where and how to look for it,
you can gather the security code from the device, because it passes them
unencrypted from one component of the device to another.”

The two researchers were slated to demo their smart meter hacking tools at
the Shmoocon security conference <http://www.shmoocon.org/speakers> earlier
this year, but agreed to pull the presentation at the last minute at the
request of several vendors and utilities that they declined to name.

“It turns out that the vendor has a consortium of utility customers with
whom they have regular conference calls,” Weber said. “Several of the
utilities in this group had a concern about the information becoming
public. Luckily we have worked with several of the utilities in the group.
We have been able to stem the fears of all but one utility. We hope to have
them on board very soon.”

Liston said utilities have become accustomed to deploying meters that can
last 30 years before needing to be replaced, but that the advanced
interactive components being built into modern smart meters require a much
more thoughtful and careful approach to security.

“Traditionally, metering technology has been very cost effective, because
much of it is very resilient. But these older devices didn’t have a lot of
technology in them, and they certainly didn’t have wireless connections and
things like memory storage,” Liston said. “The utilities are still
expecting the lifecycle of newer pieces of equipment to be 20 to 30 years,
and they’re just coming to the realization that some of the new stuff deployed
is not going to last nearly that long.”

*Robert Former*, a security engineer at smart meter manufacturer
Itron <http://www.itron.com>,
said he hopes that researchers continue to push the industry toward
adopting technologies that can withstand these and potentially other,
as-yet-undiscovered attacks.

“What you’re hearing is the sound of [a] paradigm shifting without a
clutch,” Former said. “Utilities have to be more enterprise security-aware.
With these incidents at organizations of any size or age, the first
reaction is to cover it up. The thinking is if we keep this kind of thing
secret, nobody will find it or exploit it. But for those of us who are
inside the industry, and have been at this long enough, the only way we’re
going to fix a security problem is to expose it.”