Open Source "Smart" Power Meter hacking framework is released
Security outfit SecureState’s smart meter hacking framework, Termineter, has gone live over at Google Code.

"Extensible Framework" has been the security hotness for five or six years now. I've been warning about these stupid "Smart" meters for basically as long as I've been blogging. Companies rushed to get them deployed before the security framework was thought through. Welcome to Hell, Department of Energy types!
The software is described as having a structure like Metasploit, with a similar interface and ability to be extended with external modules.
Termineter isn’t up to the full doomsday-scenario “remote attack” that troubles owners of critical infrastructure who stupidly opened up their control interfaces to the Internet (so as to save themselves the cost of private networks): it gathers smart meter data over the devices’ local serial optical interfaces.
For everyone else, I think that the first use for this will be to audit your power company. This tool likely will let you get access to all sorts of meter data, so you'll be able to tell if the power company is trying to rip you off. Or if someone has pwned the power company and is messing with you.
It's the End Of The World As We Know It
A couple of folks have emailed links to this (thanks), although the security community is pretty well going bonkers over it:
Looks harmless, right? Of course it does - that's the point. But inside this friendly looking power strip is a Linux computer loaded with H4X0r 'sploits, WiFi and enhanced Bluetooth radios, WiFi key cracking goodness, and a 3G cell phone for high speed pwnage even if there's no WiFi. If the Bad Guy drops one of these in your office, he can get presto-changeo reverse SSH shell access through your firewall, tunneling back through an outbound https connection.
And oh yeah, the power outlets all work, so nobody's the wiser.
This 100 proof pure distilled evil is brought to you courtesy of the good folks at DARPA, which is very, very interesting indeed. As ZDNet truthfully says, if you see one of these around the office, make sure it's supposed to be there.
Ready, fire, aim, apologize
Black Hat conference Organisers of the annual Black Hat conference have apologised after an estimated 7,500 conference delegates received a suspicious email yesterday resembling a phishing attack.

Oops. Remember, if I come across as paranoid, I was trained to be that way by the finest minds in the Free World.
The dodgy email, informing entrants of a supposed password reset, was sent out after a volunteer with ITN International, the third-party firm handling on-site registrations for this week's Las Vegas conference, "pressed the wrong button" on a mail-out webform, the organisers explained.
More over the next few days.