Saturday, May 9, 2015

Shocker: Smart Power meters have lousy encryption

It's a basic axiom of cryptography that you should not create your own encryption cipher (for real use; it can be pretty interesting doing this just to learn crypto).  After all, as they say, everyone can design a cipher that they can't break.  The implication, of course, is that someone else might be able to break it, perhaps without much work.  In other words, for anything other than a toy application, use known secure encryption.

The people who designed the "Smart" power meters didn't listen to this, and rolled their own crypto system.  And guess what?
In the three years since its inception, the Open Smart Grid Protocol has found its way into more than four million smart meters and similar devices worldwide.

And like its SCADA, industrial control system, and embedded system brethren, it’s rife with security issues.
This is me, with my surprised face on.
The weaknesses discovered by Jovanovic and Neves enabled them to recover private keys with relative ease: 13 queries to an OMA digest oracle and negligible time complexity in one attack, and another in just four queries and 2^25 time complexity, the paper said.
Picky, picky, picky.  Other than being able to read all the data, spoof data, and pretend to be a different device (jacking someone else's power bill up), the system is like TOTALLY secure.

Or something.

I see lawsuits against the power companies in the future.  Or unscrupulous consumers getting a lot of free power while the power companies slowly go bankrupt.  Idiots.

3 comments:

Ratus said...

Wait, 'Smartmeters' have encryption?

It may be shortbus security, but at least they thought of securing it, BP.


Eagle said...

I recently interviewed at a VC-funded company that is building systems that interface with the grid. Their primary purpose is to perform power line conditioning, but some of their equipment is meant to balance the load on local power segments when solar is connected.

Their systems can only be programmed and/or adjusted when an external control box is connected, but they do want to be able to control their systems via a remote connection (wired or wireless).

The VP had no idea how they would provide the security necessary to do this. He only knew that, for now, there would only be a hardwired connection for maintenance and control.

I refused the job. If these people know that there's a problem and refuse to think about it, I don't want to work there... and eventually be one of the people that gets accused of "knowing how to fix the problem but ignoring the solution".

Paul Bonneau said...

In the old days we'd have to pull the meters and turn them upside down to get them to run backward. It's good to see that just hacking them with your computer will do the trick. Technology, always moving forward...