FRANKFURT (Reuters) - Network-connected electricity meters installed in millions of homes across Spain lack essential security controls, according to two researchers who say the vulnerabilities leave room for hackers to carry out billing fraud or even cause blackouts.
Security experts Javier Vazquez Vidal and Alberto Garcia Illera said in an interview on Monday that so-called smart meters installed by a Spanish utility to meet government energy efficiency goals lack basic safeguards to thwart hackers.
The researchers said flawed code in reprogrammable memory chips enable them to remotely shut down power to individual households, switch meter readings to other customers and insert network “worms” that could cause widespread blackouts.
“You can just take over the hardware and inject your own stuff,” Vazquez Vidal said, referring to the threat that hackers could insert malicious code into one box and use it to control nearby meters, and thereby cascade an attack across the network.
Traditionally, energy utilities have kept power plants and mechanical electricity meters safe from cyber attack by keeping them insulated from the open Internet. Smart meters are connected over power line networks to give customers and utilities instant data about when, where and how much energy households use, enabling energy providers to monitor and adjust energy flows.
The European Union wants more than two thirds of Europe’s electricity users to have smart meters by 2020, an initiative it hopes will reduce energy use by three percent.
Over the last decade, most countries in Europe have mandated that smart meters be installed in homes and businesses. But as nationwide deployments have taken place in Italy and Sweden and are now in motion across France, Spain and the United Kingdom, experts have begun to uncover cybersecurity threats posed by some meters.
The two researchers declined to identify the utility or European-based hardware manufacturer of the smart meters found to be vulnerable to attack. They will discuss their findings at the Black Hat Europe hacking conference in Amsterdam next week.
“We are not releasing the exact details; we are not going to say how we did this,” Garcia Illera said. “This issue has to be fixed.”
The top power utilities in Spain are Endesa, Iberdrola and E.ON. Collectively, 8 million smart meters have been installed, or 30 percent of households.
The researchers said they had identified security flaws only in boxes from one meter manufacturer. Vazquez Vidal said he believes the utility may be able to patch the problem remotely, without being forced to send repair staff to upgrade each box physically.
An expert with Spain’s markets and competition regulator, which oversees the smart meter mandate, said the agency was finishing a study on the threat of meter hacking and had not found any evidence it was taking place or at risk of occurring.
The security impact of a vast array of connected devices from smart meters to automobile controls to wearables such as smartwatches and health monitors are only now being seriously considered by industry, despite their growing use in daily life.
The Spanish researchers said they hacked the meters by bypassing encryption that was designed to secure their communications.
Vazquez Vidal and Garcia Illera said the meters use relatively easy to crack symmetric AES-128 encryption. The limited security appeared to be designed largely to prevent tampering with billing systems by fraudsters, they said.
Once through this first level of security, they said they could take full control of the box, switching its unique ID to impersonate other customer boxes or turning the meter itself into a weapon for launching attacks against the power network.
“Oh wait? We can do this? We were really scared,” Vazquez Vidal said. “We started thinking about the impact this could have. What happens if someone wants to attack an entire country?” he said.
They say they tested the devices in their own lab, where they were able to reproduce various attacks in miniature using several of the smart meters.
The same researchers last year uncovered weaknesses in computer chips found in many automobiles, which they said could boost performance or be used to hotwire a car or cause crashes.
Vazquez Vidal, who said he was “unemployed and bored” at home in Cadiz when he carried out the smart meter research, subsequently was hired by a major European automaker based on his earlier work on car security. Garcia Illera works for a California-based software maker. The two asked that their employers not be identified because their research projects do not involve their employers.
Mike Davis, a top security researcher with cybersecurity consulting firm IOActive, identified similar threats in U.S. smart meter devices five years ago. “It was strange. Pretty much none of the utilities deploying smart meters at the time were considering the meters themselves as part of their threat problem,” Davis said.
Disclosure of his findings was a wake-up call for U.S. utilities, leading to increased government scrutiny and industry action to better secure the devices against cyberattack.
Davis said the vulnerabilities described by the Spanish research team sounded feasible given the slow response by utilities and meter makers to overhaul their meters’ security.
“The industry is starting to be much more intelligent,” Davis said. “Although for something that is attached to the side of your house, it still has a ways to go.”
Editing by Mark Potter