Two German researchers presented a talk entitled “Smart Hacking for Privacy”
at the 28th Chaos Computing Congress that took place between 27 and 30
December 2011, on the privacy implications of “smart” electricity meters.
These devices, installed in homes, collect information to determine the
power consumption. The researchers had signed up with Discovergy, one of the
independent companies providing such smart meters, to check out how secure
the devices were and what information could be obtained from the data
gathered by them.

According to Discovergy’s website, the web interface for accessing the
consumption data used HTTPS to protect the data, and the data sent back to
Discovergy was encrypted and signed in order to prevent forged data. The
website also stated that these facts had been confirmed by independent experts.

After the researchers’ presentation on 30 December, these statements
disappeared from the company’s website. As it turned out, the site’s SSL
certificate was misconfigured: the site presented an invalid certificate
warning and then redirected the researchers to an HTTP URL where the data
and password were transmitted in clear text across the internet. The
researchers found that the traffic was neither encrypted nor signed and was,
therefore, easy to intercept. Thus, they were able to demonstrate that data
from the entire life of the device was stored on Discovergy’s servers.

One of the main concerns was that the smart meters monitored power usage at
two-second intervals, which implies the devices were able to discern very
fine changes in power consumption, such as differences based on the
brightness levels displayed for different scenes in TV shows and movies.

The researchers believe that two-second measurements are unnecessary for
the stated goals of the smart meter companies and too intrusive on privacy,
as the data obtained could be used to establish very fine details.

“Unfortunately, smart meters are able to become surveillance devices that
monitor the behaviour of the customers leading to unprecedented invasions of
consumer privacy. High-resolution energy consumption data is transmitted to
the utility company in principle allowing intrusive identification and
monitoring of equipment within consumers’ homes (e.g., TV set, refrigerator,
toaster, and oven)”, said the researchers in a statement prior to the

Nikolaus Starzacher, CEO of Discovergy, explained that one of the reasons
for using the two-second polling interval was to provide services such as
notifying a customer that he had left an iron or another household appliance
on when leaving the house.

Also, the researchers claimed that they had been able to send false details
about their energy consumption back over the unencrypted Discovergy network,
meaning that consumers might be able to “potentially fake the amount of
consumed power being billed”.

In the opinion of Ross Anderson, professor in security engineering at the
University of Cambridge Computer Laboratory, EU and UK plans to install
smart meters are “set to become another public sector IT disaster”.

In a joint paper with his fellow academic Shailendra Fuloria, Anderson
warned that the vulnerability of the smart meters might allow hackers to
break into a “head-end” hub where smart metering data are collated and thus
even to cut the supply of energy across “tens of millions of households”.

“The introduction of hundreds of millions of these meters in North America
and Europe over the next ten years, each containing a remotely commanded off
switch, remote software upgrade and complex functionality, creates a
shocking vulnerability,” Anderson said, adding: “An attacker who takes
over the control facility or who takes over the meters directly could create
widespread blackouts; a software bug could do the same.”

In his opinion, regulators have started to become aware of the issue, and
possible solutions under discussion might be “shared control, as used in
nuclear command and control; backup keys as used in Microsoft Windows;
rate-limiting mechanisms to bound the scale of an attack; and local-override
features to mitigate its effects.”
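
Two of the mitigations listed above, shared control and rate limiting, can be sketched as a guard placed in front of the head-end's remote off switch. This is an added example, not code from the article, the paper or any vendor's system; the class name, thresholds, operator names and meter identifiers are all assumptions.

```python
from collections import deque


class DisconnectGate:
    """Hypothetical head-end guard in front of the remote off switch."""

    def __init__(self, max_per_window, window_seconds, approvals_required=2):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.approvals_required = approvals_required
        self._issued = deque()  # timestamps of disconnects already allowed

    def authorize(self, meter_id, approvers, now):
        """Return (allowed, reason) for one disconnect request at time `now`."""
        # Shared control: one stolen operator account must not be enough.
        if len(set(approvers)) < self.approvals_required:
            return False, "insufficient approvals"
        # Rate limit: forget disconnects that have left the sliding window.
        while self._issued and now - self._issued[0] >= self.window_seconds:
            self._issued.popleft()
        if len(self._issued) >= self.max_per_window:
            return False, "rate limit exceeded"
        self._issued.append(now)
        return True, "ok"


def simulate_burst(gate, meter_ids, approvers, start, spacing):
    """Replay a burst of requests and count how many the gate lets through."""
    allowed = 0
    for i, meter_id in enumerate(meter_ids):
        ok, _ = gate.authorize(meter_id, approvers, start + i * spacing)
        allowed += ok
    return allowed


if __name__ == "__main__":
    # Constructed scenario: 10,000 disconnect requests, one per second.
    meters = [f"meter-{n:05d}" for n in range(10_000)]
    gate = DisconnectGate(max_per_window=50, window_seconds=3600)
    # A single operator account is refused outright.
    print(simulate_burst(gate, meters, ["alice"], 0, 1))
    # Even with two approving accounts, the hourly cap bounds the damage.
    print(simulate_burst(gate, meters, ["alice", "bob"], 0, 1))
```

The cap does not prevent a takeover of the control facility; it limits how many households can be switched off before operators notice and intervene.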

