[Cryptography] Smart electricity meters can be dangerously insecure, warns expert

Jerry Leichter leichter at lrw.com
Sun Jan 1 07:12:29 EST 2017 

> Hackers can cause fraud, explosions and house fires, and utility companies should do more to protect consumers, conference told....
Oh, come on.

A smart electric meter provides a way to read electricity used remotely.  It might, I suppose, have a way to shut off current remotely - but I rather doubt it - how often do electric companies need to cut off the power to a subscriber?  There may be separate - though perhaps integrated - controls that can turn power off to certain appliances to shed load.  OK, so your A/C and such might get shut down.

"An attacker could also see whether a home had any expensive electronics."  From hacking the smart meter?  How, exactly?

"He will have power over all of your smart devices connected to the electricity."  How?  Yes, the protocols used for these things are badly insecure - but they communicate wireless, not through the power lines.  Just what does hacking the power meter have to do with breaking into IoT communications?

"This will have more severe consequences: imagine you woke up to find you’d been robbed by a burglar who didn’t have to break in."  Just what exactly could you have been robbed of?

I can believe billing fraud - though we're talking mischief here, not theft, which tends to limit the scale.  There's also potential annoyance from having your A/C shut down.  But explosions and house fires?  How, exactly?

"[I]n 2015 a house fire in Ontario was traced back to a faulty smart meter, although hacking was not implicated in that."  Well, gee, a malfunctioning device attached to main power - in front of even the home main breaker in typical installations, mind you - had a "malfunction" and caused a fire.  Malfunction - as in short, perhaps?  These things are rare, but they do happen.  I once saw a short develop in a wall socket.  In what in retrospect was probably a fraction of a second before the breaker tripped, an impressive amount of energy was dumped into the surrounding wood panelling.  Fortunately, it didn't catch fire.

Yes, the security of IoT sucks.  That's widely reported.  Personally, I've avoided IoT devices, as the cost/benefit tradeoffs - from the overpriced devices to the potential costs due to hacking - just don't make sense to me.  But let's keep things in some perspective.  I know "based on reality" is out of style these days, but ... call me old-fashioned, but I still believe in it.

For many years, I avoided doing on-line banking because I didn't trust the security systems involved.  Then I read Don Knuth's stories about how someone used a paper check he'd written to get his account number and produce and use bogus checks in his name.  It took significant effort on his part to get the money back.  In fact, even closing the account wasn't enough - when some "late" checks arrived, the bank re-opened the account, paid them, and tried to bill him.  At that point, it became clear that the security issues are elsewhere, so I might as well go for the convenience.  I've never looked back.

                                                        -- Jerry

More information about the cryptography mailing list