Hacking For Privacy: 2 days for amateur hacker to hack smart meter, fake readings

Detailed smart meter data can show what TV shows you watch, scan for copyright-protected DVD movies you watch, and other privacy intrusive details. Yet it takes an amateur hacker only two days to hack a home smart meter and fake the readings -- which could result in a utility bill showing absolutely no power consumption at all.

At the Chaos Communication Congress in Germany, 28C3, researchers presented "Smart Hacking For Privacy." After analyzing data collected by a smart meter, these gentlemen were able to determine devices like how many PCs or LCD TVs in a home, what TV program was being watched, and if a DVD movie being played had copyright-protected material. In other words, smart meters do have privacy implications that translate into consumer identification. On the bright side, they showed it takes an amateur hacker only two days to hack a home energy meter and fake the smart meter readings -- which could result in a utility bill showing absolutely no power consumption at all.

According to the Supreme Court and the Fourth Amendment's protection, "In the home, our cases show, all details are intimate details, because the entire area is held safe from prying government eyes." While some folks roll their eyes at the idea of , others like IEEE Spectrum explained, "It all sounds less paranoid when you consider that each appliance" has its "own energy fingerprint" that a smart meter can read. Who might want to read the smart meter data? Insurance companies to "determine health care premiums based on unusual behaviors that might indicate illness," or private investigators to "monitor specific events" or even criminals to learn high-priced appliances and the best times to steal them.

Since smart meters send detailed energy consumption to providers, there are other privacy implications to be exploited. For example, when the police confused bitcoin miners and the power usage to generate bitcoins for a pot farm operation. In another case of high electricity usage flagging a false positive, a DEA agent expected to find an indoor marijuana grow-op. Instead, the feds found "this guy had some kind of business involving computers. I don't know how many computer servers we found in his home."

Researchers from Münster University of Applied Sciences were previously able analyze smart meter data to identify the power consumption activity for a refrigerator, stove, and television. They showed that the type of LCD TV set could be identified, what TV program was on, or if a movie was playing from a DVD or other source. The research team called for a tightening of data protection regulations. Building upon that, the 28C3 presentation "Smart Hacking For Privacy" demonstrated that consumers can be identified via the data collected by a smart meter, from the types and amount of your devices, your TV shows, to scanning for copyright-protected (or pirated) movies being watched.

At 28C3 'behind enemy lines,' Dario Carluccio and Stephan Brinkhaus explained that they used an EasyMeter for the power meter and had a company called Discovergy install a smart meter which transmitted data via the Internet; Discovergy has a web interface so consumers can plot their own data for the last three months. Although there was no API, no way provided by Discovergy to download the data, the researchers used a HTTP GET request to retrieve all data, finding that one value every two seconds can be downloaded.

Discovergy had promised on its website to protect data, that the smart meter sent HTTPS allegedly encrypted/secure data to provide confidentiality, a cryptographic signature so data can't be altered, and that the company was inspected by independent experts. Yet the researchers said the claims that should guarantee security and privacy did not match up with reality.

The first Discovergy smart meter problem was that the HTTPS server was misconfigured, the certificate did not match the website. Although Firefox showed a warning, most users would click "it's safe" and then be redirected from HTTPS to HTTP so that all the passwords and data were sent in the clear. While the company web interface did not display data older than three months, the researchers found that all the data ever collected from the smart meter was still on the server.

They didn't want to destroy the smart meter to hack it, so they went the packet hacking route, disconnected the meter and emulated the smart meter sending packets. Since there was absolutely no protection at all from the smart meter to the server, no cryptographic signature or MAC message authentication code, the smart meter data could be faked. One of the researchers said it was "easy even for a Windows user" to monitor the smart meter communication by using FritzBox! to capture data and Wireshark to analyze it. Two days after the Discovergy smart meter was installed and the company sent the password, the researchers were able to hack the smart meter and claimed that it would be no problem for anyone to hack.

The next step was "having fun with the smart meter" which began with writing Python, continuously spoofing the packets, faking smart meter data which required a MITM attack. After gleaning knowledge from an article in the German c't magazine, the smart meter suddenly "didn't work anymore" -- meaning that according to the smart meter, he used no power consumption at all. Two months later, via the Discovergy web interface, he was able to see the calculations that his minimum power consumption was -106610 watts.

Many smart meters relay data in 15 minute intervals, which is bad enough for privacy, but Discovergy sent data every 2 seconds which gives a highly intrusive peek into private lives. During the question and answer portion of the presentation, the CEO of Discovergy popped up to apologize for the security and privacy issues, to say some had been resolved, and "thanks for pointing out" the others. The data is centralized, sent over the Internet as opposed to a LAN because "ordinary folks would find it challenging" to setup the LAN. While the smart meter collects detailed data per second to allegedly help consumers reduce energy use and identify old energy hog appliances -- not to know what you are watching on TV, consumers will now be offered the chance to "opt-out of detailed data collection."

Copyright © 2012 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)