A View from Erica Naone

Smart Meters Not Ready for Primetime

Researchers at Black Hat say the current generation of energy devices isn’t ready for mass deployment.

  • July 31, 2009

Money from the United States’ stimulus package is flowing into the energy industry, in part to improve the infrastructure for delivering electricity by adding “smart meters” to homes. But security researchers say the dollars are flowing too fast, without enough attention to security.

Mike Davis, a senior security consultant at the Seattle-based security research company IOActive, tested several varieties of the new meters and presented some of his findings yesterday at Black Hat, a computer-security conference in Las Vegas.

Davis explains that smart meters contain a radio chip and mesh networking software that enable them to automatically report customers’ energy use and automatically update the software running the devices, and that they have remote controls that allow a utility to shut off a customer’s electricity over the network. Previously, meters have been able to report energy use wirelessly, but doing so required a short-range signal that could be picked up from a utility company vehicle as it drove by. The new meters are more automated, and could operate with less human intervention, Davis says.

With the influx of stimulus dollars, Davis says, a lot of companies have huge lists of features they want to add to the meters. There is also a high level of competition between manufacturers, so products are being rushed to market, he says.

Of particular concern to Davis are commands that allow remote control over consumers’ meters. Though individuals have long tried to hack into their meters to save themselves a few dollars, the results of remote control could have a broader effect. “This generation of smart meters is probably not mature enough to handle the remote disconnect feature,” he says.

Though Davis is not at liberty to disclose what brands of meters he tested, he says that, for one brand, he was able to design a worm that he could install in one meter and propagate through the network. In simulations, Davis calculated that, in a region where 100 percent of homes have a smart meter installed, the worm could infect some 15,000 meters in the span of 24 hours. Once the worm spreads, an attacker could use it to give commands to the infected meters, such as a command to shut down.

Davis says all the meters he has tested have security flaws that need further examination before the devices are widely deployed. “Cleaning up from a compromise is going to be expensive and slow,” he says, and it’s better to fix as much as possible before that happens.

Davis is not the only one investigating the security of smart meters. Security researcher Travis Goodspeed also presented at Black Hat his attacks on some of the chips that typically go into smart meters (Goodspeed specializes in chips that use the Zigbee protocol, a communications protocol that’s typically used for the low-power digital radios found in smart meters). Goodspeed believes that the chips need more work. “The Zigbee chips presently available are not secure against a local attack,” Goodspeed says, meaning that, if an attacker can get access to a device, he believes the attacker can compromise it.

Davis believes better security is possible on the devices. For example, he suggested that the meters themselves could be programmed to detect and report anomalies in the network. In his talk, Davis said, “Customers need to pressure their utilities to make conservative choices when it comes to the security of their meters.”
