We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

A View from Erica Naone

Smart Meters Not Ready for Primetime

Researchers at Black Hat say the current generation of energy devices aren’t ready for mass deployment.

  • July 31, 2009

Money from the United States’ stimulus package is flowing into the energy industry, in part to improve the infrastructure for delivering electricity by adding “smart meters” to homes. But security researchers say the dollars are flowing too fast, without enough attention to security.

Mike Davis, a senior security consultant at the Seattle-based security research company IOActive, tested several varieties of the new meters and presented some of his findings yesterday at Black Hat, a computer-security conference in Las Vegas.

Davis explains that smart meters contain a radio chip and mesh networking software that enable them to automatically report customers’ energy use, automatically update the software running the devices, and have remote controls that allow a utility to shut off a customers’ electricity over the network. Previously, meters have been able to report energy use wirelessly, but it required using a short-range signal that could be picked up from a utility company vehicle as it drove by. The new meters are more automated, and could operate with less human intervention, Davis says.

With the influx of stimulus dollars, Davis says, a lot of companies have huge lists of features they want to add to the meters. There is also a high level of competition between manufacturers so products are being rushed to market, he says.

Of particular concern to Davis are commands that allow remote control over consumers’ meters. Though individuals have long tried to hack into their meters to save themselves a few dollars, the results of remote control could have a broader effect. “This generation of smart meters is probably not mature enough to handle the remote disconnect feature,” he says.

Though Davis is not at liberty to disclose what brands of meters he tested, he says that, for one brand, he was able to design a worm that he could install in one meter and propagate through the network. In simulations, Davis calculated that, in a region where 100 percent of homes have a smart meter installed, the worm could infect some 15,000 meters in the span of 24 hours. Once the worm spreads, an attacker could use it to give commands to the infected meters such as to shut down.

Davis says all the meters he has tested have security flaws that need further examination before the devices are widely deployed. “Cleaning up from a compromise is going to be expensive and slow,” he says, and it’s better to fix as much as possible before that happens.

Davis is not the only one investigating the security of smart meters. Security researcher Travis Goodspeed also presented at Black Hat his attacks on some of the chips that typically go into smart meters (Goodspeed specializes in chips that use the Zigbee protocol, a communications protocol that’s typically used for the low-power digital radios found in smart meters). Goodspeed believes that the chips need more work. “The Zigbee chips presently available are not secure against a local attack,” Goodspeed says, meaning that, if an attacker can get access to a device, he believes the attacker can compromise it.

Davis believes better security is possible on the devices. For example, he suggested that the meters themselves could be programmed to detect and report anomalies in the network. In his talk, Davis said, “Customers need to pressure their utilities to make conservative choices when it comes to the security of their meters.”

Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.

Subscribe today
More from Sustainable Energy

Can we sustainably provide food, water, and energy to a growing population during a climate crisis?

Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    Print + Digital Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

    Technology Review PDF magazine archive, including articles, images, and covers dating back to 1899

    10% Discount to MIT Technology Review events and MIT Press

    Ad-free website experience

You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.