Smart meters – maybe not so smart

You may already have read about ‘smart metering technology’ being installed in all homes across the UK from 2014 onwards, with every home expected to have smart metering installed by 2019. This might slip if funding is not readily available, but that seems to be the current timescale.

Smart metering allows two-way information exchange between energy users and suppliers, providing (almost) real-time information about supply and demand at the individual user level, so that the level of supply and demand can be accurately determined on a moment-to-moment basis. According to the Government, smart metering will slash unnecessary energy use, reduce emissions, and cut consumers’ energy bills.

But, it seems there’s a problem, and nobody’s telling us about it.

Researchers have found that the meters can monitor users’ consumption at intervals of only 2 seconds, which is far too frequent for their intended purpose.

Worse, this rapid high-resolution sampling makes it possible to analyse the consumption and identify what equipment is being used in the user’s home – and this can lead to an invasion of privacy, as it reveals people’s habits, preferences, and even whether or not the home is occupied. I found the explanation of this (and the weakness which was used to exploit it) particularly interesting, since a similar discussion I took part in about five years ago concluded that this could not be done. However, technology and analytical techniques have moved on, and I have to say I am impressed with what can be done now, and the level of detail that a ‘simple’ consumption monitoring exercise can provide.

It has to be said that a simple change to the metering could also defeat quite a lot of this, if the manufacturers were to incorporate such a thing. But it would degrade the operation of the device (without affecting its claimed purpose), so I doubt they will.
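To illustrate why the sampling interval matters for privacy, here is an added example (not taken from the researchers' paper or from any meter vendor) that looks for appliance-sized steps in a constructed load trace, first at 2-second resolution and then after averaging into 30-minute readings. The wattages, timings and appliance names are all made up, and coarser reporting is an assumed mitigation, not necessarily the change referred to above.

```python
# Added example. All wattages, timings and appliance names are constructed.
SIGNATURES_W = {"kettle": 2000, "fridge compressor": 120}  # assumed step sizes

def build_trace():
    """One hour of household load sampled every 2 s (1800 readings, watts)."""
    trace = [100.0] * 1800        # constant background load
    for i in range(300, 390):     # kettle on for 3 minutes
        trace[i] += 2000
    for i in range(900, 1200):    # fridge compressor on for 10 minutes
        trace[i] += 120
    return trace

def downsample(trace, factor):
    """Average each block of `factor` readings, as a coarser report would."""
    return [sum(trace[i:i + factor]) / factor
            for i in range(0, len(trace) - factor + 1, factor)]

def match_events(trace, period_s, tolerance=0.1, min_step_w=50):
    """Find step changes between readings; label those matching a signature."""
    events = []
    for i in range(1, len(trace)):
        step = trace[i] - trace[i - 1]
        if abs(step) < min_step_w:
            continue
        label = None
        for name, watts in SIGNATURES_W.items():
            if abs(abs(step) - watts) <= tolerance * watts:
                label = name
        events.append((i * period_s, label, "on" if step > 0 else "off"))
    return events

def identified(events):
    """Keep only the events that were matched to an appliance."""
    return [e for e in events if e[1] is not None]

if __name__ == "__main__":
    fine = build_trace()
    coarse = downsample(fine, 900)            # 900 x 2 s = 30-minute readings
    print("2 s readings:   ", identified(match_events(fine, 2)))
    print("30 min readings:", coarse, identified(match_events(coarse, 1800)))
```

At 2-second resolution every switch-on and switch-off is recovered with its time; the two half-hour averages still support billing but no longer match either appliance.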

They also found they could send false detail to the supplier – in other words, users could falsify their consumption.

Particularly worrying was their finding that all security techniques which were supposed to be in place were not, or could be easily circumvented – and the data being sent to and from the smart meter was not encrypted, so anyone with reasonable skills could intercept it.

We currently lack any robust privacy and data requirements in the UK for this technology.

Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, has said that the Government’s smart meter plans are “set to become another public sector IT disaster”.

Technically, it does not take the greatest leap in imagination to see how such insecure devices could become a disaster if hackers were able to break into a ‘head-end’ hub where smart metering data may be collated, and from where they could cut the supply of energy across millions of households. Deploying these meters across the world – once developed, the same technology is mass-produced and standardised – would see hundreds of millions of the devices installed in Europe (and North America, apparently). With each having a remotely controlled ‘Off switch’ and remote software updating, each becomes a rather alarming point of vulnerability in every home.

Anderson and Fuloria’s paper on the vulnerabilities of smart meter technology (6-page / 119KB PDF)

There is also a video presentation (it’s hard going, as the guys are not used to speaking in public, but the slides speak for them):