Serious vulnerabilities in smart electricity meters continue to expose both consumers and electric utilities to cyberattacks. However, some have questioned claims that hackers can cause these devices to explode.

Smart electricity meters allow service providers to remotely monitor consumption and connect or disconnect power, and they enable consumers to better understand their energy usage. Millions of devices have already been deployed and governments around the world plan on completely replacing traditional meters in the next few years.

Smart meter vulnerabilities

Between 2010 and 2012, several experts detailed the security and privacy implications of using smart meters, and SecureState even released an open source framework designed for finding vulnerabilities in such devices.

However, according to Netanel Rubin, who recently founded Vaultra, a company that develops security solutions for the smart industry, smart meters continue to lack proper security mechanism, allowing malicious actors to use these devices to target both consumers and utilities.

In a presentation at the 33rd Chaos Communication Congress (33C3) in Hamburg, Germany, Rubin analyzed the methods that can be used to hack smart meters. The expert said that while physical attacks are more difficult due to various protection mechanisms, remote software hacking can be much easier to conduct.

The protocols used by smart meters include ZigBee, which is used for communicating with smart appliances in the consumer’s home, and GSM, which is used for communications between the meter and the electric utility. Both ZigBee and GSM have been known to contain serious vulnerabilities, and they have been poorly implemented in smart meters.

SAVE THE DATE: ICS Cyber Security Conference | Singapore - April 25-27, 2017

In the case of GSM, many electric utilities still haven’t implemented any form of encryption, despite being warned of the risks several years ago. Those that do use encryption, rely on the A5 algorithm, which is known to be vulnerable to attacks.

The researcher said an attacker can get smart meters to connect to their own GSM base station by broadcasting a stronger signal than the legitimate base station. The smart meter will connect to the rogue station and will attempt to authenticate using hardcoded credentials, allowing the attacker to hijack traffic and take control of the device.

Moreover, since the meters deployed by each utility use the same credentials, it could be easy for malicious actors to compromise all the devices operated by that organization.

According to Rubin, such attacks can be prevented if utilities use proper encryption, implement network segmentation instead of “using one giant LAN,” and monitor their smart meter networks.

In the case of attacks aimed at consumer home networks, hackers can abuse ZigBee, a protocol standardized more than a decade ago. Unlike other devices that use ZigBee, such as smart hubs, smart meters don’t ensure that a new device should be allowed to join the network before they share the network key with it. This key can allow an attacker to impersonate any device and take control of other devices on the network, Rubin said.

If they hijack the meter itself, attackers could find and exploit vulnerabilities – the lack of CPU and memory resources in a smart meter often results in minimized ZigBee code, which does not include security checks. While memory corruption issues, such as buffer overflows, might not be easy to exploit, the researcher believes it’s enough for an attacker to find a segmentation fault and crash the meter, which can lead to a power outage.

Debug ports accessible via hardcoded credentials and the lack of proper ZigBee encryption can also be problematic, the researcher warned.

Risks and FUD

According to the expert, a malicious actor who manages to hack a smart meter could obtain information on the targeted user’s power consumption and potentially determine when the victim is at home, or they could inflate the electricity bill. The expert pointed to an incident in Puerto Rico, where an electric utility reported hundreds of millions of dollars in losses due to smart meter fraud conducted via hacking and other methods.

Even more worrying, Rubin said, is that since smart meters can communicate with all the smart devices in the consumer’s home, an attacker could hijack those systems, including smart door locks.

The expert also believes an attacker could cause a meter to explode by making modifications to the software running on the device.

One member of the audience at Rubin’s 33C3 talk, who has been designing smart meters, pointed out that these devices don’t include hardware that can be caused to explode via a software attack, and noted that smart meter explosions are typically caused by faulty installation. Others took to social media to question Rubin’s conclusions.

Rubin pointed to an incident in Canada where he claims investigators determined that such hacker attacks are possible, but the details he provided were vague. One of the smart meter explosion incidents he referenced during his presentation turned out to be a fire caused by something other than an exploding smart meter.

Another member of the audience said Rubin oversimplified and sensationalized the issue, but the researcher claimed he did that on purpose in an effort to get through to people outside the cybersecurity community.

Rubin said Vaultra plans on releasing a smart meter fuzzing tool in the upcoming weeks. A video of the researcher’s talk at 33C3 has been made available by the conference organizers:

Related: ICS-CERT Issues Alerts After Expert Discloses Power Meter Flaws

Related: IBM Reports Significant Increase in ICS Attacks