Welcome to City-Data.com Forum!
Old 09-18-2014, 07:42 AM
 
Location: Reno
843 posts, read 2,216,931 times
Reputation: 586

Quote:
Originally Posted by ND_Irish View Post
There may be reasons why you wish to place a smart meter in the same category as the things you mentioned, but security and privacy are not among them in my opinion.
I believe part of the problem is that people think the 'anti smart meter' people are claiming a conspiracy.. AND you get a lot of whackos jumping on the bandwagon anytime something like this comes up.

IMO it's that the government handing out monopoly power to NV Energy and NV Energy itself don't give a damn about the people and the potential risks of these devices. Fact is that the deployments of smart meters in many places have been done poorly and often with no security at all. Combine that with the use of off-the-shelf mesh network technology and there is a lot of potential fun to be had such as shutting down power for entire neighborhoods.

Hacking smart meters is trivial, here's just a couple of items on that subject:

Smart meter hacking tool released | ZDNet
FBI: Smart Meter Hacks Likely to Spread — Krebs on Security

Eventually some bored kid is going to have fun in your neighborhood, which could lead to widespread power outages (a huge drop in consumption on the grid can be just as bad as a huge increase in demand). Old style meters may not help in that case.

The answers we get from those in charge are simple denial, repeating baseless assertions that these meters and the networks and their servers are secured. If you have to lie to 'sell' something.. well perhaps you're selling snake oil and FUD.

 
Old 09-18-2014, 12:03 PM
 
12,973 posts, read 15,802,978 times
Reputation: 5478
Quote:
Originally Posted by braindead0 View Post
I believe part of the problem is that people think the 'anti smart meter' people are claiming a conspiracy.. AND you get a lot of whackos jumping on the bandwagon anytime something like this comes up.

IMO it's that the government handing out monopoly power to NV Energy and NV Energy itself don't give a damn about the people and the potential risks of these devices. Fact is that the deployments of smart meters in many places have been done poorly and often with no security at all. Combine that with the use of off-the-shelf mesh network technology and there is a lot of potential fun to be had such as shutting down power for entire neighborhoods.

Hacking smart meters is trivial, here's just a couple of items on that subject:

Smart meter hacking tool released | ZDNet
FBI: Smart Meter Hacks Likely to Spread — Krebs on Security

Eventually some bored kid is going to have fun in your neighborhood, which could lead to widespread power outages (a huge drop in consumption on the grid can be just as bad as a huge increase in demand). Old style meters may not help in that case.

The answers we get from those in charge are simple denial, repeating baseless assertions that these meters and the networks and their servers are secured. If you have to lie to 'sell' something.. well perhaps you're selling snake oil and FUD.
Did you read your cites?

They indicate a problem for the utility if anyone. Basically that one can get at the local optical port on a smart meter and reprogram it. The only interesting thing to do with that capability would be to lower the customer's usage.

I suppose you could cut off a customer but you have to get to the meter to do that. Such a tactic is unlikely to be anything other than a nuisance.

Simple defenses such as periodically uploading a checksum on program and fixed data would defeat it.

Simply no threat to the customer.
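The periodic integrity upload suggested in the post above, sketched as an added example that is not part of the original thread or any utility's code. It assumes a per-meter secret key and a head-end that holds the reference image; the names `measure`, `HeadEnd` and `meter-001` and all sample data are hypothetical.

```python
import hashlib
import hmac
import secrets

def measure(key, nonce, firmware, fixed_data):
    """Meter side: keyed digest over the challenge, program image and fixed data."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in (nonce, firmware, fixed_data):
        mac.update(len(part).to_bytes(4, "big"))  # length prefix keeps fields unambiguous
        mac.update(part)
    return mac.digest()

class HeadEnd:
    """Utility side: holds the reference image and one key per meter."""
    def __init__(self, firmware, fixed_data, keys):
        self.firmware, self.fixed_data, self.keys = firmware, fixed_data, keys
        self.pending = {}  # meter_id -> outstanding nonce

    def challenge(self, meter_id):
        self.pending[meter_id] = secrets.token_bytes(16)
        return self.pending[meter_id]

    def verify(self, meter_id, response):
        nonce = self.pending.pop(meter_id, None)  # each nonce is accepted once
        if nonce is None:
            return "no-challenge"
        expected = measure(self.keys[meter_id], nonce, self.firmware, self.fixed_data)
        return "ok" if hmac.compare_digest(expected, response) else "mismatch"

def demo():
    # Constructed sample data: stand-ins for a program image and calibration table.
    firmware = b"\x7fFW-image-v1" + bytes(range(64))
    fixed = b"pulses_per_kwh=1000;ct_ratio=1"
    altered = b"pulses_per_kwh=2000;ct_ratio=1"
    key = secrets.token_bytes(32)
    head = HeadEnd(firmware, fixed, {"meter-001": key})

    n1 = head.challenge("meter-001")
    good = measure(key, n1, firmware, fixed)
    results = {"intact": head.verify("meter-001", good)}
    results["unsolicited"] = head.verify("meter-001", good)  # nonce already consumed

    n2 = head.challenge("meter-001")
    results["altered_data"] = head.verify("meter-001", measure(key, n2, firmware, altered))

    head.challenge("meter-001")
    results["replayed_old_answer"] = head.verify("meter-001", good)  # fresh nonce, stale digest
    return results

if __name__ == "__main__":
    print(demo())
```

The fresh nonce keeps a stored answer from being reused, but the digest is still computed by the meter's own code, so a check like this complements a hardware root of trust rather than replacing one.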
 
Old 09-18-2014, 02:02 PM
 
Location: Reno
843 posts, read 2,216,931 times
Reputation: 586
Quote:
Originally Posted by lvoc View Post
Did you read your cites?

...snip...

Simple defenses such as periodically uploading a checksum on program and fixed data would defeat it.

Simply no threat to the customer.
Those were just some example problems with the implementation from the most accessible sources. Similar attacks are possible over the NAN. There's a lot more information available on the subject for anyone who cares to look..

Main point is that no utility does anything beyond the bare minimum as far as security. I spent over a decade consulting for the Southern California Gas Company and witnessed first hand how much security expertise and care a regulated utility has (hint.. none at all). If they actually implemented proper security that was audited by a reliable third party I would have a lot less worry about it, however they instead repeat the mantra of adhering to 'industry standard security practices' which is a meaningless statement.
 
Old 09-18-2014, 02:55 PM
 
12,973 posts, read 15,802,978 times
Reputation: 5478
Quote:
Originally Posted by braindead0 View Post
Those were just some example problems with the implementation from the most accessible sources. Similar attacks are possible over the NAN. There's a lot more information available on the subject for anyone who cares to look..

Main point is that no utility does anything beyond the bare minimum as far as security. I spent over a decade consulting for the Southern California Gas Company and witnessed first hand how much security expertise and care a regulated utility has (hint.. none at all). If they actually implemented proper security that was audited by a reliable third party I would have a lot less worry about it, however they instead repeat the mantra of adhering to 'industry standard security practices' which is a meaningless statement.
Your comments are absolutely misleading. The articles are specific to entry through the local optical port. There is no indication of anyone even attempting to get at the wireless network. I am not suggesting it cannot be done but unless the firmware is manipulable from that route there is little to gain. The con is to sell people lower electric bills. A direct attack on the net is war and would likely result in stringent security protocols by the utilities. I personally doubt it would ever come and amateur attacks will be easily beaten back often by simply tracking down and arresting the perpetrator.

Security has always been a mixed bag. Get too clever and the worst problem on your systems turns out to be the security system. You end up with it so secure it does not work at all. Particularly protecting against insiders is filled with problems. If you do it well you always end up making the system less robust and more difficult to maintain.
 
Old 09-18-2014, 04:00 PM
 
Location: Reno
843 posts, read 2,216,931 times
Reputation: 586
Quote:
Originally Posted by lvoc View Post
Your comments are absolutely misleading. The articles are specific to entry through the local optical port. There is no indication of anyone even attempting to get at the wireless network. I am not suggesting it cannot be done but unless the firmware is manipulable from that route there is little to gain. The con is to sell people lower electric bills. A direct attack on the net is war and would likely result in stringent security protocols by the utilities. I personally doubt it would ever come and amateur attacks will be easily beaten back often by simply tracking down and arresting the perpetrator.

Security has always been a mixed bag. Get too clever and the worst problem on your systems turns out to be the security system. You end up with it so secure it does not work at all. Particularly protecting against insiders is filled with problems. If you do it well you always end up making the system less robust and more difficult to maintain.
Like I said, those are just a couple of examples. You pick out ONE of my concerns and note that those links didn't address that ONE concern.

This article talks about two specific network based attacks: Smart Meters Not Ready for Primetime | MIT Technology Review

Both of these require physical access for initial attack, the first then propagates over the network. I don't recall the details of the attacks Travis Goodspeed talked about however it demonstrates ONE weakness in the network.

tl;dr;

Quote:
Though Davis is not at liberty to disclose what brands of meters he tested, he says that, for one brand, he was able to design a worm that he could install in one meter and propagate through the network. In simulations, Davis calculated that, in a region where 100 percent of homes have a smart meter installed, the worm could infect some 15,000 meters in the span of 24 hours. Once the worm spreads, an attacker could use it to give commands to the infected meters such as to shut down.

Davis says all the meters he has tested have security flaws that need further examination before the devices are widely deployed. “Cleaning up from a compromise is going to be expensive and slow,” he says, and it’s better to fix as much as possible before that happens.

Davis is not the only one investigating the security of smart meters. Security researcher Travis Goodspeed also presented at Black Hat his attacks on some of the chips that typically go into smart meters (Goodspeed specializes in chips that use the Zigbee protocol, a communications protocol that’s typically used for the low-power digital radios found in smart meters). Goodspeed believes that the chips need more work. “The Zigbee chips presently available are not secure against a local attack,” Goodspeed says, meaning that, if an attacker can get access to a device, he believes the attacker can compromise it.
Two interesting reads about privacy issues. NIST has some of the same concerns that I raise, and also proposes fixes.. none of which have been implemented by any utility in this country (or any other that I'm aware of).

http://csrc.nist.gov/publications/ni...-7628_vol2.pdf

And here's something from the Congressional Research Service, again on privacy issues:

http://fas.org/sgp/crs/misc/R42338.pdf

Like I said earlier, tons of information IF you are willing to actually look. You have to skip past the tin foil hat/conspiracy sites and you'll find a lot of reliable sources with a lot of valid concerns about smart meters.

Consider attending the next Black Hat, there you will likely see people hacking smart meters using all manner of means.
 
Old 09-18-2014, 04:41 PM
 
12,973 posts, read 15,802,978 times
Reputation: 5478
Quote:
Originally Posted by braindead0 View Post
Like I said, those are just a couple of examples. You pick out ONE of my concerns and note that those links didn't address that ONE concern.

This article talks about two specific network based attacks: Smart Meters Not Ready for Primetime | MIT Technology Review

Both of these require physical access for initial attack, the first then propagates over the network. I don't recall the details of the attacks Travis Goodspeed talked about however it demonstrates ONE weakness in the network.

tl;dr;



Two interesting reads about privacy issues. NIST has some of the same concerns that I raise, and also proposes fixes.. none of which have been implemented by any utility in this country (or any other that I'm aware of).

http://csrc.nist.gov/publications/ni...-7628_vol2.pdf

And here's something from the Congressional Research Service, again on privacy issues:

http://fas.org/sgp/crs/misc/R42338.pdf

Like I said earlier, tons of information IF you are willing to actually look. You have to skip past the tin foil hat/conspiracy sites and you'll find a lot of reliable sources with a lot of valid concerns about smart meters.

Consider attending the next Black Hat, there you will likely see people hacking smart meters using all manner of means.
Sorry but I started working on worms and firmware security about 30 years ago.

This is all mental masturbation. The issue of privacy is NSA. Nothing else gets within two orders of magnitude. And smart meters are an order of magnitude below that.

Securing such networks against worms and such is much simpler at the level of firmware systems where simple hardware fixes can prevent virtually any attack.

But to keep things simple is important. Complex security strategies screw up the systems. If you are worried about worms and propagation of worms you set up a piece of hardware that can only be locally programmed. No more worms.

The security guys live off what-if scenarios. The practical system designers try for what-is systems. And perhaps what may be in a few years. But no you don't work the worst case. I would also be down on any system that allowed a software change to propagate freely through the system without at least some basic hard or firm blocks. Perhaps a coded alert to each system that a software change was coming.
All times are GMT -6.
