Smart meters can be hacked to cut power bills
Smart meters widely used in Spain can be hacked to under-report energy use, security researchers have found.
Poorly protected credentials inside the devices could let attackers take control over the gadgets, warn the researchers.
The utility that deployed the meters is now improving the devices' security to help protect its network.
The discovery comes as one security expert warns some terror groups may attack critical infrastructure systems.
Many utility companies are installing smart meters to help customers monitor and manage their power use and help them be more energy efficient.
"We took them apart to see how they work," said independent researcher Javier Vidal who, with Alberto Illera, found the flaws in the smart meters.
"We suspected there could be some issues with them and we wanted to check.
"We feared the security would be easy to break and we confirmed that," he told the BBC.
Buried inside the onboard software, or firmware, the pair found encryption keys used to scramble all the information that the smart meter shares with "nodes" sitting higher in the power distribution system.
Using the keys and the unique identifier associated with each meter it became possible for the researchers to spoof messages being sent from the power-watching device to a utility company.
"We can fool the nodes and send them false data," said Mr Vidal.
Attackers could use what Mr Vidal and Mr Illera found to under-report energy use or to get someone else to pay their bill by using their ID in messages sent back to the nodes that log usage. With more work it might be possible to find a way to seek out meters and cut off the power they are supplying, they said.
The Spanish utility firm deploying the meters, which the researchers declined to name, had been told about the work and was working to close loopholes, said Mr Vidal. Millions of the smart meters are set to be installed in Spain before 2018, he added.
Security investigator Greg Jones who carried out similar work on smart meters being rolled out in the UK, said he was "not surprised" about the Spanish researchers' findings.
Mr Jones's work uncovered shared IDs, poor protection against tampering and data formats that would be easy to fake.
"I'm pretty sure that anyone who picked up one of these units would find similar problems," he said.
Although many different researchers had found the security on smart meters wanting, so far, he said, this work had not prompted a big improvement in the way the gadgets worked.
Some meters were being installed in their millions across nations, he said, despite security holes having been found in them.
A lot of the equipment being rolled out was securable, he added, though its limited computational capacities made it a tricky job to get right.
Added to this was the problem that the devices sat in peoples' homes and were not under the control of power firms.
"If you physically own a piece of hardware you can compromise it," he said.
Ashar Aziz, founder and head of security firm FireEye, said it was easy to explain why power networks and other critical infrastructure systems had not yet been attacked despite widespread reporting of their security shortcomings.
"The balance is maintained right now because the people that have the skill set and capability to infect these kinds of networks do not have the motivation," he said, "and those that have the motivation do not have the skill set."
Cybercrime gangs who had programming skills on tap were much more interested in making money than knocking out power grids, he said. By contrast, terror groups currently did not have the depth of computational skill required to tackle such a big target.
The research, analysis and development required to carry out such an attack was "non-trivial", said Mr Aziz and would probably take many months.
"The threshold to acquire this sophisticated cyber-weapon is much bigger than you need to make credit-card stealing malware," he said.
The Spanish researchers took about six months to reverse engineer the smart meter and work out how the power network handled communication.
Despite this hurdle, Mr Aziz said that an attack on critical infrastructure was bound to happen.
"We have a lot of brutal, non-state entities popping up all around the world and they are getting more organised on a daily basis," he said. "That capability is getting to be within the reach of them."