Buggy smart meters can infect the Smart Grid

June 17, 2009

In a report published June 12th, Register.com's Dan Goodin reports, "The newfangled meters needed to make the smart grid work are built on buggy software that's easily hacked, said Mike Davis, a senior security consultant for IOActive. The vast majority of them use no encryption and ask for no authentication before carrying out sensitive functions such as running software updates and severing customers from the power grid. The vulnerabilities, he said, are ripe for abuse."


Davis will present at the Black Hat Conference next month, and will demonstrate a worm that he has developed that he claims easily infects the current generation of smart meters. "We can switch off hundreds of thousands of homes potentially at the same time," Davis, who has spent the past few months analyzing a half-dozen smart meters, told The Reg. "That starts providing problems that the power company may not be able to gracefully deal with."

For more details read the rest of the article here.

Is this a surprise to anybody? It certainly isn't a surprise to Unfettered. We've been warning about this and just waiting for a report like this to surface. I've spoken to many functional security experts who believe that the real benefits of the smart grid aren't going to come from household smart meters anyway, but from the generation systems and the transmission and distribution systems, and from interconnecting them properly.

Most of the functional security experts I know won't have a smart meter in their house for any money-- certainly not now.

Eric Byres warned of this 10 years ago when he started developing edge device security appliances, like his Tofino device. If we've known for a decade that this was probably going to happen, there's no excuse for developing smart meters that can be penetrated easily and quickly by the script kiddie who lives in the house, or next door, or around the block.
