Next Gen Utilities meters..
Posted by: thrill
Date: June 09, 2009 06:51PM

Today the house I live in got a new "Next gen electric meter". Had a chance to speak to the installer and it's obvious there's some dis/mis-information going on.. he claims the unit communicates via satellite, but most of us would quickly realize that this is quite impossible for such a small device.

So for the past few minutes we've been discussing things with id regarding the technology they might be using and wondering what type of security measures these small units might be capable of.

You can view almost the identical meter that got installed through this link. And if you read the description, you will see that they state "Provides full security and encryption for today’s stringent requirements". Of course, I actually read "we got a password, and use 64bit encryption".

Some of my first thoughts focus on altering the data in the unit, but the implications of breaking their 'security measures' might mean gaining access to their central office.. and given the recent news that the NSA discovered various power companies throughout the US had already been penetrated by foreign hackers, makes me wonder how serious these companies have taken security.. or better yet.. what the importance of security is on a day to day basis..

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Next Gen Utilities meters..
Posted by: tx
Date: June 15, 2009 05:55PM

There's supposed to be a talk about these new Smart Meters at Black Hat next month actually. The Register did a brief writeup, and I've gotta say it doesn't look like they're taking security too seriously.

Quote

Davis and his IOActive colleagues designed a worm that self-propagates across a large number of one manufacturer's smart meter. Once infected, the device is under the control of the malware developers in much the way infected PCs are under the spell of bot herders...It exploits an automatic update feature in the meter that runs on peer-to-peer technology that doesn't use code signing or other measures to make sure the update is authorized...One deficiency common among many of the meters is the use of insecure programming functions, such as memcpy() and strcpy()

Also, I looked up the Access Point that the meters are using. There's some brief info here which raises its own alarms in my head, from the pdf:
Quote

From end-to-end, the Smart Grid network is managed and controlled by UtilityIQ®... [A] feature-rich, Web-based interface [that] collects and displays critical network statistics and alarms from numerous data sources, including electricity, water, and gas meters... And it gives you a scalable platform that enables advanced applications to be deployed—both now and in the future—to add even more value to service offerings.

-tx @ lowtech-labs.org
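The Register quote above names two separate problems: updates that are applied without any check that they are authorized, and parsers built on unchecked memcpy()/strcpy(). The block below is an added example, not code from the page or from any meter vendor, illustrating only the second one. It assumes a made-up record layout for an update chunk (a two-byte big-endian length followed by that many payload bytes) and a fixed 64-byte destination buffer; the sample packets are constructed, not captured. It shows the unchecked copy beside a bounds-checked one. Note that bounds checking does nothing about the first problem: a correctly parsed chunk from an unauthenticated peer is still an attacker's chunk.

```c
/*
 * Added example (not from the page or any vendor): parsing a
 * length-prefixed update chunk. Assumed layout:
 *   [u16 chunk_len, big-endian][chunk_len bytes of payload]
 * parse_chunk_unchecked() trusts the length field the way the
 * write-up describes; parse_chunk_checked() validates it against
 * both the destination buffer and the packet actually received.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_MAX 64   /* assumed size of the meter's chunk buffer */

typedef struct {
    uint8_t data[CHUNK_MAX];
    size_t  len;
} chunk_t;

/* Constructed sample packets (not captured from a real meter). */
static const uint8_t PKT_GOOD[]      = {0x00, 0x05, 'H', 'E', 'L', 'L', 'O'};
static const uint8_t PKT_OVERSIZED[] = {0xFF, 0xFF, 'X'};       /* claims 65535 bytes */
static const uint8_t PKT_TRUNCATED[] = {0x00, 0x40, 'A', 'B'};  /* claims 64, carries 2 */

/* Vulnerable pattern: the attacker-controlled length drives memcpy().
 * With PKT_OVERSIZED this writes far past out->data and reads past
 * the packet; it is kept here only for contrast and is never called
 * with hostile input in this file. */
static int parse_chunk_unchecked(const uint8_t *pkt, size_t pkt_len, chunk_t *out)
{
    if (pkt_len < 2) return -1;
    size_t n = ((size_t)pkt[0] << 8) | pkt[1];
    memcpy(out->data, pkt + 2, n);
    out->len = n;
    return 0;
}

/* Hardened: the length must fit the destination AND the bytes actually
 * present in the packet; anything else is rejected before any copy. */
static int parse_chunk_checked(const uint8_t *pkt, size_t pkt_len, chunk_t *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 2) return -1;
    size_t n = ((size_t)pkt[0] << 8) | pkt[1];
    if (n > CHUNK_MAX) return -1;      /* would overflow out->data */
    if (n > pkt_len - 2) return -1;    /* would read past the packet */
    memcpy(out->data, pkt + 2, n);
    out->len = n;
    return 0;
}

int main(void)
{
    chunk_t c;
    memset(&c, 0, sizeof c);
    printf("good      -> %d (len %zu)\n",
           parse_chunk_checked(PKT_GOOD, sizeof PKT_GOOD, &c), c.len);
    printf("oversized -> %d\n",
           parse_chunk_checked(PKT_OVERSIZED, sizeof PKT_OVERSIZED, &c));
    printf("truncated -> %d\n",
           parse_chunk_checked(PKT_TRUNCATED, sizeof PKT_TRUNCATED, &c));
    return 0;
}
```

The two rejected packets are the cases a fuzzer finds first: a length that exceeds the buffer, and a length that exceeds what was received. A device that applies this chunk as code still needs the update signed by a key it trusts; that is a separate check this example does not provide.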

Re: Next Gen Utilities meters..
Posted by: thrill
Date: June 15, 2009 06:29PM

Quote

A feature-rich, Web-based interface

I think those 6 words sum up how important security was at the time of design.

Thanks for the info tx.. I was pretty sure they weren't going to be that secure, but now I realize that it goes way beyond not being secure.. now if you piss off the right person you might be without power and gas for a while.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Next Gen Utilities meters..
Posted by: thrill
Date: June 15, 2009 06:39PM

And actually.. being without electricity would be the least of the problems.. imagine tampering with the data to the point where someone's utility bill comes out to the millions of dollars..

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Next Gen Utilities meters..
Posted by: tx
Date: June 15, 2009 07:10PM

@thrill: You said it. I noticed this little blurb in the UtilityIQ data sheet:
Quote

Securely accessed by an intuitive web-based
interface or by advanced web services APIs,
UtilityIQ supports secure remote disconnect/
reconnect services and transmission of load and
price control signals to endpoint devices.

-tx @ lowtech-labs.org

Re: Next Gen Utilities meters..
Posted by: thrill
Date: June 15, 2009 07:59PM

@tx

Didn't need to read that in their paper.. the instant I saw the guy installing these new meters I joked with him about hacking into it and having it report that we only used 2 kWh this month.. he laughed, but it was one of those laughs as to say "hmm.. what a great idea!"..

I'm sure some dumb kid will try doing that and will most likely get caught, those are not the ones that scare me.. the ones that scare me are the ones that will be able to take control of the meters without being detected.. as I told id:

Quote

I think that it's going to be the next undetected worm.. imagine someone silently taking over these meters.. first it's just a few dozen, then it's hundreds, next is thousands, suddenly you control 99% of all meters in a metropolitan area, including businesses, private homes, hospitals.. and your occasional bank.. I just really think it's a bad idea to put things on-line.. think of the fun people were having with those "control your lights from the internet" crap.. well, this is just slightly more accessible and less monitored..

it's just a huge attack surface with hardly any monitoring

Now, I understand I'm a paranoid nutjob, it's part of being in this business and having seen what people can do, but deploying millions of these things without having taken serious consideration of their security is about as careless as putting millions of Windows 95 computers directly on the internet with real-world IP addresses and up-all-day connections. Except that now it's not just pop's pr0n downloads that are going to be disrupted.. it's the same power grid the FBI just recently announced it had discovered backdoors to.

How convenient that now we're providing a larger attack surface for them to penetrate..

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Next Gen Utilities meters..
Posted by: Anthem
Date: June 17, 2009 09:12PM

Nothing can ever be completely secure, huh?

Can it?

--
Can you hear them?

So much to learn, so little time...

Re: Next Gen Utilities meters..
Posted by: thrill
Date: June 17, 2009 11:16PM

@Anthem

Not while usability is considered first, and even then, it's a very fine line. It's the old adage, build a better mouse trap, the world will build a smarter mouse.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Next Gen Utilities meters..
Posted by: id
Date: June 17, 2009 11:59PM

Complete security is only a fool's goal, managing risk is what matters.

-id

Re: Next Gen Utilities meters..
Posted by: thrill
Date: June 18, 2009 10:09AM

Quote

Complete security is only a fool's goal, managing risk is what matters.

Yes! Glad to see that strategy worked well for you at TJ Maxx..

You're lucky you're 2500 miles away or I'd whack you over the head.. Yes, complete security may be unattainable, however, not taking it into consideration during the design process is also foolish.

You don't have the security guard design your safe, even though he might be the person most familiar with it. And if security engineers were as hard to find as a good safe designer I might just agree with your statement. However, this is not the case. But companies are still having their safes designed by their security guards.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Next Gen Utilities meters..
Posted by: id
Date: June 18, 2009 12:28PM

For me at TJ Maxx? Eh?

Anyway, TJ Maxx didn't manage risk very well, did they? That has absolutely nothing to do with the concept of "complete security" (unattainable, and probably not desirable because of the side effects).

And how do you propose to take into account "Complete Security"? Are you going to spend some time making a contingency plan in case hostile eskimo pirates attack in numbers greater than 2000?

-id

Re: Next Gen Utilities meters..
Posted by: thrill
Date: June 18, 2009 12:48PM

Quote

Securely accessed by an intuitive web-based
interface or by advanced web services APIs,
UtilityIQ supports secure remote disconnect/
reconnect services and transmission of load and
price control signals to endpoint devices.

Keywords to concentrate on here:

intuitive == ease of use, aka, usability
web-based == sla.ckers never saw this code
advanced web services APIs == we built some shit and think it works

Starting the paragraph with 'securely' does not mean they took security into account. Risk management for them meant the use of 'securely' in their description I'm sure. And again, I agreed with you on the 'complete security' portion.. going back to my safe analogy, there will never be a completely secure safe.. if it can be opened, well, it can be opened. However, this doesn't mean that safe builders are creating a cube with one end completely open.. it still means taking into consideration the aspect of security with locks and combinations, etc., etc.. so why in hell build an "intuitive web-based interface with advanced web services APIs" that allows for more holes to be built rather than a very simple push technology that allows you to gather the data and then you can make it look purdy????

A simple vt100 (or if you're sadistic, tn3270) interface with a 16 char password that locks out after 3 bad tries for 24 hours would suffice. Oh, and yes, there is NO risk in enabling a device to allow for remote shut-down of power.. none.. zip, zero, zilch!

Comprende Pancho Villa?

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill
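The gate thrill sketches in the post above (16-character password, three bad tries, 24-hour lockout) is concrete enough to write down, so here it is as an added example; this is not code from the page, from the poster, or from any meter product. Everything beyond the three numbers is an assumption made here: the password is compared in constant time, the caller supplies the clock as Unix seconds so the logic can be tested without waiting a day, and the secret is held in memory as plaintext only to keep the example short (a real device would store a hash). One caveat a practitioner would weigh: a 24-hour lockout after three guesses is also a lever for locking the operator out of remote access to that meter.

```c
/*
 * Added example (not from the page): login gate with a 16-char
 * password, lockout for 24 hours after 3 consecutive failures.
 * The clock is passed in by the caller (Unix seconds) so the
 * lockout expiry can be exercised deterministically.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_LEN        16
#define MAX_FAILURES  3
#define LOCKOUT_SECS  (24 * 60 * 60)

typedef enum { AUTH_OK = 0, AUTH_BAD = 1, AUTH_LOCKED = 2 } auth_result;

typedef struct {
    char    secret[PW_LEN + 1];  /* plaintext only for this example */
    int     failures;            /* consecutive failures since last success/lockout */
    int64_t locked_until;        /* Unix time; 0 when not locked */
} auth_state;

/* Fixed-cost comparison: no early exit on the first mismatching byte,
 * so response time does not reveal how much of the guess was right. */
static int ct_equal(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Enforce the 16-character policy at provisioning time. */
static int auth_init(auth_state *st, const char *secret)
{
    if (st == NULL || secret == NULL || strlen(secret) != PW_LEN) return -1;
    memset(st, 0, sizeof *st);
    memcpy(st->secret, secret, PW_LEN + 1);   /* length verified above */
    return 0;
}

static auth_result auth_attempt(auth_state *st, const char *attempt, int64_t now)
{
    if (st->locked_until != 0 && now < st->locked_until) return AUTH_LOCKED;
    st->locked_until = 0;                      /* lockout has expired */

    /* Copy at most PW_LEN bytes into a zero-padded buffer so the compare
     * always costs the same; a wrong length is folded into the result. */
    char buf[PW_LEN + 1] = {0};
    size_t n = strlen(attempt);
    memcpy(buf, attempt, n < PW_LEN ? n : PW_LEN);
    int ok = ct_equal(buf, st->secret, PW_LEN) & (n == PW_LEN);

    if (ok) { st->failures = 0; return AUTH_OK; }

    if (++st->failures >= MAX_FAILURES) {      /* third miss: lock for a day */
        st->failures = 0;
        st->locked_until = now + LOCKOUT_SECS;
        return AUTH_LOCKED;
    }
    return AUTH_BAD;
}

int main(void)
{
    auth_state st;
    int64_t t = 1244577600;                    /* arbitrary start time */
    auth_init(&st, "correct-horse-b1");        /* constructed 16-char secret */
    printf("guess 1 -> %d\n", auth_attempt(&st, "wrong-password-1", t));
    printf("guess 2 -> %d\n", auth_attempt(&st, "wrong-password-2", t + 1));
    printf("guess 3 -> %d\n", auth_attempt(&st, "wrong-password-3", t + 2));
    printf("right, still locked -> %d\n", auth_attempt(&st, "correct-horse-b1", t + 3));
    printf("right, day later -> %d\n", auth_attempt(&st, "correct-horse-b1", t + 2 + LOCKOUT_SECS));
    return 0;
}
```

The third failure returns AUTH_LOCKED rather than AUTH_BAD so the client learns it has been locked out rather than burning the next 24 hours on retries; the counter resets when the lockout is set, so the window starts fresh when it expires.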

Re: Next Gen Utilities meters..
Posted by: id
Date: June 18, 2009 04:01PM

I was only answering Anthem's question.

Comprende Pocahontas?

-id

Re: Next Gen Utilities meters..
Posted by: thrill
Date: June 18, 2009 04:25PM

Poca == few therefore I am Muchahontas.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Next Gen Utilities meters..
Date: June 18, 2009 05:55PM

>>And actually.. being without electricity would be the least of the problems.. imagine tampering with the data to the point where someone's utility bill comes out to the millions of dollars..

I'd expect people to tamper with their own meter if they have, say, a wind turbine or solar panel on their property. That way, when the meter runs backwards and the power company pays them for their excess power, they can change the numbers so it appears they gave more power to the grid than they actually did. Thus profit$!

Re: Next Gen Utilities meters..
Posted by: id
Date: June 18, 2009 07:22PM

The way the power rules in CA work (and most power authorities), is they only have to credit you back for power that you use from the grid, they can still suck as much as you're willing to give...so no $$

-id

Re: Next Gen Utilities meters..
Posted by: Cagekicker
Date: June 22, 2009 06:16PM

/rant on
Like I said in another post, we have a saying in Corrections, "security is not convenient..." and it's ALWAYS going to take a back seat to whatever makes our lives "easier". It's the long-standing fight between good and evil, management and security- management finds ways to do things differently, security is there to mitigate the risks that come along with those changes. Doesn't matter if it's a change in technology or a change in methodology. And yes, we'll always be the red-headed step-child since it's our job to try to tighten down the nuts and bolts as much as possible. :)

Human beings are lazy, but companies are even lazier. The more technological our advances, the lazier society as a whole gets. Is it more convenient (read: costly) to have software that can read and transmit utility usage while only having to train call center personnel on how to use the software, OR to have to pay the utility person, as well as the cost of gas, wear and tear on the vehicle, etc., to go read the meters? Security versus saving money? Guess which one wins... and just like TJ Maxx and these other companies that get hacked and lose a crapload of customer data, the utilities are going to hate life when something happens. Especially when it happens to someone that has the money to pay out for the lawyers to rape them in court. And when it does, hopefully someone sees the article and finds this forum post so we can say, "I TOLD YOU SO"! LOL!!!

/rant off

Kind of off topic, but sorta goes along with the conversation. Does anyone remember the movie "The Gods Must Be Crazy"? It's about a tribe in Africa where a pilot tosses a Coke bottle out the window and the tribe uses it as a tool, things get all crazy so the chief of the tribe takes it to the end of the world to return it back to the gods. Ooooold movie, but I think it has some different ways of looking at what happens as we gain more tools that make life easier.

--------------------------------------------------------
Regarding gun carry laws: I'd rather be judged by 12 than carried by six...




Re: Next Gen Utilities meters..
Posted by: thrill
Date: June 22, 2009 06:50PM

Quote

Does anyone remember the movie "The Gods Must Be Crazy"?

Yes, he decides to give it back to the gods because everyone in his village was fighting over it... suddenly everyone NEEDED it..

Taking what you said into consideration, I ask you the following. Which will be cheaper, having the guy go to your house to read the meter, or having the guy go to your house to do software upgrades every time a new bug is released? And of course, this will no longer be just a 'meter reader' wage.. he has to be an 'engineer'..

But as I said above, it would have been much simpler to just have the meter spew out all the info and making it look pretty in the office, just like mainframes did in the old days.. they just threw out information.. getting a new account added was a pain in the butt, but guess what? They were secure..

And I still want a pet badger.. :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Next Gen Utilities meters..
Posted by: Cagekicker
Date: June 23, 2009 12:22PM

Oh, I agree that they should leave well enough alone, bud. My argument is that the more things advance, the more complicated they become, the harder they are to secure, the cost of providing services goes up exponentially. But, in management's eyes- "upgrading" will cost less and make them "more efficient"...they don't look at the security issues of things, and even if they had a CISO or CSO telling them the implications- they more than likely didn't see past the $$$ in their eyes. :)

I believe in K.I.S.S - the simpler, the better and the easier to account for and secure. Besides, that's taking jobs away! Like we need that...

--------------------------------------------------------
Regarding gun carry laws: I'd rather be judged by 12 than carried by six...

Re: Next Gen Utilities meters..
Posted by: thrill
Date: June 23, 2009 12:34PM

I had this quote yesterday:

There are more fools in the world than there are people.

Heinrich Heine (1797 - 1856)

How fitting. :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Next Gen Utilities meters..
Posted by: Cagekicker
Date: June 23, 2009 05:19PM

Admittedly, I do my time on both sides of the fence. :D

--------------------------------------------------------
Regarding gun carry laws: I'd rather be judged by 12 than carried by six...

Re: Next Gen Utilities meters..
Posted by: clayfox
Date: June 30, 2009 01:29PM

This could be used for swatting too. If electricity usage goes above a certain threshold in certain areas, it is enough cause for a drug growing investigation.

-clayfox

Re: Next Gen Utilities meters..
Posted by: thrill
Date: June 30, 2009 02:00PM

@clayfox - Good point.. didn't think of that one.. of course, that's given that the excess lights don't cause a fire at the house and forces the fire department to come out to put out all your pot.. :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Next Gen Utilities meters..
Posted by: thornmaker
Date: July 01, 2009 04:03PM

lower the thermostat setting in the summer by a couple degrees for everyone on a given grid... increase overall power consumption considerably... down goes grid... score free ice cream from stores giving it away before it melts!!!

Re: Next Gen Utilities meters..
Posted by: clayfox
Date: July 01, 2009 04:43PM

@thornmaker - you win. I just checked, and hackingforicecream.com is an available domain name.

-clayfox
