Open Source Smart Meter Hacking Framework Released 74
wiredmikey writes "A researcher specializing in smart grids has released an open-source tool designed to assess the security of smart meters. Dubbed 'Termineter,' the framework would allow users, such as grid operators and administrators, to test smart meters for vulnerabilities. Termineter uses the serial port connection that interacts with the meter's optical infrared interface to give the user access to the smart meter's inner workings. The user interface is much like the interface used by the Metasploit penetration testing framework. It relies on modules to extend its testing capabilities. Spencer McIntyre, a member of SecureState's Research and Innovation Team, is scheduled to demonstrate Termineter in a session 'How I Learned to Stop Worrying and Love the Smart Meter,' at Security B-Sides Vegas on July 25. The Termineter Framework can be downloaded here." As the recent lucky winner of a smart meter from the local gas company, I wish householder access to this data was easy and expected.
Not surprising. (Score:5, Insightful)
As someone who writes drivers for various smart meters to do AMR, I am surprised it took this long. Most protocols are childishly simple with little in the way of encryption or authentication. Often the passwords are sent in plain text. Check metering might be a simpler way to secure your meters. Catch them at it rather than get into an arms race...
Re:Hack the planet for ransom! (Score:0, Insightful)
Nobody is out to cheat you. The gas company gets cheated way more often than the customer does.
In other words, "the $FOSSILFUELCORP I worked at is honest, as far as I know, though I don't know everyone personally and didn't launch an investigation or anything ... therefore it should be obvious that every employee at every other $FOSSILFUELCORP is equally honest." Sheesh, with such impeccable logic I don't know why so many people just won't believe you...
Warning to those who want to try it out (Score:5, Insightful)
The meter is not your property and hacking it without authorization is illegal. You don't use Metasploit on other people's systems and you shouldn't use this on the utility's meter either. Buy your own meter if you want to run some experiments.
Re:Not surprising. (Score:3, Insightful)
I don't think the other AC mentioned anything about paying for power being a moral issue. Peripherally it is--as in, we build huge centralized fossil fuel power plants and can't seem to make solar power work right because it works best in a decentralized (read "local purchased hardware, non metered use) kind of way, which would totally be disruptive to the large megacorps' government and military backed business plans, but that's another story and not totally relevant here.
What is relevant is that there are tons of moral issues with deploying these things. First off, they do in fact enable different rates to be applied at different times. That would be a problem--since when is a profit-driven corporation going to actually save anybody any money? As in, when does metering anything (say, Internet usage) actually provide a better deal for customers? In this case, you're already metering things, but you're adding the ability to tune the metering to a level of detail that people just don't want. I don't really want to have to figure out what time of day to wash my clothes or do my dishes just because some jackass in a suit decided it would be best for me to have a "smart meter".
Second problem: usage analysis in aggregate is a good thing. Figuring out how much power to throw on a grid is not easy and if you get it wrong it can be wasteful or even damaging. I get that. However, in order to aggregate data you have to have data in the first place. Such data can be and has been used to try to look for "criminal anomalies" like people growing certain plants and stuff, and can be used to put together a pretty good dossier on how you live your life--when you wake up, go to work, come home, do laundry, cook dinner, etc. Cops and other nefarious agencies are already salivating over this because control freaks love personalized data.
If you have a job as a smart meter developer, here's how to get fired from it. Go in and tell your bosses that you want to develop code for the meters and their associated back end systems that completely anonymizes personally identifiable information from your statistics. Nobody, not even the power company, could see peoples' electrical usage details other than quantities used for billing purposes, but they'd still have their usage stats for running the grid more efficiently. In other words, give people the alleged benefits of these devices while retaining the relative privacy of the older meters. Watch as the guy in the room who cut a secret deal with the DEA or whoever and didn't tell you turns purple, or how the marketing team that was going to sell this data to advertisers breaks out in a cold sweat, and see how quickly you'll be out the door for "job performance issues" as soon as somebody has a hushed word with your boss.
Still think there are no moral issues here?