My current day job is working on ZigBee devices integrating with smart-grid power meters. So I follow the industry. If you want to keep up with the news of the day put FreakLabs Open Source Wireless into your RSS reader. They aggregate the news of the day.
They linked to Smarter hackers lurk in smart-grid future, a post about smart-grid security from Greenbang. As a smart consumer, you and I both know the only way to sell security is by generating fear. We all buy virus protection because we fear our computer will get pwned. We lock our doors at night because we fear a break-in.
In the article they put up the straw man argument that a hacker could bypass multiple layers of security, understand unusual and proprietary wireless protocols, and then break into your house. I have to say “WHAT!?!?!?”.
Stop using the intruder argument for security. A sophisticated hacker decrypts RSA keys, then uses a crowbar to break down the door? Really? No, I mean really? How about just watching the house and seeing when you drive away? That seems easier than running a network sniffer and decoding keys.
To be fair, the article uses the intruder as an example, then warns that there are bigger security issues. Major things like mass power outages and Stuxnet viruses should be the focus of security. The “you're not home, so someone will break in” example oversimplifies the issues and needs to stop. Please, please, if you found this in your search to write a network security article, do not imply that someone may break into my house because of my smart meter.
A better hack
This was in the back of my head while out walking yesterday. I thought, “if you could hack the network, what would you really know?” How often I run the dishwasher? BFD. That led me to a much better hack.
Please, do not come and arrest me for posting this. My point is not to enable crime, just to point out the folly of security theater. Schneier on Security is my role model here.
OK, so let's pretend we are real sophisticated crackers. We want to make money from the smart-grid rollouts in our town. So we start hacking the utility systems. That seems hard, and as a cracker, I am mostly lazy.
Instead, let’s send out some spam. Spam is easy. The spam says (I am paraphrasing here):
I am the evil smart meter cracker that the utility warned you about. Do as I say or I will mess with your meter, cause a power outage and give you a giant electricity bill!
Pay me $5 per month and I will change your meter settings to save you $20 per month. The utility is just trying to screw everyone, so let's stick it to the man. For $10 I will save you $30. More than that is dangerous and we may get caught. Don’t tell anyone, see above.
Send payment to my overseas criminal account (or use bitcoins) details here.
Smart Grid Cracker
Now, here is the beauty of it: don’t change a thing on the meter or smart grid. If the cracker actually has access, then they can send monthly emails saying “Your bill is for X; it was X+$20 before I changed it, we are sticking it to the man!!”. This scam can work with absolutely no network access, just a spam email system.
Now, please tell me how much encryption to use inside the network to fix this huge security hole?