At the 28th Chaos Computing Congress (28c3) hacker conference in Berlin, Germany researchers presented a talk titled “Smart Hacking for Privacy” where they looked into the privacy implications of “smart” electricity meters.
In Germany consumers who wish to contract with independent smart meter providers are able to have one installed in their home via a similar style of subscription you might agree to for a free cellular handset from a mobile phone company.
The researchers, Dario Carluccio and Stephan Brinkhaus, signed up with a company called Discovergy to see what type of information these meters collect, whether they were as secure as the company promised and what they might be able to determine from consumption patterns.
Discovergy’s website made three promises about the security of their devices. The web interface to access your consumption data used HTTPS to ensure no one could snoop on your sessions, the data relayed back to Discovergy was encrypted and signed to prevent forged data and that this had all been confirmed by independent experts.
These claims mysteriously vanished from their website before the presentation was delivered on December 30, 2011.
The Discovergy website’s SSL certificate was misconfigured and presented them with an invalid certificate warning, then proceeded to redirect them to an HTTP url where the data and password were transmitted in clear text across the internet.
The web interface only allows customers to see the last three months of data, but because of the insecurity of the communications, they were able to demonstrate that data from the entire life of the device was in fact being stored on Discovergy’s servers.
Since the encryption and signing of traffic was untrue, they were able to intercept the communications using their router and forge incorrect readings back to Discovergy which at one point showed their minimum consumption to be -106610 kWh.
The last concern they expressed was that these smart meters were monitoring their power usage in two-second intervals. They were curious what type of information they could determine about someone with such fine grained measurements.
They tested different appliances to demonstrate the unique signatures their power consumption show on the two second interval graphs. This data could identify when the refrigerator was running, when you may be home or away or even sleeping.
They then looked at electrical usage of plasma, LCD and CRT televisions and could see differences in power consumption based on the brightness levels displayed for different scenes in TV shows and movies.
You can clearly see a discernible pattern of power usage that uniquely fingerprints this film. The researchers conclude that two seconds is a bit intrusive to privacy and unnecessary for the stated goals of the smart meter companies.
During the question and answer period the CEO of Discovergy, Nikolaus Starzacher, stood up and came onto the stage. He expressed his appreciation to the researchers for drawing attention to the problems they found and vowed to resolve them as quickly as possible.
He explained that one of the reasons for using the two second polling interval was to provide services like notifying you if you left the house with the iron or stove on by accident. He promised to make the data collection interval configurable in the future for more privacy conscious consumers.
One of the reason I enjoy conferences like Black Hat, DefCON and Chaos Computing Congress so much is the opportunity for industry to learn from their mistakes and consider the hacker mindset.
It appears the outcome of this talk will be beneficial to the entire smart meter industry, if they are listening, and it appears that Discovergy are taking the feedback to heart.
Want to know more about smart meter privacy? Listen to this podcast where I interview Paul Ducklin about the privacy implications of this research.
(9 January 2011, duration 16:58 minutes, size 12.2 MBytes)
Update: I got my letter today from BC Hydro, the power utility for British Columbia, Canada. They will be installing my smart meter (like it or not) in the next two or three weeks. You can be sure I will be doing some “testing” to see what it is up to.Follow @chetwisniewski