Smart meters in your home are a target for hackers, says UBC researcher

    1 of 1 2 of 1

      Smart devices, tech companies suggest, are vital to powering the future. A number of items and accessories are now being built so they can connect to the internet, with objects such as fridges gaining the ability to sense products inside it and track how well-stocked it is, and door locks being designed to monitor who enters and leaves your home. Together, these digital pieces make up a network called the Internet of Things (IoT).

      One object that’s become a regular sight in Canadian homes is the smart electricity meter. As well as having the ability to allow energy utilities to efficiently track usage and allocate energy production, they’re also a boon to consumers, making it easy to see how much power they’ve drawn.

      Because those smart meters are linked to both other IoT devices and connected to a grid, however, UBC cybersecurity researcher and associate professor Karthik Pattabiraman suggests that they can serve as back doors for ill-intentioned hackers.

      “In a single household you can have multiple smart devices connected to electricity through a smart meter,” says Pattabiraman. “If someone took over that meter, they could deactivate your alarm system, see how much energy you’re using, or rack up your bill. In 2009, to cite one real-life example, a massive hack of smart meters in Puerto Rico led to widespread power thefts and numerous fraudulent bills. Hacked meters can even cause house fires and explosions or even a widespread blackout.”

      Unlike remote servers, smart meters are much more accessible to hackers because they are user-facing. Attackers can carry out an assault with equipment that costs less than $50 online, and doesn’t require any specialized training. As a result, each device must be carefully secured—and Pattabiraman believes he’s found the best way to do it.

      “Smart meters are vulnerable to what we call software-interference attacks, where the attacker physically accesses the meter and modifies its communication interfaces or reboots it,” he says. “As a result, the meter is unable to send data to the grid, or it keeps sending data when it shouldn’t or performs other actions it wouldn’t normally do.

      “My PhD student and I developed an automated program that uses two detection methods for these types of attacks,” he continues. “First, we created a virtual model of the smart meter and represented how attacks can be carried out against it. This is what we call design-level analysis. Second, we performed code-level analysis. That means probing the smart meter’s code for vulnerabilities, launching a variety of attacks on these vulnerabilities.”

      Both techniques were successful in discovering attacks on the system, but Pattabiraman determined that code-level analysis was more efficient and more accurate in rooting out the hacks—a conclusion that he hopes will  be passed on to vendors. Those who design the systems, he says, can use the findings to build in security from the manufacturing process, making smart meters much harder to crack.

      In the meantime, it's recommended that consumers set up strong passwords for any IoT-connected devices, make sure all software updates have been installed, and disable any features like remote access that the user doesn't need.

      Kate Wilson is the Technology Editor at the Georgia Straight. Follow her on Twitter @KateWilsonSays