Michigan GREEN - The Offense: Smart Meter + Slot Machine Security

January 06, 2010

When Tommy Carmichael -- the world's greatest slot machine cheat -- wanted to illegally coax coins out of Las Vegas slot machines, his first step was to get his hands on the machine he wanted to cheat. He was successful at beating the best electronic security that slot machine engineers could design and milked hundreds of thousands of dollars before he got arrested.

Coincidentally, Las Vegas was the scene last July where the supposed security flaws of smart meters were unmasked. That event still has meter makers, utilities, standards organizations and federal regulators talking or hard at work improving security.

At the Black Hat security conference, Mike Davis, a senior security consultant for IOActive, demonstrated how his security team simulated the hacking of 16,000 out of 22,000 smart meters over a 24-hour period. They used a worm, a software patch, that gave IOActive the control to turn power on and off at one-second intervals at 16! ,000 homes.

"We could have put anything in that worm we wanted as a payload," said Davis. "We did not have enough room in the smart meter to fit our code so we had to dump some functionality out for our worm to work. The functionality we dumped was the ability to wirelessly update the devices. That would have locked out the utility from wirelessly updating the devices."

Like Tommy Carmichael, IOActive had to get its hands on a meter before starting to compromise it. In 2008, the first meters they examined came via a penetration test for a utility. "This is how we initially found some vulnerability," Davis explained. Later, IOActive bought different models on eBay, and got others by dumpster diving at the back of utility meter shops. The discarded meters provided all they needed -- radio communications and firmware. Since Black Hat, Davis no longer sees smart meters on eBay and noticed that defective units are now being sent to secure recycling facilities.

"As much as I'd like to say I am a professional, I'm really a geek at heart. I'm only in it to play with the toys," Davis admitted. IOActive used two smart meters to build the worm and it did not take expensive equipment. Davis confessed that the most valuable tool he used cost $200, a JTAG interface.

Davis reflected on industry reactions since Black Hat. "I'm sure someone inside our company assumed that if we are talking about this we would be the go-to guys for this particular issue. A lot of the feedback we got was that we were not telling the truth about the vulnerabilities, or no meter vendor would ever release their devices without encryption enabled, or even if this were possible, the propagation rate of the worm would be so slow that it would not matter. When our research hit the news it was about the same time the stimulus package came out with funding for meters. People acknowledged us, but no one really wanted to work with us. They just wanted to get! their product out."

Of course, a malicious hacker would only have to rip a meter off a house to get started. And what could a criminal or terrorist with reverse engineering skills do? One feature in many devices is a remote disconnect that allows the utility to wirelessly disconnect an individual meter from the grid. "The nature of the worm we demonstrated is the danger that we were able to propagate it without the need for the utility. If we propagated it to hundreds of thousands of meters, we would have the ability to disconnect those," Davis said.

Hopping Mad

Because meters are wirelessly linked by radio frequency with a one- to two-mile range, worms or disabling viruses could hop from service area to service area on interoperable metering systems.

What are the consequences of hundreds of thousands without power? Someone would have to figure out how the meters are being exploited, create and test a corrective patch and, if firmware is ! compromised, individually deploy patches to every affected household. "We will continue our research as soon as I get my hands on another device. These devices were made to be sensors, not security devices, and that's what we are seeing in the state of hardware security everywhere, except for devices like XBox, or PlayStation(R) where they really care about tampering," Davis concluded.

But the major meter manufacturers are improving security. Philip Mezey, North American senior vice president and COO for Itron, had this to say: "Security of advanced metering and smart grid networks is very much something that Itron and the utility industry has taken, and will continue to take, seriously."

Respond to the editor.
Mike Breslin