They hack smartphones, smart TVs, smart cars and almost every other connected thing in the service of crime. But will cybercrooks actually bother hacking a smart meter? According to one prominent Australian researcher, yes. And they’re not just looking to read your meter.
Two-way electricity meters, now mandatory in Australia, pose a number of security risks to customers and providers alike, according to Nigel Phair from the University of Canberra’s Centre for Internet Safety, who wrote a paper on the subject.
With the Internet of Things projected to have an economic impact of more than $11 trillion per year by 2025, hackers are fighting to breach what may become their most lucrative market yet. The mandatory smart meter rollout in Australia might be just the opportunity they are looking for, Phair says.
“Most of the devices are being built without any inbuilt security around them — and by that I mean password protection and no ability to update what we call the firmware as time goes on so they become safe devices,” Mr. Phair told the ABC.
Hacking into a smart meter is easy, Mr. Phair elaborates in his paper. By monitoring power usage in a home, burglars can learn when it’s safe to rob the place. With a bit more tinkering, they can spread the hack to other appliances in the house, allowing bad actors to control things like the refrigerator, the heater and even the garage door.
The paper references a widely publicized case from 2012 in Puerto Rico where criminals used software readily available on the “underground” internet to hack smart power meters and reprogram them to report less consumption, saving their “clients” up to 75% on their monthly electricity bills. An FBI investigation concluded that “the Puerto Rican electrical and power authority affected lost nearly $400 million in revenues annually as a result.”
But hackers are not the only ones who can leverage this weakness. The report further reveals that it is possible to determine exactly what program is playing on the TV set in a household by analyzing the electricity levels required to play that program. This type of information, Mr. Phair implied, is like music to an advertiser’s ears.
The full paper includes a flurry of details on how this weakness literally opens the door to hackers. However, the key takeaway is that two-way meters are far more prone to hacking than one-way meters, which only relay information back to the provider (whether it’s electricity, gas, or water).
“Two-way meters, where the network can ‘push’ data to the meter, open significant security and privacy issues. Hackers can compromise the smart meter (and where part of a smart-home infrastructure, cause much more damage) causing financial and potentially physical damage for only a very small benefit to the consumer.”
So far, not many incidents of this sort have been reported – the Puerto Rican case being a lone blip on an otherwise almost empty radar. But this is just so far. If history is any indication, as smart meters continue to emerge with weak, hackable software – and no way to receive updates – users will be at an increasing risk of having their homes hacked. Hackers, for their part, will grow bold and find new ways to capitalize on these weaknesses.