Researchers reveal vulnerability of smart meters to hacking

Out-Law News | 17 Oct 2014 | 3:29 pm | 1 min. read

Security researchers investigating smart meters widely used in Spain have said the devices can be hacked to under-report energy use.

The researchers told the BBC that “poorly protected credentials” inside the meters could allow attackers to take control of the devices.

The claims come as an increasing number of utilities are installing smart meters to help customers monitor and manage their power use and help them be more energy efficient.

Independent research Javier Vidal, who with Alberto Illera discovered the smart meter flaws, told the BBC: “We took them apart to see how they work. We suspected there could be some issues with them and we wanted to check. We feared the security would be easy to break and we confirmed that.”

According to the researchers, it was possible to “fool” the equipment into transmitting false data. The researchers did not name the Spanish utility deploying the meters, but said they had informed the company of their findings and work is under way to “close loopholes”.

Smart metering expert Chris Martin of Pinsent Masons, the law firm behind Out-Law.com, said: “The issue of system integrity and security is high on the agenda of those responsible for managing the UK’s roll-out of smart meters. The Department of Energy & Climate Change (DECC) has consulted widely on this issue and significant thought has been given to the issue as part of the development of the technical specification of the smart meters to be rolled out in the UK.”

Martin said: “Energy suppliers will be subject to a licence obligation giving them responsibility for taking steps to ensure that the end-to-end smart metering system is secure. This includes the devices installed in the homes of consumers. It is proposed that an industry security sub-committee will be established to monitor security arrangements and develop them to reflect the changing risk landscape.”

However, Martin said: “Whilst the risk is recognised and taken seriously, the bottom line is that these devices will be outside the direct physical control of DECC and the suppliers. It is an open question as to whether or not the proposed safeguards will be up to the challenge of minimising the risk posed by an ever-evolving cyber security threat, which ultimately has the potential to affect not only consumers, but also our national energy infrastructure.”