Cyber-researcher and self-described hacker Netanel Rubin has warned of serious security vulnerabilities in smart meters which are being rolled out around the world, claiming that in certain circumstances they can be made to explode.
Rubin was speaking at the 33rd Chaos Communication Congress in Hamburg in December 2016.
Describing the devices as “dangerously insecure”, the researcher claims they use weak encryption and protocols, and can be programmed to explode. "An attacker who controls the meter also controls its software, allowing them to literally blow the meter up," said Rubin.
Rubin claims blowing a smart meter up is trivially easy. Where most would argue that a normal fuse could prevent the fire, the researcher is convinced the hardware can be tricked into overheating and as a result exploding.
However, members of the audience accused Rubin of scaremongering once his presentation was over. A Dutch security engineer, who didn't identify himself, said he had been working in security on the Dutch digital grid and asserted that smart meters simply “don't have the components inside them” which could cause such an explosion.
Rubin replied that he is making these dire warnings in order to draw the public's attention to explosions which he alleges have already happened in Ontario, Canada.
SC Media UK was not able to verify such claims, but there are stories online which claim that smart meters do explode, one coming from a local version of US news outlet CBS, which reported that thousands of electricity customers were left without power, sometimes for several days, when a power surge caused their meters to explode.
Rubin also claims that compromised smart meters can be used as a beachhead to attack and take control of other networked devices within the home such as air conditioning units and refrigerators through Home Area Network protocols.
The communications protocols in question are Zigbee and GSM, which Rubin says are easily exploitable. These protocols are often left open, or at best secured with a GPRS A5 algorithm, which has been reported as broken for over five years.
Rubin said: "If an attacker could hack your meter, he could have access to all the devices connected to the meter. The smart meter network in its current state is completely exposed to attackers."
According to Rubin, it is also possible to force all units near a compromised unit to connect to malicious base stations, as smart meters use hardcoded login credentials, known as ‘Access Point Names’.
This gives criminals direct access to the smart meter firmware for exploitation, as he alleges that the network makes no effort to ensure that the device should be connected to it in the first place. To applause from the audience, Rubin declared, "One key to rule them all."
He says these security shortcomings would have been eliminated if proper encryption was used, and the network was segmented instead of being treated as one "giant LAN".
SC Media UK spoke with Smart Energy GB, the voice of the smart meter rollout in Great Britain, and they denied Rubin's claims.
Claire Maugham, director of policy and communications at Smart Energy GB, said: “Smart meters are very secure. They transmit meter readings from the home to an energy supplier, while consumption data is transmitted to a portable in-home display. Smart meters do not determine the load being fed through the meter or the in-home display, and their data is never sent across the Internet.”
Maugham added: “In future, data will be sent across the secure national network built specifically for smart meter data – the DCC.” The DCC is currently up and running, but no smart meters are connected to it.
“Smart meters and infrastructure in place to support the rollout across Great Britain has security at its heart, with encryption and other safeguards in place designed specifically by the government's security experts, GCHQ,” she said.
SC Media UK contacted DCC (which is owned by Capita) for comment. DCC declined to comment except to say it is in charge of implementing the network which supports the rollout and has no influence on which smart meters are deployed nor the security methods used.
The UK's National Cyber Security Centre has released a document which outlines the security guidelines of smart meters in the UK. It has also written at length about assuring smart meters when the government project was initiated.
Likewise Ofgem, the regulator of the UK's energy sector, has written at length about security controls in relation to smart metering systems.
Rubin warned of a sharp increase in the spread of smart meters as billions of dollars are invested by electricity firms looking to better manage their grids in the Middle East, Australia, US and Japan.
“Europe is currently the leader in this,” Rubin explained, as the European Energy Commission aims to replace at least 80 percent of electricity meters with smart ones by 2020, at an estimated cost of €45 billion (£38bn).
Rubin quotes research by IMS Research which says, “100,000,000 smart meters are to be deployed in the next five years”. Rubin said that it is predicted 72 percent of all European citizens will be using ‘smart energy’.
As a consequence, Rubin expects a sharp increase in hacking attempts and is calling on utility companies to "step up" their cyber-security.
OVO Energy and British Gas were contacted for comments but did not respond.