[vz-users] 28C3: SMART HACKING FOR PRIVACY

Steffen Vogel info at steffenvogel.de
Thu Dec 1 15:18:33 CET 2011


A few days ago the schedule (Fahrplan) for this year's Congress was
published. It also lists a talk on the security of smart meters,
"SMART HACKING FOR PRIVACY", which takes a closer look at the
Discovergy / EasyMeter [1].
Here is the abstract in brief:

        Advanced metering devices (aka smart meters) are nowadays being
        installed throughout electric networks in Germany, in other
        parts of Europe and in the United States. Due to a recent
        amendment especially in Germany they become more and more
        popular and are obligatory for new and refurbished buildings.
        Unfortunately, smart meters are able to become surveillance
        devices that monitor the behavior of the customers leading to
        unprecedented invasions of consumer privacy. High-resolution
        energy consumption data is transmitted to the utility company in
        principle allowing intrusive identification and monitoring of
        equipment within consumers' homes (e.g., TV set, refrigerator,
        toaster, and oven) as was already shown in different reports.
        This talk is about the Discovergy / EasyMeter smart meter used
        for electricity metering in private homes in Germany. During our
        analysis we found several security bugs that range from problems
        with the certificate management of the website to missing
        security features for the metering data in transit. For example
        (un)fortunately the metering data is unsigned and unencrypted,
        although otherwise stated explicitly on the manufacturer's
        homepage. It has to be pointed out that all tests were performed
        on a sealed, fully functional device. In our presentation we
        will mainly focus on two aspects which we revealed during our
        analysis: first the privacy issues resulting in even allowing to
        identify the TV program out of the metering data and second the
        "problem" that one can easily alter data transmitted even for a
        third party and thereby potentially fake the amount of consumed
        power being billed. In the first part of the talk we show that
        the analysis of the household’s electricity usage profile can
        reveal what channel the TV set in the household is displaying.
        We will also give some test-based assessments whether it is
        possible to scan for copyright-protected material in the data
        collected by the smart meter. In the second part we focus on the
        data being transmitted by the smart meter via the Internet. We
        show to what extent the consumption data can be altered and
        transmitted to the server and visualize this by transmitting
        some kind of picture data to Discovergy’s consumption data
        server in a way that the picture content will become visible in
        the electricity profile. Moreover, we show what happens if the
        faked power consumption data reflects unrealistic extremely high
        or negative power consumptions and how that might influence the
        database and service robustness.


Best regards

Steffen


[1]
http://events.ccc.de/congress/2011/Fahrplan/track/Hacking/4754.en.html


-- 
Steffen Vogel
Robensstraße 69
52070 Aachen

Mail: info at steffenvogel.de
Web: http://www.steffenvogel.de
Jabber: stv0g at jabber.ccc.de
ICQ: 236033
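
Added example, not part of the original mail, the talk, or any vendor's code: a sketch of the server-side checks whose absence the abstract describes, namely authenticating each reading with a per-meter HMAC, rejecting replays, and refusing negative or extreme values before they reach the database. The message format, the meter ID, the key and the plausibility ceiling are all assumptions made for illustration; this covers integrity only, confidentiality in transit would still need an encrypted channel such as TLS.

```python
import hashlib
import hmac
import json

# Assumed ceiling for a household connection: three phases at 63 A, 230 V.
# Assumes a consumption-only meter (no feed-in), so negative values are invalid.
MAX_PLAUSIBLE_WATTS = 3 * 63 * 230


def sign_reading(key: bytes, meter_id: str, seq: int, watts: int) -> dict:
    """Meter side: serialize the reading canonically and attach an HMAC-SHA256 tag."""
    body = {"meter_id": meter_id, "seq": seq, "watts": watts}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


class ReadingVerifier:
    """Server side: check authenticity, freshness and plausibility before storing."""

    def __init__(self, keys: dict):
        self.keys = keys        # meter_id -> per-meter secret key (hypothetical store)
        self.last_seq = {}      # meter_id -> highest sequence number accepted so far

    def accept(self, message: dict) -> tuple:
        try:
            payload = message["payload"].encode()
            body = json.loads(payload)
            meter_id, seq, watts = body["meter_id"], body["seq"], body["watts"]
            key = self.keys[meter_id]
        except (KeyError, ValueError, TypeError, AttributeError):
            return (False, "malformed")
        # Verify the tag over the exact bytes received, in constant time.
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(message.get("tag", "")).encode()):
            return (False, "bad-signature")
        # A strictly increasing sequence number blocks replay of old readings.
        if not isinstance(seq, int) or seq <= self.last_seq.get(meter_id, -1):
            return (False, "replayed")
        # Even correctly signed data is range-checked before it is stored.
        if not isinstance(watts, int) or not 0 <= watts <= MAX_PLAUSIBLE_WATTS:
            return (False, "implausible")
        self.last_seq[meter_id] = seq
        return (True, "ok")
```
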