Two German researchers have demonstrated security flaws in smart meters provided by the German utility Discovergy. Dario Carluccio and Stephan Brinkhaus, who presented their findings in a talk titled Smart Hacking for Privacy at the Chaos Computing Congress in Berlin, were prompted to look into the meters after they learned that energy consumption data was being sent unencrypted because the Secure Sockets Layer (SSL) was malfunctioning, so the data travelled to the utility’s servers over an insecure link. As a result, Carluccio and Brinkhaus were able to intercept traffic that revealed personal information.
The security problem is caused by Discovergy’s monitoring frequency, the researchers explain. The smart meters log homeowners’ electricity usage at two-second intervals, which Carluccio and Brinkhaus consider intrusive because of how much that data reveals. From the fingerprint of power usage they were able to tell whether the homeowners were home, out, or asleep, and even which movie they were watching on TV. The readings were retrieved through HTTP GET requests.
Flaws in Discovergy’s Web interface also allowed Carluccio and Brinkhaus to send back rigged meter readings to Discovergy and to tap into the utility’s servers where they obtained a full record of all the information collected by a home’s smart meter.
Discovergy’s chief executive officer, Nikolaus Starzacher, attended the presentation in Berlin and told the audience the security issues would be fixed as quickly as possible. Starzacher defended the two-second intervals, explaining that the reasoning behind them was to provide services such as notifying homeowners if they accidentally left an iron plugged in or a stove turned on. But in light of the researchers’ findings, Starzacher said the data collection interval would be made configurable and customers would have the option to disable the relay feature.
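The two-second fingerprint described above and the configurable-interval fix Starzacher promised are two sides of the same control. As an added example (not the researchers' or Discovergy's code, and built on a constructed one-hour load trace rather than real meter data), this Python script shows how averaging readings over a 15-minute window blurs the appliance on/off steps that a two-second trace exposes, which is the privacy argument for a coarser reporting interval.

```python
from statistics import mean

BASE_WATTS = 120.0   # constructed standby load of the household
PERIOD_S = 2         # the two-second interval reported in the article

# Constructed appliance activity: (start_s, end_s, watts). Not real data.
EVENTS = [(600, 780, 2000), (2000, 2600, 800)]


def build_trace(seconds, events, base=BASE_WATTS, period=PERIOD_S):
    """Constructed meter trace: one power reading every `period` seconds."""
    trace = []
    for t in range(0, seconds, period):
        load = base + sum(w for start, end, w in events if start <= t < end)
        trace.append(load)
    return trace


def aggregate(trace, interval_s, period=PERIOD_S):
    """Mitigation: report only the mean load over each `interval_s` window."""
    n = interval_s // period
    return [mean(trace[i:i + n]) for i in range(0, len(trace), n)]


def detect_steps(readings, step_s, threshold_w):
    """Return (time_s, delta_w) for every jump between consecutive readings
    larger than threshold_w: the on/off transitions an observer could see."""
    steps = []
    for i in range(1, len(readings)):
        delta = readings[i] - readings[i - 1]
        if abs(delta) > threshold_w:
            steps.append((i * step_s, delta))
    return steps


def compare(interval_s=900, threshold_w=500):
    """Steps visible at 2-second resolution versus after aggregation."""
    fine = build_trace(3600, EVENTS)
    coarse = aggregate(fine, interval_s)
    return (detect_steps(fine, PERIOD_S, threshold_w),
            detect_steps(coarse, interval_s, threshold_w))


if __name__ == "__main__":
    fine_steps, coarse_steps = compare()
    print("2 s readings reveal:", fine_steps)       # exact on/off times and wattage
    print("15 min averages reveal:", coarse_steps)  # smeared, mistimed, smaller
```

At two seconds every switch-on and switch-off appears with its exact time and wattage; after 15-minute averaging the 2000 W event vanishes below the threshold and the remaining jumps land on window boundaries, not on the real event times.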