For a utility that’s in the process of installing smart meters, there are probably few things more terrifying than the simulation of a smart meter worm that IOActive’s Mike Davis showed off at the annual security conference Black Hat on Thursday. During Davis’ presentation, he showed how he and his team at the security consulting firm created a simulation in which over a period of 24 hours about 15,000 out of 22,000 homes had their smart meters taken over by a worm that could render the device under the control of the worm’s designers.
Davis showed off a time-condensed version of the simulation using an overlay on Google Earth. At the beginning of the simulation there were 22,000 green pins on the image of the satellite map to signify actual plotted address in a metropolitan area; after the introduction of the smart meter worm, the majority of the pins quickly turned a shade of red, rapidly spreading from the point where the worm was introduced. The image was reminiscent of the introduction of infectious diseases and Davis said in a real world scenario the rate of the spread of the worm could be slower or faster considering a variety of technical conditions.
Davis said the reason that the he could so easily hack and spread the worm in the simulation was because there was a fundamental design flaw in the specific meter model itself, though Davis wouldn’t name any individual manufacturers. Among other things, the meter he took over didn’t have the proper data encryption and didn’t know the difference between the meter next to it in the network or a device that was intended to wirelessly upgrade its software. “The guys that built this meter had a short term view of how it would work,” Davis said.
The manufacturer used in the simulation didn’t take kindly to being told their security wasn’t up to snuff. Davis explained to the audience how when he told the manufacturer about the capabilities of the worm simulation, the first response from the meter maker was: “that’s impossible, our meters can’t spread something like that.” When Davis told them he had personally done this in his company’s security lab, the next response from the meter maker was: “how can you even access our meters,” to which Davis says he explained he bought it on eBay.
