Dario Carluccio and Stephan Brinkhaus said they intercepted information sent between their smart meter devices and the servers of their energy supplier – German company Discovergy. Because the data was unencrypted the researchers said they were able to analyse the information, which they said was sent at two second intervals, and determine intimate details about their energy consumption.
The researchers said the information could be used to establish details such as when houses are occupied, what appliances are being used and even what TV programme is being shown, because of the traits in energy use that the smart meter data reveals.
Smart metering technology is due to be installed across the UK from 2014 with every UK household expected to have the technology by 2019. Smart metering enables a two-way flow of electricity and information that allows real-time information about demand for energy to inform the level of supply needed to meet that demand in a near-instantaneous fashion. The Government has said smart metering will slash unnecessary energy use, reduce emissions and cut consumers' energy bills.
In a presentation called 'Smart Hacking for Privacy' at the 28th Chaos Computing Congress in Berlin, the researchers said that Discovergy's smart meter system did not need to monitor energy consumption at two second intervals.
"Unfortunately, smart meters are able to become surveillance devices that monitor the behaviour of the customers leading to unprecedented invasions of consumer privacy," the researchers said in a statement prior to the presentation. "High-resolution energy consumption data is transmitted to the utility company in principle allowing intrusive identification and monitoring of equipment within consumers' homes (e.g., TV set, refrigerator, toaster, and oven)".
"During our analysis [of the Discovergy smart meter system] we found several security bugs that range from problems with the certificate management of the website to missing security features for the metering data in transit. For example (un)fortunately the metering data is unsigned and unencrypted, although otherwise stated explicitly on the manufacturer's homepage. It has to be pointed out that all tests were performed on a sealed, fully functionally device," they said.
Nikolaus Starzacher, chief executive of Discovergy, responded to the researchers' presentation and insisted that the company's "main motivation" for collecting smart meter data so frequently was "to help individual consumers to reduce their energy use".
The information was not used to find out what people watched on TV "but to see whether you have an old fridge or old washing machine or whether you forgot to turn off the light or iron," Starzacher said.
"Our product is voluntary so ... you opt in if you become a customer. We will also give you the opportunity to opt out from this data collection," he said.
The researchers had claimed that they were able to send false details about their energy consumption back over the unencrypted Discovergy network. This could allow consumers to "potentially fake the amount of consumed power being billed".
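The gap the researchers describe, readings that are neither signed nor encrypted, is what lets altered consumption figures be accepted by the supplier. The following is an added example, not code from the article or from Discovergy's system, of a collector that authenticates each reading with HMAC-SHA256 and a per-meter counter; the key, meter id and message fields are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real meter would hold its key in protected storage.
METER_KEYS = {"meter-001": b"constructed-demo-key"}


def _canonical(meter_id, counter, watt_hours):
    """Serialise fields in a fixed order so both sides MAC identical bytes."""
    fields = {"meter": meter_id, "ctr": counter, "wh": watt_hours}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(key, meter_id, counter, watt_hours):
    """Meter side: attach an HMAC-SHA256 tag to one reading."""
    tag = hmac.new(key, _canonical(meter_id, counter, watt_hours), hashlib.sha256)
    return {"meter": meter_id, "ctr": counter, "wh": watt_hours, "tag": tag.hexdigest()}


class Collector:
    """Server side: accept a reading only if it is authentic and fresh."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # meter id -> highest counter accepted so far

    def accept(self, msg):
        key = self.keys.get(msg.get("meter"))
        if key is None:
            return "reject: unknown meter"
        if not all(k in msg for k in ("ctr", "wh", "tag")):
            return "reject: malformed"
        body = _canonical(msg["meter"], msg["ctr"], msg["wh"])
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak tag prefixes.
        if not hmac.compare_digest(expected.encode(), str(msg["tag"]).encode()):
            return "reject: bad tag"
        # A valid tag on an old counter is a replay of a captured message.
        if msg["ctr"] <= self.last_counter.get(msg["meter"], -1):
            return "reject: replayed or out of order"
        self.last_counter[msg["meter"]] = msg["ctr"]
        return "accept"


def demo():
    server = Collector(METER_KEYS)
    genuine = sign_reading(METER_KEYS["meter-001"], "meter-001", 1, 1520)
    forged = dict(genuine, wh=20)  # consumption lowered in transit, tag unchanged
    return [server.accept(genuine), server.accept(forged), server.accept(genuine)]
```

This covers integrity and replay only; keeping the readings private in transit still requires an encrypted channel.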
Energy law expert Chris Martin of Pinsent Masons, the law firm behind Out-Law.com, said that the very granular nature of the data collected through smart metering means that privacy and data security issues are high on the UK Government’s agenda. He said putting “technical security measures” in place to prevent smart meter data being inappropriately accessed is vital to the successful operation of the technology.
Strict restrictions over how data is controlled and used will also be in place, Martin said. The details of such arrangements are still under consultation in the UK, but indications are that consumers will need to give their “explicit consent” before smart meter data can be further processed beyond what is necessary for the fulfilment of energy suppliers’ licensed purposes, essentially billing and settlement purposes, he said.
"Privacy and information security is one of the biggest issues up for discussion in the UK at the moment," he said. "It is the granularity of the data that smart meters can collect and the security of the system over which that data will be communicated and on which it will be stored that is causing concern."
"The data can reveal much about a household, such as the make and model of their TV, the times during which a house is occupied and the number of people staying in a household. This information is useful to energy suppliers but it is also potentially valuable to a whole host of other organisations too," Martin said.
"On the one hand the Government is keen that smart meter data is used to its full potential to help reduce energy consumption. This may involve organisations having access to consumers’ smart meter data to help them manage their energy consumption and select the correct energy supplier and tariff," he said. "On the other hand the Government has taken on board a number of the concerns of the UK privacy lobby over smart metering and is well aware of the privacy and data security issues around the collection and use of the data."
"Energy companies are likely to need consent to process customer data for any purposes other than to deliver its service or calculate billing. The Government very much sees the individual consumer as the ‘owner’ of any smart meter data collected from his or her home," he said.
"Of course, the issue of unauthorised access to data, which seems to have been the problem in the Discovergy case, is less to do with privacy regulation and more to do with the technical safeguards that are implemented on the smart metering system," said Martin. "Robust technical security measures will need to be in place, not only within the smart metering system, but also on the systems and networks of any third parties who are given the right to access and use smart metering data."
"Any specific smart metering privacy and data security requirements implemented by law or regulation in the UK will sit alongside the existing data protection and privacy laws that are administered by the UK Information Commissioner. These laws will apply to the collection and use of data, including personal data, using smart meters," he said.
Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, told Out-Law.com that the Government's smart meter plans are "set to become another public sector IT disaster".
In a joint paper, Anderson and fellow academic Shailendra Fuloria previously outlined (6-page / 119KB PDF) what he believes is a "strategic vulnerability" in how smart metering operates. He said if hackers were able to break into a "head-end" hub where smart metering data might be collated they could cut the supply of energy across "tens of millions of households".
The reliance on software and applets to deliver smart metering successfully also exposes the technology to risks that those aspects of the systems could be hacked and tampered with, Anderson said. The way the 'keys' to this technology work, and who has access to that information, must be openly scrutinised by as many "eyeballs" as possible prior to being introduced to minimise the risk of attack, he said.
"The introduction of hundreds of millions of these meters in North America and Europe over the next ten years, each containing a remotely commanded off switch, remote software upgrade and complex functionality, creates a shocking vulnerability," Anderson said.
"An attacker who takes over the control facility or who takes over the meters directly could create widespread blackouts; a software bug could do the same," he said. "Regulators such as NIST and Ofgem have started to recognise this problem. There are no agreed solutions as yet ... possible strategies include shared control, as used in nuclear command and control; backup keys as used in Microsoft Windows; rate-limiting mechanisms to bound the scale of an attack; and local-override features to mitigate its effects."