Smart meters, dumb security? Hacking the Internet of Things


This post was originally published on October 23, 2014.

According to the UK’s Department of Energy and Climate Change, almost 100,000 smart meters were installed in homes through the second quarter of 2014 — in Spain, millions of these energy monitoring devices are on tap to be installed by 2018. As noted by a recent BBC article, however, leveraging the Internet of Things (IoT) isn’t without risk: despite their “smarts”, meters and other types of home automation technology can easily be hacked.

Home Sweet Home?

Independent researchers Javier Vidal and Alberto Illera took apart a smart meter to see if it could be compromised. They discovered encryption keys buried in the device’s firmware that were used to communicate with “nodes” further up the power distribution system. With the keys and a meter’s unique ID number in hand, Vidal and Illera found they could send false messages to the power company, either under or over-reporting the amount of energy used. They also warned that it might be possible for criminals to spoof user IDs and avoid paying altogether, or even cut off power to specific homes. The pair took their findings to the manufacturer, who is now working to solve the problem.

But as Kaspersky Lab analyst David Jacoby discovered, smart meters aren’t the only connected machines at risk in your home. In August, Jacoby attempted to hack devices in his house and found that “two popular network-attached storage (NAS) devices contained more than 14 vulnerabilities that could enable remote system command execution under the highest administrative privileges.” In addition, passwords for the devices were both weak and unencrypted, providing an easy way for attackers to install malicious tools or perform attacks on his home network. Jacoby’s DSL router and smart TV were also vulnerable: the router had hidden functions named “web cameras” and “access control,” while the television didn’t use authentication or encryption when downloading content such as thumbnails or widgets, making it susceptible to man-in-the-middle (MitM) attacks.

On the Road Again

If connected devices in your home are under siege, you can always escape by jumping in the car and driving off into the sunset, right? Unfortunately not. The Economist notes that “modern cars are essentially a collection of computers on wheels,” and researchers have already shown that it’s possible to hack these systems and take control. The possibilities range from minor annoyances such as changing the radio station or adjusting the temperature to more dangerous activities like wrenching the wheel to one side or cutting power to the engine. Luckily, most of these attacks require direct access to the car itself, but the speed of IoT adoption is starting to outpace even this kind of physical security.

And yes, it gets worse. Security expert Jay Radcliffe found it was possible to hack his wireless insulin pump and change the amount of insulin administered, effectively making him a target for a kind of wireless murder. Billy Rios of security firm Qualys says “there are just super simple flaws in some medical devices.”

Back to the Stone Age?

It’s not all doom and gloom — companies tend to be receptive when researchers discover flaws, and many obvious issues with wearable and connected home IoT devices have already been remedied. But what can end users do to limit risk?

One option is to pass on IoT altogether, but with governments rushing to wirelessly connect critical infrastructure and monitor domestic power usage, this will get progressively more difficult. Part of the solution comes from social pressure: users must demand that the devices they use come with built-in security that never skips encryption or offers administrative backdoors. For enhanced control, take charge of your own connection — at home and on your mobile devices, opt for a fully encrypted, anonymous connection that effectively hardens your home against attackers. They’re looking for an easy way in through “dumb” meters or not-so-smart televisions; make it difficult and they’ll go somewhere else.

The Internet of Things offers real benefits for homes, vehicles and even medical devices, but when personal data meets wireless connections, things can get complicated. Keep it simple — stay protected.

Johnny 5 is the founding editor of the blog and writes about pressing technology issues. From important cat privacy stories to governments and corporations that overstep their boundaries, Johnny covers it all.