The TV show “America Now” actually raised a few questions about smart meters.
It seems innocent enough. It makes no noise.
Your utility meter just churns away at the side of your home, but the information it’s cranking out has computer science graduate students at the University of South Carolina talking.
“They’re not widely deployed, so we wanted to study what type of utility meters are deployed now,” said Wenyuan Xu with the USC Department of Computer Science. “Are they secure?”
Most are AMR or Automatic Meter Reading.
SCE&G uses more than 570,000. Their website claims it’s simple. Wirelessly, they send usage data to a truck riding through neighborhoods, using what they claim are secure radio frequencies.
How much data?
“They actually send out a consumption reading once every 30 seconds,” said Xu. “So that’s kind of a lot of data. If someone is peeking on you once every 30 seconds, I wouldn’t feel comfortable about that.”
Wanting to know more, students went to Google. They didn’t get far.
“How do they communicate? Is there any standard?” asked Xu. “It turns out they all use proprietary communications, protocol.”
Meaning the details are hidden. The students didn’t stop, eventually getting a meter and creating their own receiver.
“Let’s just go out, use our device and capture some packets and try to figure out what they mean,” said Xu.
That’s exactly what they did, hiding in bushes outside homes.
“One of my student’s neighbors was not happy about that,” said Xu. “[She] came and said, ‘What are you guys doing? I have kids that live here.'”
She should be concerned. In a short time, students captured “secure” information and moved on to another part of town.
“So we actually did set up an eavesdropper, or a sniffer, tried to find out how many meters we can receive,” said Xu. “So at one single spot we were able to receive almost 500 meter readings.”
They gathered information from several homes over a week, randomly picked one house, and easily learned details of the owners’ lifestyle.
“We found out that the owner has a job, because he left home at 9:00 a.m. every day, came back home at 6:30 p.m. and weekday consumption pattern is totally different from weekend consumption pattern,” said Xu.
Different enough to give any cunning thief a good idea of when to break in. They also could manipulate the numbers, inflating a neighbor’s bill.
“Maybe you can even tell the utility company, ‘Oh you owe me money, actually I supplied utility electricity to the power grid,'” said Xu.
Using a louder signal, they drowned out the signal coming from the meter.
“Our handheld meter was fooled by our system,” said Xu. “That was a little bit surprising to us.”
It’s easy if you’ve got a little bit of knowledge in computer science. Easy, because we discovered the utility companies aren’t protecting your personal information.
“The meters should have been designed that all the transmissions should have been encrypted,” said Xu. “No personal information should be sent out in plain text.”
Xu says it’s scary, but at the same time notes that any person who designs wireless systems should remember to encrypt everything.
USC shared what they found with the utilities.
“We talked with utility companies,” said Xu. “They’re aware of the issue. We hope they can fix the problems soon.”
A statement received from one company read:
“We realize that information security is top of mind with a lot of folks here in South Carolina these days. I can assure you there is no risk whatsoever of the personal information of our customers – names, addresses, social security numbers, etc. – being compromised through our use of automated meter reading technology.”
When we raised questions about gaining access and being able to tell that no one was home, they had this to say:
“It might also suggest that someone simply turned off the TV and the computer and is quietly nestled up reading a book or a magazine.”
Students know it could be costly for utility companies to fix systems already installed either with new meters or by changing the system’s software or firmware, they but worry without encryption that information could be compromised.
In the US alone, 1,000 private and public utility companies have or are implementing AMR systems. They say it improves the quality of work, making them more efficient.