New smart energy meters that are set to be installed in 27 million homes across the UK have been flagged by GCHQ for featuring vulnerabilities that could easily be hacked by criminals to expose millions of Britons to cyber attacks.
Smart energy meters being offered by the government could be hacked by criminals to inflate energy bills, falsify readings, or could be used by hackers to gain access to other smart devices they are connected to.
Last year, the UK's largest energy providers such as British Gas, E.on, Npower, Scottish Power and EDF announced that they were either testing or rolling out SMETS 2 meters, the second-generation smart energy meters that the government wanted to be installed across all 27 million households in the UK.
SMETS 2 smart energy meters solved various problems that both consumers and energy firms faced with first-generation SMETS 1 meters. Unlike the older meters, 8 million of which are already installed in the UK, SMETS 2 could send meter readings electronically to suppliers, thereby saving them from sending employees to every household to check readings.
Secondly, SMETS 2 meters were configured to be universal, with the ability to record consumption and generate readings no matter which electricity or gas supplier was chosen by a consumer. As such, consumers did not need to buy new meters once they change suppliers.
Despite their advantages, the new smart energy meters have now come under fire from the UK's premier intelligence agency for not being secure enough to be installed in millions of homes in a hurry. According to a recent Telegraph report, the GCHQ may have 'raised concerns over the security of the meters, which could enable hackers to steal personal details and defraud consumers by tampering with their bills'.
The report cites several cyber security experts to state that if such meters are made universal, which is basically the government's aim, they will become prime targets for hackers looking to gain access to sensitive details of millions of Britons. if they succeed in hacking into these devices, they will be able to inflate energy bills, falsify readings, or use them to gain access to other smart devices they are connected to.
“This smart meter technology has created a Trojan horse. My understanding is that GCHQ was not best pleased when it realised how insecure these devices could be and is still not happy. The big problem is that the smart meter project is being blindly driven forward by career civil servants who do not have a clue about cyber security and who do not care as the taxpayer is footing the bill," said wireless technology expert Nick Hun to The Telegraph.
Even though the GCHQ is yet to release an official statement about the security of SMETS 2 meters, many cyber security experts agree that the threat is very real. For example, in September last year, security firm Armis revealed the existence of BlueBorne, a new attack vector that was then used by hackers to infect, penetrate and take control over millions of smartphones, laptops and Internet-connected devices.
BlueBorne allowed hackers to stage cyber-attacks by leveraging Bluetooth connections in all kinds of smart devices. An attack could be carried out on a device even if it was not paired to the attacker’s device or was not set on discoverable mode.
BlueBorne traveled in the air and infected devices whose Bluetooth connections were turned on and which featured poor security credentials. Once it penetrated a device, it exploited the high privileges that the Bluetooth process enjoyed on all operating systems to fully control the device. A similar attack vector could easily compromise millions of smart energy meters across the UK, especially if such meters are manufactured by a single vendor.
“IoT devices are attractive to attackers because so many are shipped with insecure defaults, including default administrative credentials, open access to management protocols, and shipping with insecure, remotely exploitable code. A large proportion of embedded systems are rarely if ever updated in order to patch against security vulnerabilities – indeed, many vendors of such devices do not provide security updates at all," says Kirill Kasavchenko, principal security technologist for EMEA at NETSCOUT Arbor.
“With smart meters in particular, they’re a risk to households across the UK for a few reasons. They’re generally always turned on, they mostly reside on residential networks which aren’t monitored for either incoming or outgoing attack traffic, and the networks where they’re deployed increasingly offer high-speed connections.
"Everyone needs to take responsibility for their role in protecting our connected world against criminal activities, which is why all players need to assess how they can make it harder for criminals to exploit devices. From the utilities companies, to the manufacturers of these devices, to consumers – we all need to come together to create a more cyber aware culture," he adds.