Hacking water meters is easier than it should be

The smarter water meters become, the easier they are to hack. Like many electronic devices, water meters become easier for hackers to break into and misuse when they are upgraded with wireless and computer technology.

John McNabb, a security expert who has focused on protecting drinking water, told the audience at the Defcon hacker conference in Las Vegas today that, despite a $40 billion water economy, it’s still far too easy to hack into water meters used by utilities around the country. He concluded that the nation’s 150,000 water utilities have a number of well-known vulnerabilities to cyber attacks and that they should fix them on behalf of the 250 million consumers they serve.

“The energy theft when it comes to water theft is billions of dollars a year,” McNabb said. “Electric utilities assume they use about 10 percent losses to theft each year. Water could be similar, and it winds up increasing the rates for others.”

Lots of water meters are still mechanical devices. Water companies lose revenue when those meters get old and sediment builds up in them so that they measure lower water usage. Utilities have started to put in wireless water meters that are easier to read and less costly. For instance, some meters broadcast a wireless signal so that a meter reader can simply drive by, detect the signal, and record it electronically. That reduces the cost of reading meters. Here’s McNabb’s white paper on the topic.

Adding computer technology throughout the infrastructure helps bring down costs. It’s easier for utilities to monitor usage on any given day and send bills more frequently. They can also detect water leaks more precisely, based on water usage patterns throughout the population. Water meters with wireless attachments can become sensors for the utility and two-way communications systems. Utilities can also resolve billing disputes better, provide more customer service, enforce water conservation, and identify illegal water connections.

Smart water meters are the new thing. The smart water meter market is expected to total $4.2 billion between 2010 and 2016, according to market researcher Pike Research. And Pike predicts that the worldwide installed base of smart water meters will increase from 5.2 million in 2009 to 31.8 million by 2016. The market researcher defines a smart meter as a component of a smart grid, with two-way communications between the meter and the water utility that allows the utility to get readings on an hourly (or more frequently) basis and issue commands to the meter. California in particular is racing ahead in deployment, and 25 manufacturers are making the smart meters now.

“It’s like an electronic cash register for the utility,” McNabb said. “But it could also be a tool for Big Brother,” a reference to the totalitarian figurehead of George Orwell’s novel, 1984.

The problem with the wireless water meters is that they are vulnerable because of the wireless medium they use. Communications are not encrypted (largely due to higher costs) and so they are easily intercepted, faked or even jammed. The sensors are unattended and hang on the meter, outside the house, and so they are easily tampered with. The cyber attacks against them can be active, where commands are issued to them, or passive, where the data is taken.

If people want to reduce their water bills, they could hack the sensors. They could also increase the bill paid by a neighbor they don’t like, or evade restrictions on the amount of water used. And since the usage of water indicates the presence or absence of the homeowner, the hacked water meters can be used for surveillance purposes.
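Faked and replayed readings of the kind described above are what message authentication is meant to stop. The following is an added example, not code from McNabb's talk or from any vendor's protocol: a utility-side check that rejects forged, altered and replayed meter frames using a per-meter key and a counter. The frame layout, keys and meter IDs are hypothetical, and the check does not hide readings from eavesdroppers, which requires encryption.

```python
import hmac
import hashlib
import struct

# Hypothetical frame layout (not any vendor's format):
# meter_id (4 bytes) | counter (4 bytes) | litres (4 bytes) | tag (16 bytes)
HEADER = struct.Struct(">III")
TAG_LEN = 16

def build_frame(key: bytes, meter_id: int, counter: int, litres: int) -> bytes:
    """Meter side: serialize a reading and append a truncated HMAC-SHA256 tag."""
    body = HEADER.pack(meter_id, counter, litres)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class ReadingVerifier:
    """Utility side: accept a frame only if it is authentic and fresh."""
    def __init__(self, keys: dict):
        self.keys = keys          # per-meter secret keys, provisioned at install
        self.last_counter = {}    # highest counter accepted so far, per meter

    def accept(self, frame: bytes):
        if len(frame) != HEADER.size + TAG_LEN:
            return None, "malformed"
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        meter_id, counter, litres = HEADER.unpack(body)
        key = self.keys.get(meter_id)
        if key is None:
            return None, "unknown meter"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"    # forged or altered reading
        if counter <= self.last_counter.get(meter_id, -1):
            return None, "replay"     # previously seen frame sent again
        self.last_counter[meter_id] = counter
        return litres, "ok"

# Constructed sample data: two meters with 128-bit keys
KEYS = {1001: b"k" * 16, 1002: b"n" * 16}
genuine = build_frame(KEYS[1001], 1001, 1, 5230)
lowered = HEADER.pack(1001, 2, 100) + genuine[-TAG_LEN:]  # edited body, old tag
forged = build_frame(KEYS[1001], 1002, 1, 999999)         # signed with wrong key

if __name__ == "__main__":
    v = ReadingVerifier(KEYS)
    for name, frame in [("genuine", genuine), ("resent", genuine),
                        ("lowered", lowered), ("forged", forged)]:
        print(name, v.accept(frame))
```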

Last year, Greek hacker Thanassis Giannetsos demonstrated how it was possible to introduce a worm to the smart electrical grid (similar to water grids) on a simulated network. IOActive, a security penetration testing firm, also did something similar. But McNabb said that the concern about Big Brother is also a big one. He said that the water department’s staff could learn what time of day you take a shower, when you are at home, and when you’re on vacation.

“Are we being paranoid?” McNabb asked. “It’s already established that law enforcement is using electricity use and thermal imaging,” where the heat generated by indoor marijuana-growing farms has been measured.

McNabb also noted that the Hydrosense device created by researchers at the University of Washington in Seattle can be attached to water faucets to determine the usage coming out of a particular fixture in the home.

McNabb said his research showed that vendors don’t use frequency hopping spread spectrum (FHSS), which could stop eavesdropping on wireless signals, or encryption with their smart meters. One utility used a default password system which used a generic password on its web site (where users would log in and view their water usage) that was easily hacked. Transceivers for sending commands to the water meters can be purchased on eBay.

But some manufacturers are starting to build 128-bit encryption and spread spectrum security into their meters. McNabb, who was an elected water commissioner and managed a small water system for 13 years, described the vulnerabilities in some detail, including how to inexpensively “sniff” the wireless water meter readings, and has described them in a white paper. He said he will put it online in the near future.

Sniffing wireless water meters shouldn’t be too difficult, he said, but there are some technical hurdles. Most U.S. meters broadcast in the 900 megahertz band of the wireless spectrum. That is the same frequency as cell phones, and there aren’t any off-the-shelf devices to sniff packets from them. Also, most of them scramble the signal by using spread spectrum, which sends out part of the message on one frequency, the next part on another, and so forth. However, other researchers have shown how to unscramble the spread spectrum code, so McNabb plans to build a device to sniff the 900 megahertz spread spectrum signals to show how it can be done and why it needs to be more secure.
