Free UK utility company smart meters are inherently insecure
via Flickr © James Burrell (CC BY-ND 2.0)
- Gas and electricity providers get the benefits
- Users get the worry
- Home security all too easily compromised
- A problem for the entire ecosystem, not just device manufacturers
UK residents in various parts of the the country are currently being bombarded with marketing emails and snail mail shots from their gas and electricity utilities cajoling them into making 'survey' appointments to have a free smart meter installed. The things are not compulsory and there is no legal requirement to have one fitted but you wouldn't know that from reading the disingenuous bumph cascading into inboxes and onto doormats. Smart meters are of real and tangible benefit to the utility companies operating in Britain's deranged gas and electricity markets but those accruing to individual households are much less tangible. What's more, smart meters are inherently and dangerously insecure.
Last year a malware attack resulted in more than 100,000 connected devices being taken over by a botnet that initiated a denial of service attack that briefly took down important sites and services such as Amazon, Netflix, PayPal and Twitter. It was a sharp and salutary reminder to IoT device manufacturers and those industries (such as the aforementioned gas and electricity utilities) that their handy little gizmos can easily be perverted into compromising home security.
Gone are the days when the modem and/or home router was the only electronic entry point into the domestic environment. Today the attack base has broadened to take in computers, remote servers, cloud services providers and on through to appliances such as fridges, ovens, washing machines, TVs and smart meters. Most systems are still entirely unable to tell the difference between a legitimate user or a botnet bent on causing a DDOS attack or stealing private data. It is no exaggeration to say that unless security is mightily tightened as IoT goes mainstream the infrastructure of the entire Internet could be open to compromise and collapse.
All this is very well known and has been for a long time, but now, even as smart meters and IoT devices are increasingly being installed in UK homes, the manufacturers of smart home devices have been very slow to address the problems inherent to unsecured smart home equipment. It's not just smugness behind the manufacturer's laggardly approach to security (although that does play a part), it's more that the sector is moving so quickly that security measures fall well behind the arrival of new devices and simply do not keep pace with the latest developments.
A problem for all concerned: who pays for security?
This problem is compounded because for manufacturers, ever keen to maximise their margins whilst attracting more and more customers with inexpensive devices, security has often been regarded as an expense that no one wants to pay for. Another militating factor is that IoT security is a complex matter because a wide variety of different technologies software and methods of connectivity are applied across complex networks and that makes security even more difficult. It is a problem that must be addressed. Research house Gartner calculates there will be 20.4 billion connected devices in situ by 2020.
Certainly parts of the problem can be addressed at semiconductor level. Silicon chips have security feature inbuilt (protected execution mode) but not all of them are 'turned on' or activated. They need to be. Then there are passwords; all too often default passwords are stored somewhere within a manufacturer's website and experience has shown that these can be all too easy to hack. It should also be possible to partition a device or system memory so that a part of it securely holds sensitive confidential data. But again, this costs money that manufacturers have been unwilling to spend.
Those are some of the problems at device level but, important though they are, they pale into comparative insignificance when compared to the dangers inherent in connectivity. Domestic smart home networks are made up of at least two and often more systems and that makes it all the harder to connect devices securely to connect to cloud services.
What is needed is some serious joined-up thinking on the part of all members of the ecosystem. Certainly the device manufacturers have a major role to play in ensuring that smart devices are secure but so too do other players such as ISPs, data centres and cloud providers. What is needed is secure chips, secure on-device communications, secure networks and secure clouds and until that happens the threats not only remain, they multiply. It's a disaster waiting to happen.