Few things are as scandalous at computer-hacker conferences as the presentations that don’t happen.
Hackers face constant legal threats for their discoveries. So when someone plans to disclose an important security hole, but is forced to cancel the talk because of legal pressure, the episode is almost always mythologized. It’s remembered as another skirmish between “white hat” hackers who are trying to make technology safer, and companies and governments that want to protect their parochial interests.
On Wednesday, a security expert who has been investigating problems with smart power meters will get to explain his research that was abruptly shelved in January.
Don Weber, with security consultancy InGuardians, has developed software called OptiGuard that helps identify weaknesses in smart meters via their optical ports. It looks for ways that the data on the meters might be stolen by an attacker, or whether the devices can be turned off remotely by unauthorized users.
When Weber planned to unveil details of his software in January at the ShmooCon hacker conference in Washington, D.C., some power-meter industry executives got nervous and pressured him to cancel the talk, according to Jimmy Alderson, chief operating officer for InGuardians. More than 36 million smart meters have been installed at homes and businesses around the U.S., according to the Edison Foundation, an organization focused on the electric industry. The rollout has been bumpy, with protests over the accuracy of the meters and concerns about security and privacy.
InGuardians agreed to postpone the presentation to explain to industry insiders how the technology will improve the safety of their products, said Alderson, who would not disclose which smart meter companies were involved. Those meetings have gone well, he said, and now Weber has been cleared to present his findings this week in Las Vegas at Black Hat, one of the hacking world’s biggest events.
The technology is designed to aid legitimate security research, not to help criminal hackers, Weber said in an interview.
For the software to work, a researcher must be standing right in front of the meter, which limits its usefulness to attackers. It solves a time-consuming problem by reducing the need for researchers to manually pull apart meters and inspect their insides, similar to how a mechanic might hook your car up to a diagnostic computer to figure out what’s wrong without disassembling the vehicle.
Weber said the technology is misunderstood, since there are limits to what it can do.
“A lot of people are concerned that we can walk up to any meter and communicate with any meter with our tool,” Weber said. “We can initiate the conversation, but without the password, we’re not going to get anywhere.”
One dynamic working in Weber’s favor is that smart meter protections are improving. InGuardians, which has done more than 100 smart-meter assessments, has seen a marked improvement in the security of the devices, Alderson said.
That’s different from two years ago, when one of its researchers found “egregious” issues in meters being deployed by three unidentified utilities, in one of the few public studies done on the meters at the time. In 2009, another researcher showed how a computer worm could hop between smart meters in a power grid, giving criminals control over those meters in the same way they can control virus-infected PCs.
“It’s nowhere like it was in the first generation of things,” Alderson said. “Two or three years ago it was a much different scenario. I wouldn’t say we’d use the word egregious in 2012. Those extreme issues are becoming much fewer and far between.”