Smart electricity meters provide power companies with an accurate and streamlined method of monitoring, reading and controlling a home's power usage. That convenience, however, comes at a steep price and could put homeowners' safety in jeopardy.
Researchers examining the privacy implications of smart-meter technology found that one German provider's devices contained vulnerabilities that allowed the researchers to snoop on unencrypted data and determine whether the homeowners were home.
After signing up with the German smart-meter firm Discovergy, the researchers found that the company's devices transmitted unencrypted data from the home back to the company's servers over an insecure link. The researchers, Dario Carluccio and Stephan Brinkhaus, intercepted the supposedly confidential and sensitive information and, based on the fingerprint of power usage, were able to tell not only whether the homeowners were home, away or even sleeping, but also what movie they were watching on TV.
The problem, the researchers explained, stems from Discovergy's monitoring frequency; the devices log homeowners' electricity usage in 2-second intervals, a timeframe they deemed unnecessary and intrusive. The two-second reporting interval provides so much data that they were able to accurately chart power usage spikes and lulls indicative of times a homeowner would be home, asleep or away.
Carluccio and Brinkhaus presented their research in a talk titled "Smart Hacking for Privacy" at the Chaos Computing Congress in Berlin on Dec. 30.
Flaws in Discovergy's Web interface also enabled the researchers to send back rigged meter readings to the company, and to tap into the company's servers and obtain a complete record of all the information collected by a home's smart meter.
During the presentation, the chief executive officer of Discovergy, Nikolaus Starzacher, came on stage and vowed to resolve the security glitches "as quickly as possible," the security firm Sophos reported. Starzacher explained that his company used a two-second monitoring interval to provide services to the homeowners such as notifying them if they left an iron or stove on by accident. He said he would make the data collection interval configurable in the future.
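To illustrate why the reporting interval matters, the following added example (not code from the researchers or Discovergy) averages a constructed one-hour load profile from 2-second readings into 15-minute readings and compares how many appliance switching events remain visible. The appliance wattages, times and the 500 W step threshold are assumptions chosen for illustration.

```python
# Constructed one-hour household load; all wattages and times are illustrative.
BASE_W = 150
APPLIANCES = [  # (name, watts, on_at_s, off_at_s)
    ("kettle", 2000, 600, 780),
    ("toaster", 900, 1500, 1620),
    ("microwave", 1200, 2700, 2790),
]

def build_trace(interval_s=2, duration_s=3600):
    """Instantaneous power in watts, sampled every interval_s seconds."""
    return [
        BASE_W + sum(w for _, w, on, off in APPLIANCES if on <= t < off)
        for t in range(0, duration_s, interval_s)
    ]

def aggregate(trace, src_interval_s, dst_interval_s):
    """Average consecutive readings into coarser reporting windows."""
    if dst_interval_s % src_interval_s:
        raise ValueError("target interval must be a multiple of the source")
    n = dst_interval_s // src_interval_s
    if len(trace) % n:
        raise ValueError("trace does not divide into whole windows")
    return [sum(trace[i:i + n]) / n for i in range(0, len(trace), n)]

def visible_events(trace, threshold_w=500):
    """Count jumps between consecutive readings of at least threshold_w."""
    return sum(1 for a, b in zip(trace, trace[1:]) if abs(b - a) >= threshold_w)

def energy_wh(trace, interval_s):
    """Total energy in watt-hours, the quantity billing depends on."""
    return sum(trace) * interval_s / 3600

if __name__ == "__main__":
    fine = build_trace(2)
    coarse = aggregate(fine, 2, 900)
    for label, trace, step in (("2 s", fine, 2), ("15 min", coarse, 900)):
        print(f"{label:>6}: {len(trace):4d} readings, "
              f"{visible_events(trace)} switching events visible, "
              f"{energy_wh(trace, step):.1f} Wh")
```

Both resolutions report the same total energy, so the coarser interval still supports billing while the individual on/off events no longer stand out in the reported data.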