
UBC researchers hackproof smart meters

Steve Rogerson
June 18, 2019


Researchers at Canada’s University of British Columbia (UBC) have found ways to make smart meters hackproof.

Smart electricity meters are useful because they allow energy utilities to track energy use efficiently and allocate energy production. But because they’re connected to a grid, they can also serve as back doors for malicious hackers.

Cyber-security researcher Karthik Pattabiraman, an associate professor of electrical and computer engineering at UBC, has made a breakthrough aimed at improving the security of these devices and boosting security in the smart grid.
More than 588 million smart meters are projected to be installed worldwide by 2022. In a single household, there can be multiple smart devices connected to electricity through a smart meter. If someone took over that meter, they could deactivate the alarm system, see how much energy the household is using or rack up the bill.
Hacked meters can even cause house fires and explosions or a widespread blackout. Unlike remote servers, smart meters can be relatively easily accessed by attackers, so each smart meter must be quite hackproof and resilient in the field.
“Smart meters are vulnerable to what we call software-interference attacks, where the attacker physically accesses the meter and modifies its communication interfaces or reboots it,” said Pattabiraman. “As a result, the meter is unable to send data to the grid, or it keeps sending data when it shouldn’t or performs other actions it wouldn’t normally do.”
Pattabiraman and his PhD students have developed an automated programme that uses two detection methods for these types of attacks. First, they created a virtual model of the smart meter and represented how attacks could be carried out against it. This is what they call design-level analysis. Secondly, they performed code-level analysis. That means probing the smart meter’s code for vulnerabilities and launching various attacks on these vulnerabilities.
Although both techniques successfully discovered attacks against the system, code-level analysis was both more efficient and more accurate than design-level analysis. Code-level analysis found nine different types of attacks within an hour, while design-level analysis found only three.
All of the attacks can be carried out by an attacker with relatively low-cost equipment purchased for less than $50 online, and do not require specialised expertise.
Vendors can use the findings to test their designs before they are manufactured, so they can build in security from the get-go.
“This can make smart meters much harder to crack,” said Pattabiraman. “By using both approaches – design-level and code-level – you can guard against software tampering on two different fronts.”
The findings can be applied to other kinds of devices connected to a smart grid as well, and that’s important because homes and offices are increasingly interconnected through devices.
“Like all security techniques, there is no such thing as 100 per cent protection,” said Pattabiraman. “Security is a cat-and-mouse game between the attacker and the defender, and our goal is to make it more difficult to launch the attacks. I believe the fact that our techniques were able to find not just one or two vulnerabilities, but a whole series of them, makes them a great starting point for defending against attacks.”