Millions of network-connected electricity smart meters installed all over Spain could be easily attacked by hackers as they lack sufficient cyber protection.
According to cyber-security researchers Javier Vazquez Vidal and Alberto Garcia Illera, the smart meters, rolled out by one of the three Spanish utility companies, are equipped with reprogrammable memory chips and run flawed code, allowing hackers to remotely shut down power supplies to households and tamper with meter readings.
Taking advantage of the meters' Internet connectivity, the attackers could also insert malicious worms into the meters, possibly causing widespread blackouts.
"You can just take over the hardware and inject your own stuff," Vazquez Vidal said, referring to the threat that hackers could insert malicious code into one box and use it to control nearby meters, and thereby cascade an attack across the network.
The researchers declined to identify which of the three major utility companies in Spain has rolled out the faulty meters.
Speaking ahead of the Black Hat Europe hacking conference in Amsterdam next week, Vazquez Vidal said he believes the utility may be able to patch the problem remotely, without having to send repair staff to upgrade each box manually.
Vazquez Vidal and Garcia Illera said the meters use relatively easy-to-crack symmetric AES-128 encryption. The limited security appeared to be designed largely to prevent tampering with billing systems by fraudsters, they said.
Once through this first level of security, they said they were able to take full control of the box, switching its unique ID to impersonate other customer boxes or turning the meter itself into a weapon for launching attacks against the power network.
"Oh wait? We can do this? We were really scared," Vazquez Vidal said. "We started thinking about the impact this could have. What happens if someone wants to attack an entire country?" he said.
They say they tested the devices in their own lab, where they were able to reproduce various attacks in miniature using several of the smart meters.
Last year, the same researchers uncovered weaknesses in computer chips found in many automobiles, which they said could be used to boost performance, hotwire a car or cause crashes.
Mike Davis, a top security researcher with cybersecurity consulting firm IOActive, identified similar threats in US smart meter devices five years ago.
"It was strange. Pretty much none of the utilities deploying smart meters at the time were considering the meters themselves as part of their threat problem," Davis said.
Disclosure of his findings was a wake-up call for US utilities, leading to increased government scrutiny and industry action to better secure the devices against cyber-attacks.
Davis said the vulnerabilities described by the Spanish research team sounded feasible given the slow response by utilities and meter makers to overhaul their meters' security.
However, an expert with Spain's markets and competition regulator, which oversees the smart meter mandate, said the agency was finishing a study on the threat of meter hacking and had not found any evidence it was taking place or at risk of occurring.
Traditionally, energy utilities have kept power plants and mechanical electricity meters safe from cyber-attacks by keeping them insulated from the open Internet.
Smart meters are connected over power line networks to give customers and utilities instant data about when, where and how much energy households use, enabling energy providers to monitor and adjust energy flows.
The European Union wants more than two-thirds of Europe's electricity users to have smart meters by 2020 in a bid to improve energy efficiency by three percent.
Over the last decade, most countries in Europe have mandated that smart meters be installed in homes and businesses. But as nationwide deployments have taken place in Italy and Sweden and are now in progress across France, Spain and the United Kingdom, experts have begun to uncover cybersecurity threats posed by the technology.