Automatic meter reading (AMR) systems currently deployed may be vulnerable to spoofing attacks and privacy breaches, according to a recent study led by University of South Carolina researchers.
Further, these AMR meters continuously broadcast their energy usage data over insecure wireless links every 30 s, even though these broadcasts can only be received when a truck from the utility company passes by, the researchers claim.
The study, which was presented at last month’s Association for Computing Machinery’s annual Conference on Computer and Communications Security, reports a security and privacy analysis of AMR technology, covering the reverse engineering of the communication protocol and the possibility of spoofing attacks.
The meters tested were a selection of “electric and gas meters that have been widely deployed throughout the United States.” In addition to meters installed in the researchers’ neighborhood, second-hand electric and gas meters were acquired to conduct experiments both in the lab and outdoors. A generic handheld AMR ERT module reader, of the kind used by meter inspectors for handheld interrogation, was also obtained.
According to the researchers, reverse engineering of the meter communication protocol required modest effort using off-the-shelf equipment. The absence of encryption algorithms makes it possible for anyone to eavesdrop on the real-time consumption of customers with ‘bubble-up’ meters. For customers with ‘wake-up’ meters, it is foreseeable that their consumption data can be eavesdropped on at arbitrary rates using activation signals. As the ‘wake-up’ meters immediately transmit a packet after receiving an activation signal, they are also vulnerable to battery drain attacks.
The researchers also found that the ERT reader accepts any AMR transmission with a proper packet format. When receiving multiple packets with the same meter ID but conflicting meter readings, the ERT reader accepts the packet with the strongest signal without reporting any warning. This could allow an adversary to jam and block packets sent by a legitimate meter and replace them with spoofed packets for the reader to collect.
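The reader behaviour described above, next to a collection routine that reports conflicting readings instead of silently picking a winner. This is an added example, not code from the study or from any meter vendor; the `Packet` fields, the meter IDs and the `max_delta` tolerance are assumptions made for illustration, and the sample data is constructed.

```python
from collections import defaultdict
from typing import NamedTuple

class Packet(NamedTuple):
    meter_id: int     # constructed IDs, not real meters
    reading: int      # consumption counter value
    rssi_dbm: float   # received signal strength

def strongest_wins(packets):
    """Behaviour the study reports: keep the strongest packet per ID, no warning."""
    best = {}
    for p in packets:
        if p.meter_id not in best or p.rssi_dbm > best[p.meter_id].rssi_dbm:
            best[p.meter_id] = p
    return {mid: p.reading for mid, p in best.items()}

def collect_with_conflict_check(packets, max_delta=1):
    """Accept a reading only if all packets for that ID agree within max_delta.

    max_delta is an assumed tolerance for legitimate counter growth during
    one collection pass; conflicting IDs are held back for manual review.
    """
    by_id = defaultdict(list)
    for p in packets:
        by_id[p.meter_id].append(p)
    accepted, flagged = {}, {}
    for mid, group in by_id.items():
        readings = sorted({p.reading for p in group})
        if readings[-1] - readings[0] > max_delta:
            flagged[mid] = readings   # report the conflict, do not pick a winner
        else:
            accepted[mid] = readings[-1]
    return accepted, flagged

# Constructed sample of one collection pass.
SAMPLE = [
    Packet(1001, 48213, -71.0),
    Packet(1001, 48214, -70.5),   # same meter, counter ticked once
    Packet(2002, 90310, -78.0),
    Packet(2002, 12000, -41.0),   # conflicting reading with a much stronger signal
]

if __name__ == "__main__":
    print(strongest_wins(SAMPLE))
    print(collect_with_conflict_check(SAMPLE))
```

A conflict check of this kind only surfaces the disagreement; it does not authenticate either packet, which is why the researchers point to protocol-level remedies.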
The researchers say the results indicate that the millions of AMR meters that have been installed are at risk. To cope with the issues, they recommend upgrading the meters to incorporate standard security remedies or redesigning the communication protocol. Alternatively, a potentially easier solution to deploy is a privacy-preserving jammer, which would prevent continuous RF eavesdropping by masking the meter transmissions. The device could be secured to the meter and would be temporarily deactivated remotely by the authorized meter reader for a period just long enough for the meter reading to take place.
The team of researchers included Ishtiaq Rouf, Hossen Mustafa, Miao Xu and Wenyuan Xu from the University of South Carolina, Rob Miller from Applied Communication Sciences, and Marco Gruteser from Rutgers University.