Hacking Into Your Smart Meter: There’s a Lot You May Not Know

Free content

By Mike Shiloh, The Texas Energy Report

June 25, 2021 — Electricity smart meters provide a lot of information on power usage — now at least one computer hacker is finding ways to tap into that info, including the data on who had their power turned off during the February Texas power crisis, and who didn’t.

Vaguely similar to the bar codes on the products you buy at a supermarket, which can be fed into a database to track your purchasing, smart meters keep data on an electricity consumer’s consumption — but also a lot more.

Smart meters are being used increasingly for homes and businesses, giving Retail Electricity Providers (REP — the company to which you pay your bills) detailed information about your usage, including whether you used your air conditioner, how much power your refrigerator is consuming — and how long it’s been since your power was shut off.

Information can be gathered in such detail that some REPs are now notifying customers that their air conditioners are using slightly more power than normal, then reminding those customers that forgetting to change filters may be the problem.

Smart meters have proven to be the most accurate measuring device for electricity use and their increasing applications correspond with the US technology revolution that’s changing America faster than many people realize.

Discussions about the devices, however, seldom mention the Achilles heel of smart meters: They are not hard to hack.

Thanks to their interior links to home devices and their exterior connection to the electricity grid, they have the potential to become “back doors” for hackers with bad intentions.

“In a single household you can have multiple smart devices connected to electricity through a smart meter,” UBC cybersecurity researcher and associate professor Karthik Pattabiraman told Straight.com two years ago.

“If someone took over that meter, they could deactivate your alarm system, see how much energy you’re using, or rack up your bill.

“In 2009, to cite one real-life example, a massive hack of smart meters in Puerto Rico led to widespread power thefts and numerous fraudulent bills. Hacked meters can even cause house fires and explosions or even a widespread blackout.”

An “ethical hacker” who calls himself Hash (who also says he’s a security researcher) found a few years ago that smart meters are widely deployed in the Dallas area, so he began looking into ways to retrieve information from them. In many of these cases, data is sent out from each meter using extremely low-power radio broadcasting from each meter (though there are several other ways to send the information, including Wi-Fi and cellular).

Hash says he’s been studying smart meters, their systems and data since about 2018 and has even put together a video of his exploits to familiarize others with the information he’s gathered and how it’s done.

He says he found that neighboring smart meters work in a kind of co-operative system in which one meter will pass along information to nearby meters — information that eventually is collected at specified locations, often at power substations, for integration into the REP’s database.

Retail electricity providers like the smart meters for several reasons, among them their ability to remotely turn on and off electricity at any one location without having to send a company representative to the location, as was done in the past.

And the gathering of broad data about customers has been an overarching trend in marketing for many decades, something smart meters provide in abundance.

Now, a large number of power providers offer apps that allow customers to access some data from their smart meters.

But the meters also have the potential to be used by providers to reduce electricity usage by a customer and if the meter is connected to a “smart” air conditioning thermostat, the provider could also change the temperature setting to reduce the customer’s electricity consumption.

Such a tactic gained public attention recently when used by Smart Savers Texas in mid-June, while the Electric Reliability Council of Texas called for energy conservation.

New York’s EnergyHub runs the Smart Savers program, in which customers allow EnergyHub to raise (or lower) thermostat settings in some circumstances, such as power shortages.

While Smart Savers Texas does not use the smart meter (it uses the home or business thermostat) to change settings, the concept is the same — manipulation of home appliances by outside controls through what experts have for years been calling “the internet of things,” which means the hooking together of computer-equipped appliances.

EnergyHub says participants in its program can drop out at any time and it’s possible some who signed up for the program didn’t anticipate that it could result in the raising of thermostat settings “up to four degrees.”

Similar programs aimed at cost savings have been tried in several states with varying degrees of success through the use of smart thermostats made by Alarm.com, Lux, Google’s Nest, Radio Thermostat, Sensi, Vivint, and ecobee, but in almost every one there was compensation for joining, as in the case of EnergyHub’s offering of participation in a sweepstakes upon signing up for Smart Savers.

It is, of course, possible for anyone who has or can manipulate access to smart thermostats to raise or lower home and office temperatures, but it’s also possible for smart meters to control air conditioners by simply shutting them off.

Air conditioners, by virtue of their power consumption, usually require a dedicated circuit, which are serviced by smart meters.

Former California Assemblyman Rick Keene said publicly in 2008 that he was appalled that utilities have the ability change home temperatures.

The onetime vice chairman of the California Utilities and Commerce Committee, said he turned down the offer of a smart thermostat in his home, not wanting others to control his interior temperature, removing it from his wi-fi system, Accuweather reports.

“It kinda goes against the whole point of having a Wi-Fi thermostat, but that lets you control it and no one else can tap into it,” Rogers said.

It’s not just the AC — water heaters and washing machines, as well as other appliances, can be fashioned with smart circuit boards that can communicate with the home smart meter, and perhaps each other, to feed information on usage through wi-fi.

But everything can be hacked, it seems, and there are now increasing concerns that, in the aftermath of recent computer program hacks such as the Colonial Pipeline event in May that had Georgians waiting in gasoline lines, smart meters can be hacked and, in a worst case scenario, shut off.

Dallas hacker Hash has been reverse-engineering some of the data he’s picked up from smart meters using just his laptop and some programs, knowledge and curiosity and has shared videos of his efforts.

As part of his efforts, as documented in the video above, Hash used a form of mathematical reverse-engineering to decode data to find GPS coordinates in each meter.

He says he was angered, as were many Texans, when he had to spend days in the freezing dark in February, and began to wonder how power shutoffs were prioritized. When he read that public utility Austin Energy refused to divulge who had power shut off and who didn’t, he decided to see if he could find out through monitoring smart meters in the Dallas area.

It turns out, he says, that smart meters carry information about the last time they were shut down, so it’s easy to tell who lost power in February and who didn’t.

Somewhat ironically, Austin Energy has said it won’t reveal specific information from the February blackouts because it might invite cyberattacks on critical infrastructure.

Hash has said he believes that his own ability to hack into smart meters indicates that the meters are significantly less safe than many think; so hacking the systems will delineate the weaknesses in the systems and provide system designers with information to plug the security holes.

“I think people expect companies to do the right thing but forget the right thing to them is shareholder value,” Hash told the Daily Dot. “If we want a secure system that’s resilient against attack then it must be openly attacked, otherwise nothing will be done.”

One of Hash’s motivations is the social justice aspect of the fallout from the February storms, including the possibility that some minority neighborhoods were prioritized for power blackouts, a topic explored by the Daily Dot’s Thursday report on Hash’s efforts to gather information from smart meters using his laptop as he drove the road between Dallas and McKinney.

The Public Utility Commission of Texas said last week that it’s going to require more transparency in the release of information about power shortages in the future.

And while smart meters are becoming increasingly common for home electricity tracking, their use is also widening — they’re now being used for natural gas and waterline consumption tracking.

So if Hash is correct in his assumptions about vulnerabilities in the smart meter systems, it makes sense that perhaps a hacker with good intentions should expose those flaws soon, before a bad-intentioned hacker does the same, with disastrous results.