Source: Daily Dot

Power companies won’t disclose who was protected from blackouts—but smart meters may be leaking insights.

By Mikael Thalen

Power companies across Texas have refused to disclose which areas of the state were exempt from controlled blackouts after a devastating snowstorm crippled the power grid in February—but one hacker has found that smart meters, the electrical devices on the sides of homes and businesses that monitor energy consumption, are quietly broadcasting data that could be used to determine what infrastructure may have been protected.

In the days following the historic freeze, companies tied to the state’s privately-run grid were met with pressing questions from citizens and lawmakers alike over how it was decided who would and who wouldn’t be plunged into darkness.

A Dallas-based hardware hacker and security researcher known as Hash first noticed one such refusal in early March from Austin Energy, a publicly-owned utility provider in the Texas capital.

Austin Energy has continually argued that disclosing what infrastructure it allowed to remain operational, such as hospitals and 911 call centers, could make the city and by extension its more than 1 million residents vulnerable to cyberattacks.

“We are not able to provide that information since it’s protected critical infrastructure information,” Austin Energy spokeswoman Calily Bien told the Austin American-Statesman at the time.

Yet Hash, who has been reverse-engineering the inner-workings of smart meters since 2016, says the argument contains one major flaw: Smart meters used by Austin Energy and other power companies throughout Texas quietly emit data that shows how long businesses and residences have gone since their last power outage. Such information could potentially reveal whose power was shut off and whose wasn’t.

Hash’s discovery was made following extensive analysis of smart meters produced by Landis+Gyr, a multinational corporation that develops both smart meters and related software for electricity and gas utilities.

From his home workshop, complete with an array of smart meter components purchased from eBay, Hash spent weeks in the wake of the snowstorm collecting, analyzing, and deciphering the data streams that travel across the massive smart meter network blanketing Dallas.

Hash noticed a sudden change in the data values given off by the smart meters in his neighborhood as power was being restored following the snowstorm. Analyzing the data further, Hash determined that the readings represented the number of seconds each smart meter had been operating since coming back online.

Many utility providers offer customers access to smart phone apps that detail their home’s power usage statistics, including any periods when no electricity was used. Several days after the power to his mother’s home was restored, Hash compared the data from the app to the data being broadcasted by the smart meter on the home. The uptime listed by the smart meter, a little over five days, matched perfectly down to the minute with the amount of time that had passed since the power at his mother’s home came back on.

In a technique known as war driving, Hash—complete with a laptop in the passenger seat and antennas on the hood of his vehicle—reproduced his findings on a larger scale in late May. Driving along a 30-mile stretch of U.S. Route 75 from Dallas to the city of McKinney, Hash was able to siphon data off of more than 7,000 smart meters operated by Oncor, the largest energy delivery company in the state. Like Austin Energy, Oncor, which has also declined to release outage data from the snowstorm, uses smart meters produced by Landis+Gyr.

Video posted by Hash to YouTube shows the data from the drive laid out over Google Maps. Represented by red dots, each smart meter operated by Oncor reveals how many days have passed since its last outage as well as its GPS coordinates and unique meter ID. The higher off the ground the dot is, the longer the smart meter has gone without a significant power interruption.

One smart meter highlighted by Hash, which appears to be connected to a Chase Bank, had been running continuously for 1,783 days, or nearly five years, as of late May. The uptime listed by other smart meters clearly showed that they had last regained power in the aftermath of the snowstorm.

Hash’s own experience during the catastrophic weather event, which may have killed four to five times more people than the 151 deaths acknowledged by the state, is what ultimately prompted him to bring his discovery forward.

“I seriously wondered whether it was going to be Armageddon around here as we froze inside my house,” Hash told the Daily Dot. “It definitely scared me and made me realize that no one cares more about my well being than me.”

An armageddon-like scenario was much closer than many realized at the time. A March report from the Wall Street Journal revealed that the electric grid “came within five minutes of a complete collapse” after backup generators designed to revive it were knocked out of commission. Such a catastrophe, according to grid operators, “could have caused weeks or even months of outages.”

In a statement to the Daily Dot, a representative with Oncor declined to address Hash’s findings and instead defended the company’s smart meters as “safe, secure and encrypted.”

“We take a proactive approach to data security and have a dedicated team of experts continuously monitoring and ready to address any possible issues,” the spokesperson said. “We also work closely with leading information technology experts to develop best practices and ensure safe and secure services for our customers.”

Being just one man, Hash has only been able to capture smart meter data across a small portion of Dallas, representing only a fraction of the information many are seeking throughout the state. Hash’s meter-scanning techniques also only apply to devices being operated by a handful of power companies using products from Landis+Gyr. And as new power outages occur, information broadcasted by the smart meters about their uptime no longer reflect the time period from the snowstorm. Nonetheless, Hash says his ongoing work raises serious questions given the refusal by both private and public groups to provide outage data—especially in light of allegations that minority populations were more likely to experience power loss regardless of income.

A recent study published by the Lawrence Berkeley National Laboratory, Colorado School of Mines, and University of Massachusetts-Amherst asserted that minority areas were over four times as likely to suffer from an energy blackout than white-majority areas.

“Income status of areas did not appear to be a strong factor in the share of blackouts…” the study stated. “The presence of hospitals or police and fire stations—critical facilities—in a CBG [Census block group] reduces the chances of blackouts by around 0%-6%, a small difference that does not otherwise explain the disparity among communities.”

When asked by the Daily Dot for access to outage data, Austin Energy once again stated that its information was exempt from public disclosure due to “security concerns.” The company also claimed that its smart meter network was “not open to the public” when presented with Hash’s analysis.

“We understand the security landscape is getting more complicated and therefore, we’re continually looking at areas where we can provide additional security measures,” the spokesperson said. “Creating a smarter, safer grid is always at the forefront of our operations.”

Hash argues that the corporate secrecy surrounding smart meters, which discourages ethical security researchers such as himself from probing the devices for vulnerabilities, makes the public significantly less safe.

With malicious hackers breaching everything from fuel pipelines to water treatment facilities, Hash fears a day when smart meters become the next piece of critical infrastructure to be targeted by brazen ransomware gangs.

“I think people expect companies to do the right thing but forget the right thing to them is shareholder value,” Hash said. “If we want a secure system that’s resilient against attack then it must be openly attacked, otherwise nothing will be done.”

Landis+Gyr, the company which designed the smart meters used by Austin Energy, Oncor, and countless other power providers across the globe, did not respond to repeated inquiries from the Daily Dot.

Hash is now encouraging his fellow hardware hackers to take an interest in smart meters as well, publishing a wiki online that details how his discoveries were made. And although power companies are remaining tight-lipped, Hash says he is increasingly being contacted by both former and current power company employees regarding his analysis.

Continuing his work, Hash is now analyzing the smart meter mechanism responsible for remotely disconnecting a home’s power. If vulnerable, Hash warns, such a discovery in the wrong hands could potentially lead to devastating outcomes similar to those seen during the snowstorm.