If you build it, they will crack it…

September 21, 2010

By this time, we should all get it… If you build an electronic device, someone will figure out how to crack it. The other important principle we should all understand by now is that if you don’t ensure the physical security of a device, either the user or someone else will find a way to misuse it. Many people do understand these vulnerabilities, but the message doesn’t seem to have reached ScottishPower.

Figure A shows an electricity meter in Scotland. According to an article in the Evening Times (the source of the photo), criminals have found a way to crack the key that customers use to load prepaid credit into their meters.

“The pre-paid power meters use a key system. Normally people visit a shop to put credit on their key, which they then take home and slot into their meter.

The conmen have cracked the system and can go into people’s houses and put credit on their machine using a hacked key. If they use this, it can be detected the next time they top up their key legitimately.”

And that isn’t all. Apparently the criminals correctly tell the owner of the meter that the hacking will be detected the next time the owner wants to “legally” recharge the prepaid amount. The customers don’t seem to care, as long as they can save a few bucks, or pounds. It just means that the customer is tied to the criminal for power updates.

This is simply a bad idea waiting to make a victim of the power company. The utility placed an unprotected device into the homes of its customers and relied on customer behavior to protect the utility’s interests. Something is very wrong with this picture.

No, it isn’t right that people steal power. But human nature being what it is, what did ScottishPower expect? This is a good lesson for anyone who has to deploy systems, whether meters or desktops.

