def con 18 - getting social with the smart grid
DESCRIPTION
Presentation given by Justin Morehouse and Tony Flick on August 1, 2010 at the DEF CON 18 Information Security Conference.TRANSCRIPT
Getting Social with theSmart Grid
Justin Morehouse & Tony Flick
1
About usJustin Morehouse
• Lead assessment team @ large retailer
• Collector of Hawaiian named Basenjis
• Avoid conversations that start w/ "Instant Replay"and end w/ "World Cup"
Tony Flick
• Principal @ FYRM Associates, Inc.
• Known as the "Baby Face" of INFOSEC
• Denies being banned from Duke University's campus
2
Why we’re presenting
• Firm believers in "just because you can...doesn't mean you should..."
• We understand the potential benefits of a marriage between the Smart Grid and social networking...but...
• Just like everything else related to INFOSEC, we need to think about the risks/consequences before we just start tweeting, status updating, and whatever you call it when you post to myspace...if that still exists...
3
About this presentation
• Somewhat technical; somewhat theoretical
• An exercise in evangelizing common sense
• 2 main goals
• Raise awareness of where the SmartGrid and Social Networking are going(and why)
• Catch the attention of the SmartGrid decision makers so thatthey involve security pros NOW!!!
4
Obligatory Disclaimer
• Everything said, showed, implied, etc. is not the opinion of our employers, friends, dogs, Syngress, DEF CON, etc.
• These tools are for auditingyour own energy usage,not illegal behavior
• This disclaimer is notendorsed by our lawyers
5
• Conversations over NFL Sunday Ticket aboutthe press the Smart Grid was getting led toTony's Black Hat and DEF CON talkslast year
• Those talks led to "Securing the Smart Grid"book we wrote for Syngress
• A chapter in the book is dedicated to Social Networking and the Smart Grid -> The basis for this presentation
How we got involved
6
Smart Grid PrimerVia WikiPedia1
• Delivers electricity from suppliers to consumers
• Utilizes bidirectional communications
• Save energy
• Reduce cost to produce energy
• Increase reliability
• Increase transparency
Goals
7
The media’s Smart Grid
• My dishwasher will talk to the utility company and decide when is the best (cheapest for me) time to run
• My phone uses its GPS to tell my air conditioner when I leave work so it will automatically set itself to the pleasant 76 degrees that I enjoy with my welcome home glass of Maker's
• My neighbor will be busted for his growing operation based on his relatively large energy consumption when compared to the rest of his neighbors
...oh wait...that wasn't in the press...yet
8
Smart Meter deployments
165,000 as of 20092
2.3 million+ in California by the end of 20113
1 million in Miami-Dade county in 20114
9
Social Networking Primer
• Facebook has over 500 million usersas of 7/21/105
• 57 Million unique US usersSTILL use MySpace(OMFG...WTF?)6
• Twitter sends out 600+ tweets every second7
10
So why Smart Grid + SocNet?
11
How they make more $$$
• The global Smart Grid market in 2010is $23 billion8
• $3.4 billion in grants awarded byWashington in 20099
• Matched by $4.7 billion from the private sector9
• Facebook worth ~$11 billion10
• $2.2 billion spent on social networking advertising in 200911
12
How we save more $$$
• Leverage familiar platforms we already use
• It doesn't cost us anything (monetarily)
• The more we use social networks to monitor and share our energy usage, the more we will do to minimize usage and save us money
(in theory, of course)
13
Why we’ll really use it
Look how green I am = Look how cool I am + I want to save $$$
14
Why they’ll support it
Look how green we are = We have a conscience + Buy our stuff ($$$)
15
• German utility company
• Manages meters directly via consumers'home broadband connection
• Each "Yello Sparzähler" communicates withGoogle PowerMeter and has its own Twitter account
• Thought process is to be commended...but implementation needs to beensured (secured)...
• Anyone played with these yet?
How’ll they do it...
16
Commercially available
• PICOwatt
• The Energy Detective(TED)
Do-it-Yourself
• Tweet-a-watt
Social Smart Devices
17
• By Tenrehte Technologies
• Allows consumers to setup homemonitoring w/o Smart Meter
• Wi-Fi enabled embedded Linux boxesthat talk to your PC
• PC talks to Facebook or Twitter
• Won ‘Best of CES 2010 Green Tech’
• Waiting on UL and FCC approval = NOT AVAILABLE YET
• Hits shelves by the Holidays
PICOwatt
18
TED 5000
• By Energy, Inc.
• Home monitoring w/o Smart Meter byhooking up to your electrical panels
• Running AIX 4.3.2 (according to Nessus) box usesZigbee, PLC, and Ethernet
• Makes it a juicy target
• Can store up to 10 years of data
• Google PowerMeter Compatible (more to come on this...)
• Tout the ability to be accessible via the Internet (w/ some PAT of course)
19
AnalysisThe Good
• Only two ports (80/tcp & 443/tcp) running on the gateway
• Google PowerMeter setup is simple and relatively secure (ty Google)
• Some input validation
• Pretty much “READ ONLY” device
The Fail
• This !*$%king thing DOESN’T work!
• High failure rate (lmgtfy.com)
• DoS’d w/ multiple Nmap scans
• Input validation fail (...but limited attack surface)
20
Tweet-a-Watt
21
How it works
22
The Good
• Relatively inexpensive DIY ~$100
• Easy to develop for (adafruit scripts written in python)
• Won’t be hard to write secure code/fix issues
The Fail
• Each tweet passes Twitter creds in the clear
• No encryption on Xbee link
Analysis
23
Where’s the data going?
24
25
26
Where this preso becomes relevant...
If you've been paying attention, I'm sure you know where we're about to go
27
Because you can = People will
Go ahead, search Twitter for #tweetawatt...
28
If that’s not enough...
Courtesy of kjake(bet you didn’t think you’d end up on a defcon slide)
29
How about...
A house that tweets?
30
Or a Facebook app...
WattsUp (apparently not Derek)
31
Universities <3 Facebook
University of Colorado's Fiske Planetarium
32
...and Twitter too!
University of Mississippi’s Lyceum Building
33
So what’s the big deal?
Oh right...maybe sharing some type of info isn't the best idea
34
Risky Business• The more data we provide, the better able others are to
profile our behavior
• Simple profiling may allow others todetermine if you are home or not
• Criminals to steal stuff
• Law enforcement to determine your whereabouts
• Comparative profiling may provide law enforcement with probable cause
• Grow house, speakeasy, etc.
35
• As technology advances, the risk to information providers increases
• Remote controlling of devices
• Trigger based device settings
• Just think of the fun one could have!
• May not seem like a big deal now, but withjust a little bit of energy usage data harvestedfrom SocNets we had some pretty alarmingresults...
Future Implications
36
• Downloads energy usage tweets
• Profiles their energy usage to determine
• When they are home
• When they are not
37
Identifying Location
38
Identifying the Owner
39
Identifying the Owner
40
Energy Profiling
41
Energy Profiling
Home and awake
Away or asleep
42
iNrob• Predict the best time to rob the owner
• Based on historical average energy use
• Predicts when they are not home or sleeping
43
iNstalk• Predict the best time to find someone in their home
• When the person is either home and awake, or sleeping (i.e. best time to stalk them)
44
Demo
45
Future Improvements
• Support for Facebook, MySpace, etc.
• Link multiple social networking accounts to improve accuracy
• Location-based searches
• Version 1 available this week from fyrmassociates.com
46
So what now?Smart Grid Social Networking Security Checklist
• It’s all about COMMON SENSE
• 5 categories of controls
1. Identity (Account Name & Personal Information)
2. Authentication (Secure Login, Unique Password, Password Sharing, & Security Questions)
3. Information Sharing (Privacy & Third-Party App Sharing)
4. Networking (Segmentation)
5. Usage (Browsing)
47
What else?
• Get involved!
• Research, blog, tweet, smoke signal, etc.
• There are a lot worse (security) issues w/ the Smart Grid, but this one seems like an easy one to fix (prevent)
48
Thanks & QA
49
References1. http://en.wikipedia.org/wiki/Smart_grid
2. http://en.wikipedia.org/wiki/Smart_meter#United_States
3. http://www.pge.com/about/news/mediarelations/newsreleases/q2_2009/090414.shtml
4. http://www.fastcompany.com/blog/ariel-schwartz/sustainability/1-million-smart-meters-energy-smart-miami-program
5. http://www.bbc.co.uk/news/technology-10713199
6. http://www.web-strategist.com/blog/2010/01/19/a-collection-of-social-network-stats-for-2010/
7. http://mashable.com/2010/02/22/twitter-50-million-tweets/
8. http://www.visiongain.com/Report/496/The-Global-Smart-Grid-Market-2010-2020
9. http://www.csmonitor.com/USA/Politics/2009/1027/obama-awards-34-billion-in-smart-grid-grants
10. http://www.portfolio.com/views/blogs/the-tech-observer/2010/03/04/facebook-value-estimated-at-more-than-eleven-billion-dollars/
11. http://www.emarketer.com/Report.aspx?code=emarketer_2000621
50