"We will talk about a device that is present in all houses, a smart power meter. This model is being installed in all houses and buildings, and it's already present in the 65% of the "paella" country."
Alberto Garcia Illera and Javier Vazquez Vidal are going to scare one big Spanish Electric Company with their presentation and their findings:
- Each device stores the same pair of symmetric AES-128 encryption keys
- With the encryption keys in hand, an attacker could easily sniff the data or inject his own commands into the device or devices
- It is simple to spoof the identifier code on each device.
- Turn off and on the lights remotely
- Know power consumption in a house
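The first and third findings share one root cause: a single symmetric key across the whole fleet means the key of any one meter is the key of every meter, and a device identifier that is not bound into the authentication is just a label anyone can rewrite. The following added example (my own code, not from the talk or from any vendor) contrasts the two designs on a toy frame format. It uses a constructed placeholder master secret, a made-up frame layout, and HMAC-SHA256 from the Python standard library in place of the meters' AES-128, because the point being shown is key management and identity binding rather than the cipher itself.

```python
import hashlib
import hmac
import struct

# Constructed placeholder master secret for this example only (128 bits).
# The keys found in the real meters are not on the page and are not reproduced here.
MASTER_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

TAG_LEN = 16          # truncated HMAC-SHA256 tag
ID_LEN = 8            # fixed-width device identifier field
HDR_LEN = ID_LEN + 6  # id + 4-byte counter + 2-byte payload length


def shared_key_design(device_id: str) -> bytes:
    """Weak design described in the talk: every meter holds the same key, whatever its id."""
    return MASTER_SECRET


def per_device_key_design(device_id: str) -> bytes:
    """Hardened design: derive a unique 128-bit key per meter from the master secret.

    HKDF-style extract-then-expand (RFC 5869 shape, one output block) with the
    device id mixed into the info string, so meter A's key says nothing about meter B's.
    """
    prk = hmac.new(b"meter-kdf-salt", MASTER_SECRET, hashlib.sha256).digest()
    info = b"meter-link-key|" + device_id.encode() + b"\x01"
    return hmac.new(prk, info, hashlib.sha256).digest()[:16]


def build_frame(key: bytes, device_id: str, counter: int, payload: bytes) -> bytes:
    """Frame = id(8) | counter(4) | len(2) | payload | tag(16); the tag covers id and counter."""
    ident = device_id.encode()
    assert len(ident) <= ID_LEN, "device id too long for this toy format"
    body = ident.ljust(ID_LEN, b"\x00") + struct.pack(">IH", counter, len(payload)) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def verify_frame(key_lookup, frame: bytes, last_counter: dict):
    """Head-end side: return (device_id, payload) if the frame is authentic and fresh, else None.

    key_lookup maps a claimed device id to the key the head end expects for that id.
    last_counter keeps the highest accepted counter per device to reject replays.
    """
    if len(frame) < HDR_LEN + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    device_id = body[:ID_LEN].rstrip(b"\x00").decode()
    counter, plen = struct.unpack(">IH", body[ID_LEN:HDR_LEN])
    payload = body[HDR_LEN:HDR_LEN + plen]
    if len(payload) != plen:
        return None
    expected = hmac.new(key_lookup(device_id), body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None                      # wrong key for the claimed id, or tampered fields
    if counter <= last_counter.get(device_id, 0):
        return None                      # replayed or stale frame (checked only after the MAC)
    last_counter[device_id] = counter
    return device_id, payload


def spoof_accepted(key_design) -> bool:
    """Does someone holding only METER-A's key get a frame accepted as coming from METER-B?"""
    key_of_a = key_design("METER-A")
    forged = build_frame(key_of_a, "METER-B", 1, b"RELAY_OFF")
    return verify_frame(key_design, forged, {}) is not None


def replay_accepted(key_design) -> bool:
    """Is the same authentic frame accepted twice by the head end?"""
    seen = {}
    frame = build_frame(key_design("METER-A"), "METER-A", 7, b"READ_CONSUMPTION")
    first = verify_frame(key_design, frame, seen)
    second = verify_frame(key_design, frame, seen)
    return first is not None and second is not None


if __name__ == "__main__":
    print("shared key, spoofed id accepted:   ", spoof_accepted(shared_key_design))      # True
    print("per-device key, spoofed id accepted:", spoof_accepted(per_device_key_design))  # False
    print("per-device key, replay accepted:    ", replay_accepted(per_device_key_design)) # False
```

With the shared-key design the head end cannot tell meters apart, because the only thing that proves identity is a key everyone has; with per-device derived keys the forged frame fails the tag check, and the counter closes the replay path for frames captured off the wire. The same separation of duties applies whatever the cipher is: per-device keys issued at provisioning, the identifier covered by the authentication tag, and a freshness value checked after the tag.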
Who could ask for more? Availability, integrity and confidentiality broken in one move.
Once again, a small team without many resources defeats a huge company's security organization.
What are we doing wrong? Are we reading the F... Manual in every project we start? I don't think so.
If we took a serious approach to security when designing architectures and solutions, we wouldn't find these kinds of things later.
In Madrid we still remember the BiciMad penis video on the rental kiosks for a whole weekend:
Both incidents have the same root causes: lack of deep risk analysis and of strong security requirements in the design phase.
Time for a Paella.