Though a little over a year old, this post concerning the security of smartmeters is particularly valuable considering the rapid adoption of the technologies throughout Canada. Particularly pertinent:
Citing confidential sources, the FBI said it believes former employees of the meter manufacturer and employees of the utility were altering the meters in exchange for cash and training others to do so. “These individuals are charging $300 to $1,000 to reprogram residential meters, and about $3,000 to reprogram commercial meters,” the alert states.
The FBI believes that miscreants hacked into the smart meters using an optical converter device — such as an infrared light — connected to a laptop that allows the smart meter to communicate with the computer. After making that connection, the thieves changed the settings for recording power consumption using software that can be downloaded from the Internet.
“The optical converter used in this scheme can be obtained on the Internet for about $400,” the alert reads. “The optical port on each meter is intended to allow technicians to diagnose problems in the field. This method does not require removal, alteration, or disassembly of the meter, and leaves the meter physically intact.”
The bureau also said another method of attacking the meters involves placing a strong magnet on the devices, which causes it to stop measuring usage, while still providing electricity to the customer.
So, this suggests that insider threats and poor shielding enable significant fraud. Can’t say it’s surprising given how often these meters have been compromised when deployed in other jurisdictions.
The same vulnerabilities that enable crime in the first place also give law enforcement a way to wiretap — when they have a narrowly targeted warrant and can’t get what they’re after some other way. The very reasons why we have Patch Tuesday followed by Exploit Wednesday, why opening e-mail attachments feels like Russian roulette, and why anti-virus software and firewalls aren’t enough to keep us safe online provide the very backdoors the FBI wants.
Matt Blaze and Susan Landau, “The FBI Needs Hackers, Not Backdoors”
You often hear that if you’ve nothing to hide then government surveillance isn’t really something you should fear. It’s only the bad people that are targeted! Well….sorta. It is the case that (sometimes) ‘bad people’ are targeted. It’s also (often) the case that the definition of ‘bad people’ extends to ‘individuals exercising basic rights and freedoms.’ This is the lesson that a woman in the US learned: the FBI had secretly generated a 436 page report about her on the grounds that she and friends were organizing a local protest.
What’s more significant is the rampant inaccuracies in the report. The woman herself notes that,
I am repeatedly identified as a member of a different, more mainstream liberal activist group which I was not only not a part of, but actually fought with on countless occasions. To somehow not know that I detested this group of people was a colossal failure of intelligence-gathering. Hopefully the FBI has not gotten any better at figuring out who is a part of what, and that this has worked to the detriment of their surveillance of other activists. I am also repeatedly identified as being a part of campaigns that I was never involved with, or didn’t even know about, including protests in other cities. Maybe the FBI assumes every protester-type attends all other activist meetings and protests, like we’re just one big faceless monolith. “Oh, hey, you’re into this topic? Well, then, you’re probably into this topic, right? You’re all pinkos to us.”
In taking a general survey of all area activists, the files keep trying to draw non-existant connections between the most mainstream groups/people and the most radical, as though one was a front for the other. There are a few flyers from local events that have nothing to do with our campaign, including one posted to advertise a lefty discussion group at the university library. The FBI mentions that activists may be planning “direct action” at their meetings, which the document’s author clarifies means “illegal acts.” “Direct action” was then, and I’d say now, a term used to talk about civil disobedience and intentional arrests. While such things are illegal actions, the tone and context in these FBI files makes it sound like protesters got together and planned how to fly airplanes into buildings or something.
You see, it isn’t just the government surveillance that is itself pernicious. It’s the inaccuracies, mistaken profilings, and generalized suspicion cast upon citizens that can cause significant harms. It is the potential for these profiles to be developed and then sit indefinitely in government databases, just waiting to be used against law abiding ‘good’ citizens, that should give all citizens pause before they grant authorities more expansive surveillance powers.
In the aftermath of the MegaUpload seizures we’ll hopefully learn more about how the FBI gained access to Skype transcripts. As reported by CNet,
TheFBI citesalleged conversations between DotCom and his top lieutenants, includinge-mailand Skype instant-messaging logs. Some of the records go back nearly five years, to MegaUpload’s earliest days as a cyberlocker service—even thoughSkype says“IM history messages will be stored for a maximum of 30 days” and the criminal investigation didn’t begin until afew months ago.
Sources told CNET yesterday that Skype, the Internet phone servicenow owned by Microsoft, was not asked by the feds to turn over information and was not served with legal process.
The U.S. Department of Justice told CNET that it obtained a judge’s approval before securing the correspondence, which wouldn’t have been necessary in the case of an informant. “Electronic evidence was obtained though search warrants, which are reviewed and approved by a U.S. court,” a spokesman for the U.S. Attorney for the Eastern District of Virginia said.
Skype saves chat records with contacts in a directory on the local hard drive, which could be accessed by FBI-planted spyware.
While it wouldn’t necessarily be surprising if spyware was used, it would be interesting to see more details of this come to public light. Moreover, was the spyware/electronic access authorization acquired in the US and then the malware implanted on computers in foreign jurisdictions, or did it target local (American) computers? If it was implanted on foreign computers, were local authorities aware of what was going on and did they have to give their approval?