Flawed encryption leaves millions of smart grid devices at risk of cyberattacks

The first rule of crypto club? "Don't invent your own."
Written by Zack Whittaker, Contributor

Millions of smart meters, thermostats, and other internet-connected devices are at risk of cyberattacks because they come with easily crackable encryption, a study has warned.

A paper by Philipp Jovanovic and Samuel Neves published in late April analyzed the cryptography used in the Open Smart Grid Protocol (OSGP), a group of specifications published by a European telecoms standards body. The protocol is used in more than four million devices, and is said to be one of the most widely used protocols for smart devices today.

The results? Not great.

The researchers found that the "weak cryptography" can easily be cracked through a series of relatively simple attacks. In one case, the researchers said they could "completely" defeat a device's cryptography.

The most common and trusted encryption standards use well-established, peer-reviewed ciphers that are open-source and readily available to inspect. Some have argued it's the "first rule" of crypto-club. The problem for smart grid devices is that their cryptography doesn't stand up to the scrutiny of the community.

The OSGP Alliance, the non-profit group behind the OSGP protocol, said last month it's preparing an update to the specifications to add new security features.

"The alliance's work on this security update is motivated by the latest recommended international cybersecurity practices, and will enhance both the primitives used for encryption and authentication as well as the key length, usage, and update rules and mechanisms," the post read.

We reached out to the OSGP Alliance, but did not hear back outside business hours.
