Skip to content
Naked Security Naked Security

If you connect it, protect it

Last week, we said that "Friends don't let friends get scammed." They don't let themselves get scammed, either!

If you connect it, protect it” is a short and simple slogan that we’ve taken straight from this year’s Cybersecurity Awareness Month (CSAM).
We wrote about CSAM last week, on the first of the month, to explain why we think CSAM is still worth supporting, for two main reasons.
The first reason is that it’s an annual prod to all of us to reach out to our friends and family who still think that “it’ll never happen to me”, or that “I’m too unimportant for the crooks to go after my data.”
The thing is, as we explained last week, that the crooks don’t have to “go after you” to get hold of your data.
After all, they might get hold of it, along with personal information about thousands or even millions of other people, as the side-effect of a blunder by a company that didn’t protect its customers’ data well enough.

And if they do get hold of any PII (personally identifiable information), there’s very little to stop them using it against you right away, or from passing it on as a “data dump” to other crooks to use for nefarious purposes.
Many cybercrimes that are dubbed targeted attacks happen the other way round to how many people think of them.
Simply put, sometimes the crooks come after you because you happen to be the next person on their list, not because they chose specifically to dig into your affairs in order to get you onto the list.


You can also listen directly on Soundcloud.

The second reason to support CSAM is that it’s a handy reminder to review all the cybersecurity precautions that you’ve already taken, or think you’re taking, to make sure that they’re actually working as you intended.
For example, wherever you’ve turned on automatic updating, why not take the time to go and review all your recent updates?
If you’ve been making regular backups throughout the year, do you still know how to mount and restore them safely and quickly if the need arises?
How about all those home devices you’ve installed recently, from internet-enabled doorbells to smart electricity meters and home thermostats?
For example, you may have enabled data collection features (what’s known as telemetry in the jargon) that you thought would be useful and that you’d use regularly, but that you haven’t used at all and therefore might as well turn off.

What to do?

You can use CSAM, which gets enough publicity that you are unlikely to miss it even if you don’t put it in your own diary, as an incentive to do all of the following:

  • Make sure your own cybersecurity precautions are up to scratch. Best-practice advice may have moved on since last year, so take the opportuntity to go and check if last year’s precautions are still considered good enough, or whether you ought to make any useful improvements.
  • Make sure your own cybersecurity precautions are working as you intended. Don’t just assume that your router has the latest firmware or that your Java Runtime Environment is up to date. Go and take a look and mark it off your list.
  • Make sure your own cybersecurity precautions are a good example to others. For instance, if your website still doesn’t have a TLS certificate, go and get one; if you’ve been putting off adopting 2FA or updating your passwords from secret99, go and do it now.

Remember: if you connect it, whether it’s a computer, an IoT device or an online account, protect it!
Even if you don’t think it’s necessary for “little old you”, please do it for the rest of us, because cyberinsecurity on your part affects everyone else, too.
Oh, and do it because friends don’t let friends get scammed.


All very well saying
How about all those home devices you’ve installed recently, from internet-enabled doorbells to smart electricity meters and home thermostats?
but …
In the UK (where there suddenly seems to be a lot of advertising of smart meters -“because it will help you save money”) there seems to be very little available to tell you about the security of these devices.
The “Official*” website says:
Security has been at the heart of the whole smart meter rollout programme from its very inception, and the system has been specifically designed to prevent hacking. Smart meters do not use the internet, and they have their own closed, dedicated communications system. Smart meters have been designed with top cyber security experts, including the government and GCHQ, to ensure that security best practice has been incorporated at every stage.
* = – although this could just be a contracted out government body or an energy company body
Apart from telling us that the government is a “top cyber security expert” (!), it tell us very little about the technology. Elsewhere I see that it runs on a dedicated radio network with over-the-air updates. Leaving aside all their privacy assurances (which can be swept away by a change in terms and conditions or a “bonfire of data protection regulations”) what are the chances of this system being hacked and used for instance to “disconnect” customers (pain in the arse) or worse to rapidly switch the supply on or off (which could cause some electrical items to over-heat).
We seem to have no way to audit these devices and – unlike Smart TVs – they are able to cause you to be billed (usually by direct debit!).
How long until someone (either inside a “buccaneering” energy supplier or outside) switches a whole lot of people to a more expensive tariff, bills them, takes the money and then switches them back to partially hide their tracks – or similar?


Smart Energy GB, as far as you can tell from its website, is a marketing body for smart meters: “[it is] our task to help everyone in Great Britain understand smart meters, the national rollout and how to use their new meters to be cleaner and greener with their energy use”. Who funds it – the public sector? the energy industry? – and how it was created – an Act of Parliament? an industry consortium? – is not stated.
Inside your home the data communication seems to rely on Zigbee. The data uploads to and downloads from your supplier seem to use an unspecified “long range radio network” in Northern England and Scotland and a mixture of “mesh wireless and mobile network” in the rest of England and Wales. Given that it is Smart Energy GB rather than Smart Energy UK, and that Northern Ireland isn’t mentioned, I assume that the island of Ireland is doing its own thing, as it understandably and conveniently does, say, for mapping.
The types of radio networks weren’t mentioned or even alluded to anywhere I could find. (Anyone know? I naively assumed they would use the electricity grid for data “backhaul”, given what you hope would be very low bandwidth needs… but that only works for electricity meters, of course, and not for other forms of energy such as gas, where the meters are explicitly not allowed to have any interconnection to the mains electricity system – they are battery operated by edict, AFAIK – for reasons that are somewhat obvious when you think about how even unplugging a mobile phone charger can produce a phat blue spark in the power outlet!)
My own thoughts are that the primary concern goes around “who gets access to the power usage data I upload” rather than “what if it gets hacked”, on the simple grounds that smart meters aren’t supposed to get hacked (and therefore it ought, at least, to be a rare event) whereas they are supposed to collect data and upload data continously- data that seems to have high marketing value.
AFAIK you can opt out of having your smart meter data being used for marketing (though the data is still collected and stored, one assumes) and you can reduce the frequency of the uploads to daily summaries instead of half-hourly, which sounds as though it would greatly reduce the inferences that anyone might make about your life and lifestyle from the data, whether they were authorised to see your data or it had been breached.


simple grounds that smart meters aren’t supposed to get hacked (and therefore it ought, at least, to be a rare event)
But neither were baby cams or Ring doorbells or Smart TVs or Alexa-likes!
I am slightly reassured, in one way, that you are finding Smart Meters and their infrastructure as opaque as I did. But on the other hand, I am concerned that you seem to be confirming that information is not available – we are just meant to accept the new technology – a bit like sub-postmasters were expected to accept Horizon [major, long going, scandal in UK].
The meter says, mam, that you used this electricity – the money IS due.
If the security is lax and account data transmissions are not kept separate could someone volunteer, for a commission, to flip usage off your meters and spread it across a whole lot of other accounts (bit like the old penny skimming bank fraud).
The privacy implications are down-played with warm words, but even downloading only daily usage data, a Man in the Middle could select homes where the inhabitants appear to be on holiday, but appear to be affluent enough to have high usage consistent with a swank lifestyle (and property). Rather defeats the claimed official objective of smart meters (to save the consumer money) if you have to program appliances to come on when you are out just to bring your usage up to the level of usage when you are home!


I hear you – I am not saying that hacking is a non-issue – just that the Smart Meter is *supposed* to collect data and send it to an energy provider “to green up Britain”, and that is when it is working normally. So I would start by minimising what gets collected, and opting out of allowing the data to be used for commercial purposes.


Electra, both your comments are interesting and raise valid questions, but even if they weren’t upvote-worthy due to that…
I’d have upvoted this comment for “Alexa-likes” and the other one purely because a nickname Electra discussing security in an electric-power grid context is 99% pure awesome.
Though it’s also no small feat to sneak a URL past moderation.
I hope this all works out–and not solely because in 25 years when it arrives in America we’ll get an inferior imitation of your system.
(e.g. credit card authentication chips).


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!