Smart meters that monitor electricity usage in homes in parts of Germany leak data that could reveal what programs are being watched on a digital TV, researchers there say.
The researchers tested smart meters made by German company Discovergy and found that someone with network sniffing skills and equipment could use a "man in the middle" attack to eavesdrop on data related to power use in the home.
The smart meters record high-resolution energy consumption of appliances every two seconds and transmit it to the server at the utility company over the Internet. The system gives utilities up-to-date information on power usage and allows customers to use a Web browser to get detailed data and statistics that can help them track usage and expenses. The data includes the amount of electricity used and the type of appliances used, but also granular information based on the lighting display of the digital TV, according to the researchers.
The household electrical usage profile reveals content displayed on a cathode ray tube (CRT), a plasma display TV, or a liquid crystal display (LCD) TV set with dynamic backlighting, the paper says. The lighting pattern, essentially the amount of light and dark the display emits in individual frames, is unique for each TV program and movie. To find a match, someone would already need to know the light pattern "fingerprint" of the specific content and compare it with the samples coming from the smart meter at the home.
This technique of matching the light patterns could be used to determine what channels are being watched on TV and what TV programs, DVDs, or even downloaded videos are being viewed, said Dennis Loehr, a researcher at Muenster University of Applied Sciences who is pursuing a doctorate at Ruhr-Universität Bochum.
"Our test results show that two 5-minute chunks of consecutive viewing without major interference by other appliances is sufficient to identify the content," Loehr and his fellow researchers--Ulrich Greveler and Benjamin Justus--wrote in their paper, to be presented Wednesday at the Computers, Privacy and Data Protection conference in Brussels.
The data is exposed because it is not signed or encrypted, Loehr said in an interview with CNET. "Anyone with access to your home network has access to this data," he said.
The researchers also are worried that the data could be collected and sold to advertisers. In addition, it could be used by entertainment companies to check that pirated content is not being viewed, Loehr said.
"With that kind of data a company could sell it to a marketing or promotion company and they can create detailed or personalized ads," he said. "And they could detect that someone was watching an illegal copy of a film."
"Unfortunately, smart meters are able to become surveillance devices that monitor the behavior of the customers," the paper concludes. "This leads to unprecedented invasions of consumer privacy."
The researchers contacted the maker of the smart meters and were told that encryption and data signing will be included in the next generation of the devices, but it could be as many as 10 years before devices already installed are replaced, according to Loehr.
Representatives from Discovergy did not respond to an e-mail seeking comment.
The researchers have not looked at other smart meters deployed in the U.S. and elsewhere, and have not analyzed what data, if any, could be gleaned from activity on personal computers. By comparison, smart meters operated by PG&E in California, for instance, record residential power usage in hourly intervals.
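To make the role of the reporting interval concrete, here is an added illustration that is not taken from the researchers' paper or from Discovergy. It uses constructed brightness data and an assumed linear load model (150 W base load, up to 100 W of TV draw, Gaussian noise) to score how clearly the watched content stands out from unrelated content over the ten-minute window the researchers cite; all function names and values are hypothetical.

```python
import random
from statistics import mean

METER_INTERVAL_S = 2      # reporting interval described in the article
WINDOW_S = 600            # two consecutive 5-minute chunks of viewing

def pearson(a, b):
    """Pearson correlation of two equal-length sequences."""
    ma, mb = mean(a), mean(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / (va * vb) ** 0.5

def brightness(seed, n):
    """Constructed per-sample average screen brightness in [0, 1]."""
    rng = random.Random(seed)
    return [rng.random() for _ in range(n)]

def household_load(screen, seed):
    """Assumed model: 150 W base load + up to 100 W of TV draw + noise."""
    rng = random.Random(seed)
    return [150 + 100 * b + rng.gauss(0, 5) for b in screen]

def downsample(samples, factor):
    """Average complete blocks of `factor` samples (coarser reporting)."""
    return [mean(samples[i:i + factor])
            for i in range(0, len(samples) - factor + 1, factor)]

def separation(interval_s, decoys=5):
    """Return (score of watched content, best decoy score), or None when
    the interval leaves fewer than 3 readings in the viewing window."""
    n = WINDOW_S // METER_INTERVAL_S
    factor = interval_s // METER_INTERVAL_S
    watched = brightness(seed=1, n=n)
    meter = downsample(household_load(watched, seed=99), factor)
    if len(meter) < 3:
        return None
    score = pearson(downsample(watched, factor), meter)
    others = [pearson(downsample(brightness(seed=100 + k, n=n), factor), meter)
              for k in range(decoys)]
    return score, max(others)

if __name__ == "__main__":
    for interval in (2, 60, 3600):
        print(interval, "s ->", separation(interval))
```

In this constructed model the two-second trace separates the watched content from the decoys by a wide margin, while an hourly interval yields no complete reading inside the ten-minute window, so there is nothing to compare.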
Karsten Nohl, a security researcher based in Germany who has previously analyzed mobile phone and smart card security, said privacy issues are just one worry with smart meters.
"It's crucial that privacy considerations of the smart grid are discussed before the technology is rolled out on a massive scale. Side-channel information about user behavior, however, would appear as a minor concern," he wrote in an e-mail. "The very utility companies that collect the power measurements also have the ability to remotely flash software on your meter, your electronic car, your refrigerator, and any other 'smart' appliance. Even if the utilities chose not to abuse this massive surveillance potential, will they be able to protect their systems so others can't either?"