Millions of thermostats and other smart devices could be under threat thanks to poor encryption, new research has revealed.
The Open Smart Grid Protocol (OSGP) is one of the most widely used smart grid networkings standards in the world, but in what could be a nasty blow for the future of the Internet of Things, it has been discovered that over four million devices worldwide that rely on it could be sitting on a ticking time bomb.
The flaw was uncovered in a paper, 'Dumb Crypto in Smart Grids: Practical Cryptanalysis of the Open Smart Grid Protocol' by Portuguese security researchers Philipp Jovanovic and Samuel Neves, which shows that weak, homegrown cryptography means the devices can easily be hacked.
> See also: Privacy, smart meters and the Internet of Things
The security researchers explains how the authenticated encruption scheme used in OSGP is 'extremely weak, and cannot be assumed to provide any authenticity guarantee whatsover.' They then demonstrated multiple attacks of different types that could easily be carried out, some of which were described as 'devastating.'
So where has OSGP gone so wrong? Some have accused the standards body of breaking 'the first rule of crypto-club' by using homegrown cyphers instead of peer-reviewed ones that are open to the scrutiny of the security community at large – a move that Adam Crain, security researcher and founder of Automatak described as 'a big red flag.'
It was way back in 1999 that prolific security blogger Bruce Schneier described new, untested cryptography as 'snake oil,' pointing out that 'no single company (outside the military) has the financial resources necessary to evaluate a new cryptographic algorithm – if you write your own, you will probably make mistakes.'
'It's hard enough making strong cryptography work in a new system,' said Schneier. 'It's just plain lunacy to use new cryptography when viable, long-studied alternatives exist… new cryptography belongs in academic papers, and then in demonstration systems.'
'In cryptography, there is security in following the crowd. A homegrown algorithm can't possibly be subjected to the hundreds of thousands of hours of cryptanalysis that DES and RSA have seen… by following the crowd, you can leverage the cryptanalytic expertise of the worldwide community, not just a few weeks of some analyst's time.'
Worrying then, that the better part of a decade later and industry bodies charged with securing such vital infrastructure as smart grids are still making the same old mistake. But now that we're beginning to enter the era thousands of interconnected devices, half-baked, untested encryption could get the whole concept of the Internet of Things off to a shaky start.