Flawed crypto endangers millions of smart grid devices

The cryptography used in the Open Smart Grid Protocol (OSGP), one of the most widely used smart meter and smart grid device networking standards, can be easily cracked, researchers have found.

Philipp Jovanovic and Samuel Neves have recently published a report in which they detailed a number of practical key-recovery attacks against the OMA digest, the authenticated encryption scheme deployed by OSGP.

“This function has been found to be extremely weak, and cannot be assumed to provide any authenticity guarantee whatsoever,” they noted. “Since the encryption key is derived from the key used by the OMA digest, our attacks break both confidentiality and authenticity of OSGP.”

These findings have proved, once again, that protocol designers should opt for using already inspected, tried-and-true cryptographic algorithms instead of concocting their own.

OSGP has been approves as a standard by the European Telecommunications Standards Institute (ETSI) in 2012, and has since been deployed in over 4 million smart grid devices around the world.

The researchers have disclosed their results to the members of OSGP Alliance late last year, and they acknowledged the findings.

The Alliance has not commented them, but earlier last month they announced they are “preparing an update to the Open Smart Grid Protocol (OSGP) specifications to add additional security features to the existing security architecture currently defined in the specifications.”

“The alliance’s work on this security update is motivated by the latest recommended international cybersecurity practices, and will enhance both the primitives used for encryption and authentication as well as the key length, usage, and update rules and mechanisms,” they shared, and pointed out that “there have not been any reported security breaches of any deployed smart metering or smart grid system built with the current OSGP specifications, and that systems built with these specifications include a comprehensive multi-layer security system that has always been mandatory.”

Don't miss