In my blog about smart meters, I asked who is looking after the consumer’s interest in smart meters. Ethernet over Power adds a new dimension to the debate.
I received many private comments on the smart meter blog – mainly commenting that security was being taken care of by ‘XYZ standard’, or that vendor group ‘ABC’ takes the issues seriously. But to me, they simply confirmed my view, as everything seemed to be a supply-side driver, not the consumer side.
Ethernet over Power (or Internet over Power) would seem to raise the same set of issues: How far does my LAN extend, and what are the security considerations?
Taking the simple part of the question first: if I use Ethernet over Power, how far does my LAN now extend? Using Google, I could not find a satisfactory answer, so I placed a question on LinkedIn Answers (RIP).
Here is one of the replies:
It’s possible the signal can reach your neighbors. One example is if you live in an apartment, duplex, or condo with several units powered from the same transformer. Another example is two houses fed by the same transformer. If it’s above-ground you can identify the transformer that feeds a house by looking at the power lines that reach the house. Then see if any other nearby houses are fed by the same transformer. You may be sharing with them.
So I now need to go into the street and figure out how the electricity company wired my house?
It was also interesting to note that I could not get a reliable answer as to whether the Earth or Neutral cable was used to convey the signal. “Google” seemed equally confused.
My next question is: how reliable is the security mechanism? One respondent answered:
Most of the devices come with encryption built-in (don’t forget to change default passphrases!), so it comes down to:
a) Whether you trust the algorithm(s) they provide (check the device specs);
b) Whether you trust the vendor to have implemented encryption properly; and
c) What cryptanalysis capability you think your neighbors have available to them.
Good advice – but on my device, there is no password change option; I am stuck with the defaults.
I also got the reply:
There is no real specific security added to these, but it is not needed – the security is the same as the whole of the internet, using other “layers” on top of this. Interception of the basic signal is just not considered ANYWHERE in internet technology – you can tap conventional phone or data transmissions with a few $ of kit and knowledge available on the web.
I am not quite so sure about this reply. What about all those lower-layer network activities like NetBIOS and ARP broadcasts etc., enabling the mapping of my network by my neighbour?
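One check a home user can make for the concern above, as an added example that is not part of the original post: it parses a Linux ARP cache in the `/proc/net/arp` format and lists any device that is not in a known-device inventory. The sample cache, MAC addresses and inventory are constructed for illustration.

```python
# Added example: flag hosts in a Linux ARP cache that are not in a
# known-device inventory. All sample data below is constructed.

SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:00:aa:00:01     *        eth0
192.168.1.20     0x1         0x2         02:00:00:aa:00:14     *        eth0
192.168.1.57     0x1         0x2         02:00:00:bb:00:39     *        eth0
192.168.1.90     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

# Constructed inventory of devices the householder actually owns.
KNOWN_DEVICES = {
    "02:00:00:aa:00:01": "router",
    "02:00:00:AA:00:14": "laptop",
}

ATF_COM = 0x2  # kernel flag: entry is complete (a MAC address was resolved)


def parse_arp(text):
    """Return (ip, mac, device) for every resolved entry in the cache."""
    entries = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue  # ignore blank or malformed lines
        ip, _hw_type, flags, mac, _mask, dev = fields
        if not int(flags, 16) & ATF_COM:
            continue  # unresolved entry, no real MAC to compare
        entries.append((ip, mac.lower(), dev))
    return entries


def unknown_hosts(text, known):
    """Return resolved entries whose MAC is not in the inventory."""
    known_macs = {mac.lower() for mac in known}
    return [e for e in parse_arp(text) if e[1] not in known_macs]


if __name__ == "__main__":
    for ip, mac, dev in unknown_hosts(SAMPLE_ARP, KNOWN_DEVICES):
        print(f"unknown device on {dev}: {ip} {mac}")
```

The ARP cache only lists hosts this machine has recently exchanged traffic with, so an empty result does not show that the powerline segment stops at the property boundary.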
Some of the other replies did not really address the security part of the question.
So it seems, by this very simple, unscientific, item of research, there is room for improvement in the awareness of the IA issues related to Ethernet over Power. The poor, non-technical consumer does not have a hope of running a secure network at home.
It leaves me once again wondering, are we in danger of building complex systems in people’s homes, for which the basic principles of information assurance break down (because nobody fully understands the IA impact of the technologies in their house)? I fear the poor consumer (who has already lost pretty much all hope of privacy online) is sleepwalking into a security mess.
But then, I read figures that say 40% of homes are already infected by a virus in some way, so maybe I am worrying about something that most people simply don’t care about.