Case #14: Power company leaking personal info and usage data

Information about thousands - theoretically maybe hundreds of thousands - of customers could be stolen.

Published: Tue, April 10, 2018, 08:25
Security Monday
Information leak
Smart meter
Account takeover
OWASP 2017 A5

tl;dr 🔗

The electric power company Norgesnett had a security vulnerability that made it possible to get access to thousands of customers' personal info + their usage data. This was probably also the case for quite a few of the hundreds of customers of the company Enoro - the creators behind the vulnerable software.

Summary 🔗

Who: Norgesnett and Enoro
Severity level: Medium
Reported: February 2018
Reception and handling: Good
Status: Fixed
Reward: A thank you
Issue: Information leak with personal information, power usage data, audit reports, meter number

Background 🔗

All electricity consumers in Norway will receive smart meters by January 1st 2019. There has been a little bit of controversy in regards of the meters. The most extreme skeptics are afraid of the radiation from the new meters as they typically communicate back to the so-called distribution system operators (DSO) via radio or the mobile network. Then you have the ones that are afraid that the electricity will become more expensive - at least for families that don't have that much flexibility in regards of when they need to use electricity. And then thirdly, you have those concerned about data security and privacy because of the frequent readings done by the power companies.

The Norwegian Data Protection Authority (Datatilsynet) has written a bit about the new smart meters (Norwegian only) and how they can in theory be used to track individuals and both reveal and predict if people are and will be home at a certain point in time.

I also think the article from about smart meter security (Norwegian only) is pretty interesting in this context.

The new smart meters come with a Home Area Network (HAN) interface where you can get more details about your power usage. My house is a smart home and I want to integrate and use the data available through the HAN interface (which sends OBIS messages via M-Bus). So, around the time I got the new meter I logged into Norgesnett's site to get more information and see what kind of meter data that was available. I used this opportunity to check if Norgesnett protects my data..

Approach (technical stuff) 🔗

When logged in to Norgesnett's site I had the Vivaldi developer tools open and took the regular look at source code, network calls etc. Most of it looked pretty good.

Norgesnett has this feature where you can add other "customer relationships" to your main account. Using that feature you can easily switch between your different accounts. To add another customer you need their customer ID and 4 digit PIN. The customer IDs seem to be just an incremental integer. Maybe one could get hold of other users' PIN?

They have also have this online form where one can change one's own personal data. For some reason the customer ID is posted as part of the form. I asked for a friend's customer ID and quickly found out that I could post with his customer ID and an e-mail address of mine.

After that was done an e-mail was automatically sent with both my friend's PIN and a direct link to finish the connection between the e-mail address and customer ID. The link didn't work for some reason, but with the PIN I could add the account as a "customer relationship" to my own account.

If the other user had specified the e-mail address for getting alerts, one could even change back the e-mail address and no one would ever notice that the account was accessed. Of course, one can hope there is some kind of logging in place that potentially could catch up on this.

Using some of the wordings and URLs used for the login page it's easy to find other of Enoro's customers who have the same customer system in place. And there's a quite a few.

Security issues

One could systematically go through all customers and retrieve the following information:
  • Customer ID
  • Customer PIN
  • Meter number ("målernummer")
  • Meter ID ("målepunkt-ID")
  • Full name
  • Full address
  • Date of birth
  • Phone numbers
  • E-mail address
  • Historical power usage
  • Invoices
  • Audit reports

I hope they don't have unlisted and secret addresses available.

The power usage is not reported at near realtime on Norgesnett's customer faced website, but rather weekly + start of month. Hopefully they would have noticed that something was going on if this was to be taken advantage of in a large scale.

This is speculation as I have not tried to confirm the vulnerability for other Enoro customers than Norgesnett (and not more than one other customer), but a quick Google search makes me believe at least the following 14 power companies have the vulnerability:

  • Norgesnett (96,000 customers)
  • Agder Energi Nett? (195,000 customers)
  • Eidsiva Nett? (159,000 customers)
  • Los? (150,000 customers?)
  • Gudbrandsdal Energi? (>100,000 customers)
  • Glitre Energi? (90,000 customers?)
  • Oppdal Everk?
  • Orkdal Energi?
  • Smart Energi?
  • Polar Kraft?
  • Akraft?
  • Hålogaland Kraft?
  • Agder Energi Nett?
  • Hjemkraft?

There could absolutely be more companies than these as well.

In Norway we can have separate companies for electricity distribution ("nettselskap") and electricity retailing ("kraftselskap") which makes some persons appear multiple times in those numbers.

Reception and handling 🔗

Day zero 🔗

I wrote an e-mail to Norgesnett's customer support in the evening telling about the issue. I immediately got an automatic response.

Day 1 🔗

Around noon I got a reply back thanking me and telling me they had relayed the message to their system vendor (Enoro) and that it should be fixed shortly.

I never heard back after that, not even when I told them I was going to post this, but I got a confirmation from a journalist that Enoro said the issue was fixed.

Conclusion 🔗

I don't really want this to be a discussion about smart meter security. Unless someone hacks the firmware on your meter no one should externally be able to track individuals. In the case of Norgesnett it also would be hard to track if someone in a house is on vacation.

I think of this as yet another case showing that your personal data is not safe; it's long gone. Close to all your personal information is already in the hands of anyone who wants it. But I do hope that power companies in general have their security in order.

Get notified when there are new posts! :-)