
512 bit RSA key factored gaining access to a large UK energy company

Anders155

Summary

 This researcher bypassed the authentication system because it was just protected by a 512 bit key. He gained access to 200MW of capacity that he could use whenever he wanted. It only cost him 70 dollars and the company in question fixed the issue quite fast. It uses OpenSSL.

 

Quotes

Quote

When Ryan Castellucci recently acquired solar panels and a battery storage system for their home just outside of London, they were drawn to the ability to use an open source dashboard to monitor and control the flow of electricity being generated. Instead, they gained much, much more—some 200 megawatts of programmable capacity to charge or discharge to the grid at will. That’s enough energy to power roughly 40,000 homes.

 

“My plan is to set up Home Assistant and integrate it with that, but in the meantime, I decided to let it talk to the cloud,” Castellucci wrote Thursday, referring to the recently installed gear. “I set up some scheduled charging, then started experimenting with the API. The next evening, I had control over a virtual power plant comprised of tens of thousands of grid connected batteries.”

 

My thoughts

 I feel that a smart home is already risky enough with the whole potential to be hacked and locked out of your own home but overcomplicating power is a step too far for me personally. 

 

Sources

 https://arstechnica.com/security/2024/08/home-energy-system-gives-researcher-control-of-virtual-power-plant/


512 bit RSA keys were deprecated a long time ago. If you have a smart home appliance that hasn't switched to 2048 bit or greater, something is seriously wrong with its developer.

 

However, this is less about smart appliances and has more to do with the power company not protecting their web facing API properly. Not sure what you mean by "overcomplicating power" in this context.

Remember to either quote or @mention others, so they are notified of your reply


1 hour ago, Anders155 said:

I feel that a smart home is already risky enough with the whole potential to be hacked and locked out of your own home but overcomplicating power is a step too far for me personally. 

Virtual power plants can be a massive thing in regards to grid stability/green if done correctly.

 

Specifically, if the power companies are able to utilize virtual power plants [which you need the "overcomplicating" to do] in order to meet the quick demand it saves having to run additional power plants that are effectively doing nothing but keeping the momentum of the system.

 

Overall power is actually insanely complicated when we are discussing things at a power plant/electrical grid level...and things like battery walls are part of that.  It actually takes a whole lot of coordination to keep things running, and as the example of when the east lost so much of their power it shows how bad it can be when it fails.

 

It's a trade-off, and really they just needed to make sure it was more secure, but having things more automated and accessible is actually really a good thing.  Here with the smart meters, Hydro is able to know of an outage pretty much within minutes of an outage happening and can start the dispatch [as they will know the size, customers affected and maybe even guessing at the initial cause].

 

44 minutes ago, Eigenvektor said:

512 bit RSA keys were deprecated a long time ago. If you have a smart home appliance that hasn't switched to 2048 bit or greater, something is seriously wrong with its developer.

Depending which standard you are going by 512 bit RSA keys aren't deprecated [although they are labeled as weak and low security].  Albeit even in 2015 you could spend less than $100 to crack 512 RSA....so realistically it shouldn't protect anything except maybe internal stuff that really doesn't have a target but you don't want to be travelling unencrypted either

 

With that said, I do agree it should be 2048; although 1024 probably still is at a point where it's out of reach of all but larger entities.

 

With that also said, I wonder how many companies have, let's say, export limitations imposed on them.  Like if you are a company in the US, selling/exporting devices, you are limited to 4096 RSA keys. [I always find it such a bizarre concept that encryption strength is such a strongly sanctioned area]

3735928559 - Beware of the dead beef


4 minutes ago, wanderingfool2 said:

Depending which standard you are going by 512 bit RSA keys aren't deprecated [although they are labeled as weak and low security].

That's what I meant by deprecated in this context. Weak and should no longer be used to secure anything. The first successful attack was back in 1999. Admittedly it did take seven months of supercomputer time, but that was 25 years ago. In 2009 time was down to three weeks and was achieved by hobbyists and in 2015 it was down to four hours using $75 worth of AWS compute time.

 

Imho there's no excuse to use anything less than 2048 bit unless you need to be backwards compatible with legacy software that can't be updated for whatever reason. In fact, unless you're dealing with extremely weak hardware, there's no reason not to go 4096 bit (provided you aren't subject to export restrictions, as you mentioned).

 

Quote

Anticipating the inevitable fall of 1024-bit RSA, the US National Institute of Standards and Technology stopped allowing its use in 2013 and will stop allowing the use of 2048-bit RSA in 2031. Microsoft earlier this year announced the deprecation of 1024-bit RSA in Windows.

Remember to either quote or @mention others, so they are notified of your reply
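
Added example, not part of any post in this thread: a standard-library Python check that reads the modulus size out of a DER-encoded RSA public key (PKCS#1 or X.509 SubjectPublicKeyInfo) and rejects anything under the 2048-bit floor discussed above. The function names are hypothetical and the sample keys are constructed filler moduli, not real keys.

```python
# Added example: audit RSA public-key size from DER bytes (standard library only).
# Assumption: 2048 bits is the minimum, as argued in the thread; names are hypothetical.

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def rsa_modulus_bits(der):
    """Modulus bit length of a PKCS#1 RSAPublicKey or an X.509 SubjectPublicKeyInfo."""
    tag, start, _end = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, v0, v1 = _read_tlv(der, start)
    if tag == 0x30:                        # SPKI: AlgorithmIdentifier, then BIT STRING
        tag, b0, b1 = _read_tlv(der, v1)
        if tag != 0x03:
            raise ValueError("expected BIT STRING")
        return rsa_modulus_bits(der[b0 + 1:b1])   # skip the unused-bits byte
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(der[v0:v1], "big").bit_length()

def verdict(bits, minimum=2048):
    """'ok' at or above the minimum size, otherwise 'reject'."""
    return "ok" if bits >= minimum else "reject"

# Constructed sample inputs: filler moduli, not real keys.
E = bytes.fromhex("0203010001")                         # public exponent 65537
PKCS1_512 = bytes.fromhex("3048024100") + b"\xc3" * 64 + E
SPKI_512 = bytes.fromhex("305c300d06092a864886f70d0101010500034b00") + PKCS1_512
PKCS1_2048 = bytes.fromhex("3082010a0282010100") + b"\xc3" * 256 + E

if __name__ == "__main__":
    samples = [("pkcs1-512", PKCS1_512), ("spki-512", SPKI_512), ("pkcs1-2048", PKCS1_2048)]
    for name, der in samples:
        bits = rsa_modulus_bits(der)
        print(f"{name}: {bits} bits -> {verdict(bits)}")
```

To audit a PEM file, base64-decode the body between the BEGIN/END lines and pass the resulting bytes to `rsa_modulus_bits`.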


4 hours ago, Anders155 said:

 I feel that a smart home is already risky enough

Like so many things, that depends on the implementation, which, like the current example, is more often than not bad, to put it mildly...
