It is extremely strange they don't use even primitive encryption. I work for Russian company "Strizh Telematics", we are making smart resource meters. We take security very seriously here: all transmits are encrypted with 64 bit keys and data protocols are specifically protected from statistical and repeat-packet attacks.
That's great, but using a 64-bit key in 2017 isn't "taking security seriously". Especially if you are designing meters that will have a lifespan of 10+ years, therefore must be secure until 2027 and beyond.
Our most talkative meters are currently broadcasting 4 packets of data per hour. Water meters with autonomous power are limited to one or two (for central hot water supply) packets per day. With all the randomness added collecting data for successful key bruteforcing will take months or even years. On the other hand, using 64 bits allows us to use 16- or even 8-bit microcontrollers, which is beneficial to power consumption. Of four recources commonly metered in Russia - electricity, water, gas and heat - three should use autonomous power. We also making an autonomous plug-in modules for popular "dumb" electricity meters - to simplify installation. They broadcast once a day too so the battery could last for 6 years.
I can't speak to the specifics of your project, but 128-bit symmetric crypto on 8-bit microcontrollers is perfectly possible, at a low power budget and with relatively small code and RAM usage.
When we were looking at the task of creating autonomous battery-powered reasonably-sized device with 6 years lifespan - we took into consideration every single point where we could conserve power. Now we have what we have, not what you think we could have. Feel free to try and break our encryption with couple kilobytes of ciphertext on hands - you will have a prize of reading your neighbour's water consumption data on a daily basis)
> Of four recources commonly metered in Russia - electricity, water, gas and heat
When you say "heat" - is this steam from a combined heat & power plant? I was aware these were quite widespread in Russia but didn't know they were metered.
No, not steam, just hot water. Yes, mostly from heat & power plants, but sometimes from gas-powered local boiler plants. They are metered on per-building basis, but there's technical possibility to install individual meter and pay only for actual consumption.
It's fairly common in eastern and northern Europe too. In my building there is a single heat pipe from the city, however each unit has it's own meter for cold water, hot water (for taps) and hot water (for heating). The hot water meters are different in that the first measures the water flow, and the later measures the heat flow.
Every device has it's own unique keys - one for transmitting data and another for receiving commands. They are burned with firmware in production. If you are interested in bruteforcing - I can send you two weeks worth of my home water meters' data packets to play with :) See, the CRC is calculated for encrypted data, so there is no way to know if the guessed key is correct.
I'm curious, if someone finds a vulnerability in your algorithms somewhere, will you be able to quickly deploy updates to all the installed smart meters? Because, honestly, "taking security very seriously" doesn't mean anything anymore.
Everyone knows that in "IoT" letter "S" means "security" :) We do have an ability to burn updated firmware for most of the devices on premises using special hardware pieces, similar to ones used by factory staff. For less complicated devices we can just replace microcontroller modules, and reuse old ones later. That would be quite expensive, but we'll live. I heard there's some sort of insurance contract for that matter.
