
Smart meter crypto flaw worse than thought - niyazpk
http://rdist.root.org/2010/01/11/smart-meter-crypto-flaw-worse-than-thought/
======
seigenblues
I wish they mentioned any specific smart-meter vendors using those chipsets!
Maybe this will get picked up by some greentech bloggers & develop into a real
story.

~~~
tptacek
We've worked extensively in this field, primarily to help vendors ship these
products more safely --- so we're enjoined against publishing specifics. But
it's a real problem, and I'd refer you to IOActive (a competitor of ours) for
details.

Two things to remember about embedded RF devices and security:

* The boards themselves are a hostile environment for developing crypto, because they're solid state (low entropy), severely power constrained, and have very little headroom for code storage; the difference between supporting SHA1 vs. MD5 could come down to blowing the instruction store budget.

* RF is a hostile place to deploy crypto, because it's group based, severely rate limited, slow, and every individual bit of message encoding is precious.

Very smart developers never get crypto right even in environments where a
shift from an MD5 MAC to a digital signature is just a line of code, without
regard to message sizes, and where the only constraint against adding protocol
steps is breaking compatibility with software that can be upgraded in minutes.
Draw your own conclusions about how hard this problem is.

(As Nate pointed out a year or two ago, the exact same problem exists with
tolling systems).

~~~
cperciva
_they're solid state (low entropy)_

That doesn't necessarily follow. It's easy to put a real RNG into silicon; the
problem is simply that very few people bother.

~~~
tptacek
It's not as simple as you make it out to be, but you have me at a disadvantage
as I've actually worked on products like these and can't rebut with specifics.

In the meantime, I'd dispute the idea that embedded developers even understand
the relationship between secure random number generation and cryptography,
outside of the abstract.

It's also the case that amongst security practitioners in _general purpose code_
there is still precious little best-practice understanding of how to groom and
maintain secure RNGs; a Black Hat talk from just a few years ago busted up a
bunch of RNGs on security products, both with algorithmic attacks and things
like cold-start entropy.

~~~
cperciva
_I'd dispute the idea that embedded developers even understand the
relationship between secure random number generation and cryptography, outside
of the abstract._

Sure, of course. My point was that, compared to issues such as power
constraints, code size, bandwidth, et cetera, the problem of getting entropy
was more of a "people are doing things wrong" issue and less of a "laws of
physics get in the way" issue.

------
gourneau
Goodspeed is not just an awesome hardware hacker, he and I are the world's
finest belt buckle engineers. We created a printed circuit board in the shape
of our home state Tennessee, unquestionably the best shaped state for a belt
buckle. The perimeter of the PCB is encrusted with LEDs, and when a button
labeled "PARTY MODE" is pressed an MSP430 will blink the lights.
([http://www.flickr.com/photos/travisgoodspeed/3471776770/in/p...](http://www.flickr.com/photos/travisgoodspeed/3471776770/in/photostream/))

It turns out that chicks also dig it, see <http://tnbelt.com> for more.

