Utility companies around the country are in the process of installing millions of smart meters in homes to better manage energy consumption, respond more effectively to demand and eventually offer tiered rating plans based on a consumer's energy use habits.
The problem is that there are no publicly available tools for testing the security controls of these systems, McIntyre said. Poorly configured and poorly protected smart meters can allow attackers to take control of the system and manipulate the data that they collect and transmit, he said.
"They can read and modify any data, they can reset usage tables, they could change the rate type," and commit other types of fraud, he said.
Most meters provide low-level access to the device, mid-level administrative access and super-user privileged access to the device, he said. Without the proper tools there is no way that utility companies and others can verify the strength of the access control and authentication mechanisms the device maker might have put in place for controlling access, he said.
McIntyre downplayed concerns about tools such as Termineter giving malicious hackers easy access to something they can use to attack smart meters. The same sort of open source tools that were used to build Termineter are available to anybody who wants them, so there's no telling if similar tools haven't already been built by malicious attackers, he said.
The tool as it exists today also requires the attacker to have a fairly good understanding of how smart meters work. To get it to communicate with a smart meter, users need to get physical access to the device, he said.
Meanwhile, according to a description of InGuardians' presentation at Black Hat next week, the company will show how criminals can gather information and authentication credentials from smart meters. The company will also show how a smart meter's IR port can be used to interact with the device.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.