Now this one takes the cake! Researchers from Positive Security (Fabian Bräunlein and Luca Melette) have just uncovered a totally crazy security flaw in the control system of a large part of the European electricity grid. And hold on tight: the whole thing relies on radio signals… that are not encrypted! 🤦‍♂️

The initial idea of our two friends was quite fun: to recreate the spirit of Project Blinkenlights (a legendary project from 2001 in Berlin that turned the windows of a building into a giant monochrome screen), but this time on a city scale, by remotely controlling the street lamps of the German capital. No bad intentions at the start, just luminous tinkering. Except that while poking around a street lamp whose casing was open, they came across a radio receiver (“Funkrundsteuerempfänger”) used to switch the lighting on or off… and realized that it is the same system that also manages certain renewable energy installations throughout Central Europe! Nothing less.


The official name of the thing is Radio Ripple Control (or Funkrundsteuerung, to keep it local). It is run by a single company, EFR, based in Munich, which operates three large low-frequency transmission stations (two in Germany, one in Hungary) to shower all of Central Europe with radio signals. Now, these signals are neither encrypted nor even authenticated, meaning that anyone can not only listen to them but potentially send them too (and therefore replay or forge commands).

According to researchers’ estimates, this represents in practice:

  • 40 gigawatts of renewable production in Germany (wind, solar, etc.)
  • 20 gigawatts of “controllable” consumption (heat pumps, wallboxes for electric vehicles, etc.)

That's up to 60 gigawatts potentially manipulable via radio signals 😱 and, of course, 450 million people affected across Europe.


This archaic radio protocol, in use for ages, serves not only to light street lamps or control charging stations, but also to broadcast weather forecasts, to transmit the time, or to switch the day/night tariffs on your meter. Suffice it to say that it's a nice multi-function tool… but with the security of a sieve.

To understand how they did it, imagine an improvised lab with an ESP microcontroller, a waveform generator, the coil of a wireless charger as an antenna and a few capacitors (yes, MacGyver would be proud). For almost a year, they reverse-engineered two protocols: Versacom and Semagyr. And after dissecting the DIN standards, going through the configuration software used by technicians, playing with infrared receivers and plugging in probes everywhere, they ended up mastering “the language” of these boxes.

The result?

Not only were they able to make a street light blink (basically, a Streetlight-B-Gone), but they actually sent pirate commands to a real 40 kW photovoltaic installation, causing it to stop feeding electricity into the grid. 🎉 Boom: no more juice!

[Image: receivers and transmitter emulator]

And for gadget lovers, know that they even managed to hack together a “Flipper Zero” capable, via its small 125 kHz RFID antenna, of transmitting FSK at 139 kHz over a radius of one meter! In short, nothing could be simpler than turning off a street lamp right under your nose or shutting down a small solar installation. 🤯

Now, the real touchy question is: can we “turn off Europe” the way we would unplug the neighbor's Christmas lights? Theoretically, on paper, those famous 60 GW could create enough of an imbalance to throw the grid frequency (50 Hz) into a panic and trigger a domino effect on distribution (protection mechanisms, cascading disconnections, etc.). The authors explain that if you managed to switch everything on or off at the same time (production + load), you could, in the worst case, affect a significant portion of the grid.

But… (there is always a “but” 😏) according to several specialists, such as Professor Dr. Albert Moser or Jan Hoff, the grid is designed to constantly “rebalance” itself. And since the action here happens “at the end of the chain”, far from the transformer stations, the grid can react and adapt accordingly. Not to mention that it would be necessary to overpower EFR's legitimate signal or take physical control of its transmitters, which is not so simple. For example, by deploying XXL pirate transmitters, like a weather balloon or a kite carrying 500 meters of antenna plus a 10 kW amplifier, to cover large areas. It sounds crazy… but the researchers point out that a motivated nation-state could do it (hello Russia).

That said, the existence of this unencrypted and unauthenticated system frankly raises eyebrows, especially when we know that it is used for critical control. EFR had indeed developed an encrypted version of the protocol in 2015, but nobody wanted it (cost, complexity, etc.). And today there is even a more modern system called iMSys (Intelligentes Messsystem) which goes through 4G and encryption. Regulators even plan to use a dedicated 450 MHz LTE band for it. The problem is that its deployment is slow, and worse, the large installations that need it most risk being migrated last. On top of that, some cities like Hamburg have only just installed the old system instead of the new one. 🤦‍♂️
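To make the “not encrypted, not even authenticated” point concrete, here is an added toy example (it is not the researchers' code, not EFR's protocol, and the frame layout is an assumption that does not reproduce Versacom or Semagyr). It contrasts a legacy receiver that obeys any frame that parses with a receiver that checks a keyed MAC and a monotonic counter, which is the kind of property an encrypted/authenticated variant like the 2015 one or iMSys is meant to bring: a recorded frame cannot be replayed, and a frame built without the key is rejected.

```python
import hashlib
import hmac
import struct

# Toy frame layout used for this illustration (an assumption; NOT the real
# Versacom or Semagyr encoding, which this example does not reproduce):
#   group_id (2 bytes, big-endian) | command (1 byte) | counter (4 bytes) | tag (16 bytes)
BODY_FMT = ">HBI"                      # group_id, command, counter
BODY_LEN = struct.calcsize(BODY_FMT)   # 7 bytes
TAG_LEN = 16                           # truncated HMAC-SHA256

CMD_OFF = 0x00
CMD_ON = 0x01


def legacy_encode(group_id, command):
    """Unauthenticated broadcast frame: nothing ties it to the operator's
    transmitter, so any frame that parses is obeyed."""
    return struct.pack(">HB", group_id, command)


def legacy_receive(frame):
    group_id, command = struct.unpack(">HB", frame)
    return ("accept", group_id, command)


def auth_encode(key, group_id, command, counter):
    """Authenticated frame: body plus a truncated HMAC-SHA256 tag computed with
    a secret shared between the operator and the receivers of this group."""
    body = struct.pack(BODY_FMT, group_id, command, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthReceiver:
    """Receiver that verifies the tag and refuses counters it has already seen."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1

    def receive(self, frame):
        if len(frame) != BODY_LEN + TAG_LEN:
            return ("reject", "bad length")
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return ("reject", "bad tag")        # forged or tampered frame
        group_id, command, counter = struct.unpack(BODY_FMT, body)
        if counter <= self.last_counter:
            return ("reject", "replay")         # old frame recorded and resent
        self.last_counter = counter
        return ("accept", group_id, command)


def demo():
    """Run the same situations against both receiver types and collect the outcomes."""
    operator_key = b"constructed-demo-key-not-real"   # constructed sample key
    attacker_key = b"some-other-key"                   # the operator key is not known here
    group = 0x1234
    results = {}

    # 1. Legacy receiver: a frame built by anyone is accepted as-is.
    results["legacy_forged"] = legacy_receive(legacy_encode(group, CMD_OFF))

    rx = AuthReceiver(operator_key)
    # 2. Genuine frame from the operator, counter 10.
    genuine = auth_encode(operator_key, group, CMD_ON, 10)
    results["auth_genuine"] = rx.receive(genuine)
    # 3. The same frame captured and resent later: counter already used.
    results["auth_replay"] = rx.receive(genuine)
    # 4. An "off" frame with a fresh counter but the wrong key: tag mismatch.
    results["auth_forged"] = rx.receive(auth_encode(attacker_key, group, CMD_OFF, 11))
    # 5. The operator's next frame with a higher counter is still accepted.
    results["auth_next"] = rx.receive(auth_encode(operator_key, group, CMD_OFF, 11))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} -> {outcome}")
```

Two caveats worth keeping in mind with a design like this: receivers on a one-way broadcast may miss frames, so the check is “counter strictly greater than the last one seen”, not “exactly the next one”, and keys have to be provisioned per receiver group and kept out of the technicians' configuration tools. Neither property stops a stronger transmitter from drowning out the legitimate one, which is exactly the overpowering scenario the article discusses; authentication only ensures that whatever gets through is ignored unless it came from the key holder.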

So should we panic?

No, because to trigger chaos on a large scale, you would have to:

  • Control a large volume of installations (gigawatts in bulk).
  • Overpower the legitimate signal or take complete control of the EFR transmitters.
  • Pick the ideal moment (peak sunshine, a strong share of renewables, etc.).

Suffice it to say that we are a long way from a script kiddie launching a “hack-my-centrale-electric.sh”. But the threat remains plausible for a highly organized actor, and the researchers have reported it to the authorities. Besides, Der Spiegel confirms that, according to some experts, a coordinated blackout scenario “is not impossible”.

There were even tense exchanges because the EFR company threatened the researchers with legal action, then officially declared that all this was exaggerated… even though they had previously admitted to being aware of the problem for years.

In short, no immediate stress if you were imagining total chaos, but this discovery clearly highlights (haha) the fragility of certain parts of our critical infrastructure. The researchers hope that the media coverage of their discovery will finally accelerate the deployment of safer solutions (like iMSys) and the replacement of these archaic Funkrundsteuerung receivers.

For those who want to dig deeper into the technical side and the duo's very thorough analysis, you can read the original article, in English, on Ars Technica, or watch their talk given at 38c3 (Chaos Communication Congress), available here.
