A paper warned designers that a stronger encryptation architecture is needed in the smart grid network.
The study by Philipp Jovanovic of Germany’s University of Passau and Samuel Neves of Portugal’s University of Coimbra, found that "weak cryptography" puts at risk millions of smart meters, thermostats, and other internet-connected devices.
They analysed the cryptography used in the Open Smart Grid Protocol (OSGP), a group of specifications published by a European telecoms standards body.
Researchers tested several devices, and said hackers can easily break into most of them, and in one case, the authors said they could "completely" defeat a device’s cryptography.
The researchers said: "The authenticated encryption scheme deployed by OSGP is a non-standard composition of RC4 [Rivest Cipher 4] and a home-brewed MAC [message authentication code], the OMA digest.
"We present several practical key-recovery attacks against the OMA digest. The first and basic variant can achieve this with a mere 13 queries to an OMA digest oracle and negligible time complexity. A more sophisticated version breaks the OMA digest with only four queries and a time complexity of about two to the power of 25 simple operations.
"A different approach only requires one arbitrary valid plaintext-tag pair, and recovers the key in an average of 144 message verification queries, or one ciphertext-tag pair and 168 ciphertext verification queries."
The OSGP Alliance said: "The alliance’s work on this security update is motivated by the latest recommended international cybersecurity practices, and will enhance both the primitives used for encryption and authentication as well as the key length, usage, and update rules and mechanisms."