[Eduard]

TL;DR: by law, German power stations are required to "turn off" (taken off the energy grid) when they receive specific radio messages. This is intended for energy grid load balancing.

Unfortunately, the message protocol is completely flawed security-wise, which allows malicious actors to control the power station.

It would require only a handful of strategically placed senders to control an estimated 20 gigawatt of load Germany-wide, causing havoc on the European energy grid (brown-out, cascading effects, etc.).

The security researchers followed a responsible disclosure towards the vendor, EFR, who reacted with sending letters from their lawyers.

Today's SPIEGEL online news magazine pre-talk report ( https://archive.is/p66as ) on this topic cites EFR that the proposed attack vector is not possible.

The security researchers therefore made the last minute decision to go full disclosure with today's talk to press on the urgency of the topic.

[jdiez17]

Just read the SPIEGEL article and I think it’s a pretty balanced report on the positions of both sides. Basically, it comes down to the assertion that you can’t reach a large number of electricity generation plants with “simple radio equipment”. That is the position of EFR, and sadly, the Bundesnetzagentur (the radio communications regulator in Germany).

I haven’t watched the talk yet but I think it’s pretty clear to all of us on this website, that sending a specific short radio transmission to a large area is not an insurmountable challenge for our favorite terrorist state.

What I don’t understand is why there is such a reluctance to admit that these problems exist and work towards fixing them. Instead we pull the Ostrich maneuver every time. One day it’s going to really bite us in the ass.

EDIT: after watching the talk, the funny thing is that all of the “business secrets” that EFR is accusing our fellow hackers of leaking, are actually mostly DIN standards. In other words, they are just upset that someone is talking about the fact that no efforts have been made to proactively secure these receivers. Peinlich.

[semi-extrinsic]

IANAL, and didn't watch the full recording yet. But if the EFR lawyers are threatening the hackers with "leaking business secrets", they have to be wildly incompetent. I won't give those guys any ideas, but I'm certain there are much more scary parts of DE/EU law that you could threaten with.

[Etheryte]

Ass covering, so much ass covering everywhere. I've done a fair bit of consulting for the public sector and figuring out their office politics is often the only real way to get anything done, the actual technical discussion is often secondary.

[trebligdivad]

I think they kind of have a point; they were talking about needing a 10kW transmitter - that's a heck of a lot of power for a transmitter, not easy to make at all. And at those frequencies, the antenna is a challenge. Having said that, a bunch of few-hundred W transmitters in convenient places would be a lot easier, and there are probably easy but inefficient antenna hacks (drop a wire down a cliff/across a park/out of the top floor of a tower block?)

[grumpy-de-sre]

I beg to disagree, 10kW at ~140khz is actually relatively straight forward with modern semiconductors and LiPo's. Eg. the inverters in a Tesla Plaid can do up-to 750kW, so I think two orders of magnitude more power is theoretically possible.

And then they left out that at such long wavelengths there are some unconventional antenna topologies available. Some of which are a lot more feasible than anything that was discussed in the talk.

The dismissal is quite concerning IMO.

[Eduard]

Also, IMHO instead of a few strong senders, an attacker could use more low-powered senders placed in proximity to power stations.

[randunel]

Insurmountable? How many russian citizens live in Germany? And how many russian fanboys with a non-russian citizenship? Now extend that to neighbouring countries, or the Schengen area.

[jdiez17]

You may want to reread my post.