72

I have 2 Zyxel PLA407 powerline adapters. Router is downstairs connected to one adapter, other adapter is upstairs about 30 feet away connected to a desktop. I have a house, not an apartment or townhouse.

I've noticed the speed is much faster when I just plug and play, rather than going through the encryption process - it's a little difficult.

So my question is, on a closed loop system - electricity inside my house - do I really need to set up the encryption? Or is it secure by the nature of the system itself? How much of it 'leaks out' without encryption?

This question was IT Security Question of the Week.
Read the Mar 15, 2012 blog entry for more details or submit your own Question of the Week.

v15
    What country/state are you in? Electrical standards differ, so I doubt there is a generic answer to your question. What might be secure for you, might be insecure for someone else... –  Dec 13 '11 at 19:10
  • I live in the U.S. – v15 Dec 14 '11 at 14:34

8 Answers

42

You do get some security from the way your fuse box is connected to the mains.

In principle you should get a good signal across any part of the wiring in your house that is on the same phase, and you shouldn't get any on the other phases.

In reality though, that isn't quite true - depending on your fuse box, you may get some bleed over onto the other phases, and you will almost definitely get leakage outside your 4 walls.

This is why encryption was put in place on these types of things - a neighbour may be able to sniff your traffic.

Things that help with security, because they hinder signal strength - surge protectors, UPS's etc. but those don't prevent an attacker.

tl;dr

Encrypt, because you will be leaking signal. Not so much wirelessly (it can be done but it is tricky) but just across the existing mains wiring.

Rory Alsop
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/106459/discussion-on-answer-by-rory-alsop-are-powerline-ethernet-adapters-inherently-se). – Rory Alsop Apr 08 '20 at 08:45
39

I live in a detached family home in Texas. I have a pair of Trendnet TPL-303E powerline adapters and have experienced the signal bleed from my next door neighbor. I ran the Powerline utility that came with the adapters and could identify two other powerline adapters using the same network name. I got anywhere between 10 to 20Mbps of throughput between their adapters and mine. I even separated my powerline adapters from my router and connected them direct to my pc to see how bad the bleed was. I was able to access their router, watch streaming video and see the computers on the network. I also noticed they had gotten IPs on my router also. I've since enabled security.

Damien
20

I realize that this isn't what you're asking, but it's important enough that I decided to write it anyway: If security is important to you, then you should, as a rule, assume that ALL networks are insecure. (because in the end, they all are)

Many of the more expensive network security disasters in IT have come from the assumption that "behind the firewall" everything is safe. Then when an external influence leaks in, as always eventually happens, it runs rampant and unchecked. I've witnessed this happen several times working for companies that should have known better, like IBM.

Instead of relying on a secure perimeter, each node should be its own island of security with proper authentication and permission checks happening at each step along the way. Your system should be as secure in its home environment as it is out on the open Internet. Obviously you don't want to expose your systems to more risk than you have to, but that also means that you don't let your guard down behind the firewall.

Also, to answer your real question: yes, these systems are inherently insecure, especially in an apartment. Generally the signal can't reliably get past your power meter because the equipment installed there isn't friendly to that kind of signal. But that's usually expressed more as a "don't expect it to work when you want it to" sort of warning rather than an assurance of security. Field reports from users frequently suggest that they can see other people's network if they're physically close enough.

tylerl
10

It seems that powerline ethernet adapters are often, formally, a breach of your contract with your power supplier, because the power lines have not been designed and normalized for that kind of usage. You won't get into problems if you have the right kind of converter between your house and the main power line. If the converter is old, it is possible that you are actually broadcasting your data to every house in the street...

Chances are that your converter is fine and you do not broadcast data that way. However, you are sending high-frequency signals through wires which are not shielded for that. Consider alarm clocks with FM radios: many use their power cord as antenna. So power cords must be workable hardware for picking up 100 MHz signals. And 100baseT ethernet has a base signal clocked at... 100 MHz ! So the powerline adapter is sending your precious data bytes into a big structure of wires (all the power lines in the house) which is likely to act as a big antenna. This cannot be hard to pick up remotely.

If the adapters are bad at crypto, you should be able to activate it on the machines themselves, at the OS level (IPsec is supported by many OS, including Windows since Windows 2000).

Thomas Pornin
10

There's a lot of good general security practice information in the other answers, but as I've just been researching for myself the implementation of security in the HomePlug AV spec (used by the devices you mentioned, and many others), I thought I'd add a little more specific info not covered yet.

First, there's no such thing as unencrypted data transfer under the HomePlug AV spec (with some non-security-related exceptions). All data transmission is secured with AES-128. (Reference) What the encryption/securing/pairing process does is set up a new network key (referred to in the spec as the NMK, Network Membership Key) to replace the default key that the devices ship with. In other words, out of the box, your communications are encrypted, but not private (since any other device would be able to connect using the same default key). So it seems odd to me that you see a performance difference before and after going through the devices' "encryption" process.

With that in mind, the biggest security concern in a powerline network seems to be how to have two devices agree on a NMK, and how to distribute it to new stations joining the network. The spec supports a few methods for doing so, but ultimately leaves the implementation up to the manufacturers. The common one-button pairing scheme in a lot of the consumer powerline networking equipment seems to be consistent with a procedure that uses a protocol called UKE to transfer the NMK. UKE in itself is not secure. However, the properties of the physical layer of the HomePlug AV spec make it difficult for one station to eavesdrop on communications between two other stations. (Reference)

Some devices come with a utility program you can run to configure some advanced properties, which may include manually setting a Network Password (NPW). This is like a Wifi password... it is hashed to produce a NMK. If you have this option, and can manually set the NPW on each of your devices (and set a suitably strong NPW), then I would consider that a secure system. (see update below) If you can't, then you have to decide just how likely it is that someone with the proper equipment and knowledge will be close enough to be able to listen in on the key exchange when you pair a new device to the network. If you're really paranoid, you might be able to try to do the pairing over some isolated power network (like a generator or an inverter in your car) and then move the devices into the main network.

UPDATE: Scratch that. Looks like there's a demonstrated weakness in one of the keys used in HomePlug AV. It's not actually a flaw in the standard itself, but in one method that a lot of the vendors use to implement it. So not all devices are affected, but the list looks pretty big. (Reference)

glibdud
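The answer above says the Network Password (NPW) is "hashed to produce a NMK" and that unconfigured adapters all share a default key, so traffic is encrypted but not private. The block below is an added example, not code from the original page or from any adapter vendor: it derives an NMK from an NPW and flags a password that yields the factory-default key. The derivation details are assumptions based on my understanding of the HomePlug AV key schedule as implemented in open tools (PBKDF1 with SHA-256, a fixed 8-byte salt, 1000 hash iterations, first 16 bytes of the digest), as are the default NPW "HomePlugAV" and the 8-to-64 printable-ASCII password rule; treat the constants as illustrative unless you confirm them against the spec or your device's documentation.

```python
"""Derive a HomePlug AV Network Membership Key (NMK) from a Network
Password (NPW) and check whether the password gives the default key.

Added example, not from the original page.  Assumed (from my reading of
the HomePlug AV key derivation in open implementations): PBKDF1 with
SHA-256, a fixed 8-byte salt, 1000 hash iterations, and the first
16 bytes of the final digest as the key.  The default NPW and the
NPW length/character rule are assumptions as well.
"""
import hashlib

# Assumed constants for the NMK derivation.
NMK_SALT = bytes.fromhex("08856daf7cf58186")
PBKDF1_ITERATIONS = 1000
DEFAULT_NPW = "HomePlugAV"  # assumed factory-default network password


def validate_npw(npw: str) -> None:
    """Assumed NPW rule: 8 to 64 printable ASCII characters."""
    if not 8 <= len(npw) <= 64:
        raise ValueError("NPW must be 8 to 64 characters")
    if not all(0x20 <= ord(c) <= 0x7E for c in npw):
        raise ValueError("NPW must be printable ASCII")


def pbkdf1_sha256(password: bytes, salt: bytes, iterations: int,
                  dklen: int) -> bytes:
    """PBKDF1 (RFC 2898 section 5.1) with SHA-256.

    T1 = H(P || S), Ti = H(Ti-1); the derived key is the first dklen
    bytes of T_iterations.  PBKDF1 cannot produce more than one digest.
    """
    if dklen > hashlib.sha256().digest_size:
        raise ValueError("PBKDF1 cannot derive more than one digest")
    t = hashlib.sha256(password + salt).digest()
    for _ in range(iterations - 1):
        t = hashlib.sha256(t).digest()
    return t[:dklen]


def derive_nmk(npw: str) -> bytes:
    """Turn a network password into the 16-byte NMK (AES-128 key size)."""
    validate_npw(npw)
    return pbkdf1_sha256(npw.encode("ascii"), NMK_SALT, PBKDF1_ITERATIONS, 16)


def uses_default_key(npw: str) -> bool:
    """True when the password yields the key every unconfigured adapter
    ships with: traffic is still AES-encrypted, but any other adapter
    with the default key can join and read it."""
    return derive_nmk(npw) == derive_nmk(DEFAULT_NPW)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real device.
    for pw in (DEFAULT_NPW, "correct horse battery staple"):
        print(f"{pw!r}: NMK={derive_nmk(pw).hex()} default={uses_default_key(pw)}")
```

The check is the one a practitioner wants before trusting a "plug and play" powerline link: if the NPW on the adapters is still the default, encryption is on but offers no privacy against a neighbour on the same wiring.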
2

PowerLAN adapters are basically low power spread spectrum shortwave transceivers that use your power cable as an antenna system. With sensitive receivers you can hear their "noise" more than four kilometers away. In terms of security, don't assume that your fusebox stops the signal completely. The only way to obtain some kind of security is encryption... By the way, a simple Cat. 3 cable is much cheaper, much faster and extremely secure compared to a PowerLAN network....

Anton
0

I am not familiar with Zyxel's product but overall the PLC signal is basically a radio signal and should be treated as such. This is why adapters work on different phases in your house.

It would take some sophisticated and sensitive equipment to pick the PLC signal up out of the air, but it can be done, and if someone can plug into your home's electrical system that process would be easier.

Transformers block the PLC signal, so you don't have to worry about it traveling down the line to your neighbors.

  • I have tested different powerline adapters - you do get bleed in a lot of scenarios. – Rory Alsop Dec 13 '11 at 20:21
  • I worked for a startup that was doing inbuilding PLC commercially, and we actually split/injected the signal into all phases. –  Dec 13 '11 at 20:41
  • I haven't seen one split across phases - I guess essential if you use all 3 phases across a site. Did they interfere at all, or was the system well segregated anyway? – Rory Alsop Dec 13 '11 at 20:59
  • 2
    "_Transformers block the PLC signal, so you don't have to worry about it traveling down the line to your neighbors._" So you have a transformer just for you? Is it highly unusual. – curiousguy Aug 13 '12 at 21:18
-5

I'd say you would be looking at being about as secure as a standard Ethernet wire. That's what WEP originally stood for, Wired Equivalency Protocol so what that was saying is the security is as good as you have being on a wire (requiring someone to physically tap in to get your signal). While that was total BS as far as the Wireless went... the concept here should match up rather nicely. IE... unless someone is physically tapped into your closed home electrical system then you are secure with zero need for encryption.

  • 5
    Arguably though, this makes it still less secure than your common home Ethernet setup. Now, any power outlet can be a conduit for data leakage or intrusion. With Ethernet, the ports are fewer and further between - and, in a home setup, intrusion to those can be more noticeable. Further, most Ethernet networks these days are switched. I believe powerline adapters are more like hubs, which are in fact *inherently less secure*. – Iszi Dec 13 '11 at 19:54
  • That's assuming someone gets into your house. In that case you would be no more secure with a wire. –  Dec 13 '11 at 20:10
  • 5
    Connecting something to a receptacle in the end of your Christmas lights in your front yard is a bit easier than plugging something into an Ethernet port inside your house. –  Dec 13 '11 at 20:15
  • Powerline adapters are more like switches than hubs. –  Dec 13 '11 at 20:18
  • 4
    As I popped in my answer - there is bleed between adjacent houses - do not rely on your physical perimeter. – Rory Alsop Dec 13 '11 at 20:19
  • I've never seen any evidence of such bleed. Perhaps you have some stats to cite? –  Dec 13 '11 at 20:26
  • 4
    I have tested various devices - found it very difficult to get RF, but relatively straightforward to identify signal on powerlines outside the house. It was dependent on distance, obviously, and also on getting the same phase, and it depended on the fuse box / breaker (but I don't have stats on which ones were worst) – Rory Alsop Dec 13 '11 at 20:48
  • 1
    @dbasnett - Across the Ethernet network, they may operate as switches. But any data that goes across the powerline side of things is still broadcast to all of the outlets in the house. In this respect, they operate as hubs just the same as a Wi-Fi AP does. It is for this very reason that Wi-Fi networks have encryption, and so powerline networks should also. – Iszi Dec 13 '11 at 20:58
  • @Iszi "_I believe powerline adapters are more like hubs_" which standard? The recent ones do not operate like that. – curiousguy Aug 13 '12 at 21:19
  • @curiousguy Really? How, then, do they restrict reception of signal by unintended recipients, across a shared transmission medium - aside from encryption? – Iszi Aug 13 '12 at 21:23
  • 1
    @Iszi Good question! Like DSL, they begin with a training phase: they emit standard signals and measure signal strength. Then they come up with a tone map just like 2 DSL modems talking to each other, but for each pair of PLC modems, and a broadcast tone map. It is not possible to decode signals without the tone map, so it is like a cryptographic key, but it isn't one. I think that MITM attack is still possible by forcing a retrain. (The retrain sometimes happens spontaneously, and nobody would take one as a security alert.) – curiousguy Aug 13 '12 at 22:03
  • 1
    The goal of maximizing the bit-rate (like DSL) is considered a security feature in itself: because the bit-rate is maximum for the signal to noise ratio, decoding the signal from a "worse" place (not between the modems) is *expected* to be very difficult. It is also **unlawful to even try to implement such remote receiving device** (because of licence restriction), so it is difficult to know if this is true. But I would not bet my money on some "safe" which says "trying to break me in lab condition is illegal". – curiousguy Aug 13 '12 at 22:15