The European Electric Grid Threatened by a Critical Vulnerability

Well, this is a good one! Researchers from Positive Security (Fabian Bräunlein and Luca Melette) have just discovered a ridiculously serious security flaw in the control system of a large part of the European electric grid. And hold on tight, it all relies on… unencrypted radio signals! 🤦‍♂️

The initial idea of our duo was pretty fun: to recreate the spirit of Project Blinkenlights (a legendary 2001 project in Berlin that turned the windows of a building into a giant monochrome screen), but this time on a city scale, by remotely controlling the streetlights in the German capital. No bad intentions at first, just some light tinkering. However, while investigating a streetlight with an open casing, they stumbled upon a radio receiver (“Funkrundsteuerempfänger”) used to turn the lighting on and off… and realized it is the same device that also manages some renewable energy installations across Central Europe. Nothing less.

The official name of the gadget is Radio Ripple Control (or Funkrundsteuerung in local terms). It is managed by a single company, EFR, based in Munich, which operates three large low-frequency transmission stations (two in Germany, one in Hungary) that blanket Central Europe with radio signals. The problem is that these signals are unencrypted and even unauthenticated, meaning that anyone can not only listen to them but potentially send them (thus replaying or forging commands). According to the researchers’ estimates, this amounts to roughly:

  • 40 gigawatts of renewable production in Germany (wind, solar, etc.)
  • 20 gigawatts of “dispatchable” consumption (heat pumps, wall boxes for electric vehicles, etc.)

So up to 60 gigawatts potentially manipulable via radio signals 😱, and of course affecting 450 million people across Europe.

This archaic radio protocol, in use for ages, is not only used to turn on streetlights or control charging stations but also to broadcast weather forecasts, transmit the time, or switch day/night tariffs on your meter. One could say it’s a neat multifunctional tool… but with the security of a sieve. To understand how they proceeded, imagine an improvised lab with an ESP microcontroller, a waveform generator, a wireless charger coil as an antenna, and some capacitors (yes, MacGyver would be proud). For nearly a year, they worked on reverse engineering two protocols: Versacom and Semagyr. After dissecting DIN standards, sifting through technician configuration software, playing with infrared receivers, and connecting probes everywhere, they finally mastered “the language” of these devices.

The result?

Not only were they able to make a streetlight blink (essentially a Streetlight-B-Gone), but they outright sent rogue commands to a real 40 kW photovoltaic installation, causing it to stop producing electricity for the grid. 🎉 Boom: no power!

And for gadget enthusiasts, they even rigged up a “Flipper Zero” to emit FSK at 139 kHz over a one-meter radius via its little 125 kHz RFID antenna! In short, nothing is simpler than turning off a streetlight right in front of your eyes or cutting off a small solar installation. 🤯

Now, the real burning question is: can one “turn off Europe” as easily as switching off a neighbor’s Christmas lights? On paper, those infamous 60 GW could create enough imbalance to disturb the grid frequency (50 Hz) and trigger a domino effect on the distribution side (protection mechanisms, cascading disconnections, etc.). The authors explain that if one manages to switch everything on or off at the same time (production + load), one could, in the worst-case scenario, impact a significant portion of the grid.

But… (there’s always a “but” 😏) according to several experts, like Professor Dr. Albert Moser or Jan Hoff, the network is designed to constantly “rebalance.” And since we are acting here “at the end of the chain,” far from substations, the grid can react and adapt accordingly. Furthermore, one would need to overpower EFR’s legitimate signal or physically take control of the transmitters, which isn’t so simple. Covering vast areas would mean deploying XXL pirate transmitters, such as a weather balloon or a kite carrying 500 meters of antenna plus a 10 kW amplifier. It sounds insane… but the researchers point out that a motivated nation-state could manage it (hello, Russia).

That said, the existence of this unencrypted and unauthenticated system is genuinely alarming, especially knowing it is used for critical control. EFR had developed an encrypted version of the protocol in 2015, but nobody wanted it (cost, complexity, etc.). Today, there’s even a more modern system called iMSys (Intelligente Messsystem) that uses 4G and encryption. Regulators even plan to use a dedicated LTE band at 450 MHz for that. However, the deployment is slow, and worse, the large installations that would need it most are likely to be migrated last. Additionally, some cities like Hamburg have just installed the old system instead of the new one. 🤦‍♂️

So, should we panic?

No, because to trigger chaos on a large scale, one would need to:

  • Control a large volume of installations (tons of gigawatts).
  • Overpower the legitimate signal or take complete control of EFR transmitters.
  • Choose the ideal moment (peak sunlight, high renewable presence, etc.).

In other words, we’re far from a small script kiddie executing a “hack-my-power-plant.sh.” But the threat remains plausible for a very organized actor, and the researchers have alerted the authorities. Moreover, Der Spiegel confirms that, according to some experts, a coordinated blackout scenario “is not impossible.”

There were even some tense exchanges: EFR threatened the researchers with legal action, then officially stated that all of this was exaggerated… while having previously acknowledged being aware of the issue for years.

In short, no immediate stress if you envision total chaos, but this discovery clearly sheds light (pun intended) on the fragility of certain aspects of our critical infrastructures. Ultimately, the researchers hope that with the media attention on their discovery, the deployment of safer solutions (like iMSys) and the replacement of these archaic Funkrundsteuerung receivers will finally accelerate.

Mohamed SAKHRI