Yorkshire Water supplied me some useful information for those interested in the technology, protocols and security / opsec about their automated meter readers / AMR devices, which can be found below.
"I can confirm that the individual data collected from our AMR’s is not shared externally. We take security and use of our customers personal data very seriously and we are committed to complying with the Data Protection Act 1998. I assure you that your data will only be used in connection with billing. The data collected is not subject to The Regulation of Investigatory Powers Act 2000.
It's good to know it's not using SmartDCC Ltd (Capita) like Gas/Electricity suppliers will be moving to.
"The AMR uses the Cyble RF radio. The Cyble RF radio is a low power two way receiver/transmitter. It operates at 433.82 MHz at <10mW. This is a government approved open frequency. The unit is in a dormant state for 2 seconds then switches to receive mode only for 2 seconds. If in that time it does not receive any signal it turns back to dormant mode. Only if it receives the 9 digit unique code does the radio switch to transmit mode. This is for a period of 18 seconds to transfer date, time and readings and then it reverts to its cycle of dormant/receive only. The coded message is transmitted by a hand held radio unit operated by our meter readers from outside the property and this transmitter has limited range due to the low power output the regulations state. As we are currently only reading every 6 months it means that the radio unit is only in transmit mode for 36 seconds per year. This enables the unit to have an expected battery life of between 12 and 15 years."
Definitely beyond my present RF / RTL-SDR skills set to sniff over such a long period or try brute force, but hopefully useful to someone as I failed to find much online.
Example AMR device: http://www.itron.com/eu/-/media/itron/integration/brochure/cyblesensorpben1211.pdf