Your smart air conditioner could contribute to mass power outages

In March, the US blamed Russia for attacks on the power grid. The Department of Homeland Security (DHS) and the FBI called it a multi-stage effort by “Russian government cyber actors” who targeted small facilities’ networks with malware, spear-phishing and remote access into energy sector networks.

Nation states using sophisticated cyber weaponry to attack: it’s like a Hollywood plot. In fact, experts believe that the 2015 and 2016 Ukraine power outages were the work of cyberattackers, and that they were a dress rehearsal for doing the same to the US.

But perhaps Russia or other hostile nation states aren’t the threats we should be worried about – we should be more concerned about attacks from our air conditioners.

As in, smart air conditioners, along with other internet-connected, high-wattage appliances such as smart hot water heaters that can be looped into a botnet, or zombie network, and forced to amp up their electrical demands, thereby overloading the power grid and causing mass, cascading blackouts.

As Wired reports, researchers from Princeton University – Saleh Soltan, Prateek Mittal and H. Vincent Poor – will be presenting their findings this week at the Usenix Security Symposium.

They’re calling the theoretical attack BlackIoT: an Internet of Things (IoT) botnet that would give adversaries the ability to launch large-scale, coordinated attacks on the power grid.

Rather than an attack on the supply side of the grid, the researchers have flipped the tables to describe attacks on the demand side: what they’re calling manipulation of demand via IoT (MadIoT) attacks.

They studied five variations of these attacks, in which cyberattackers would control a botnet comprising thousands of consumer IoT devices – most particularly, ones that gobble power, such as air conditioners, water heaters and space heaters.

After running five varieties of software simulations to see how many of those devices an attacker would need to simultaneously hijack in order to disrupt the stability of the power grid, they came up with a scenario that Wired called disturbing, if not yet quite practical:

In a power network large enough to serve an area of 38 million people – a population roughly equal to Canada or California – the researchers estimate that just a 1% bump in demand might be enough to take down the majority of the grid. That demand increase could be created by a botnet as small as a few tens of thousands of hacked electric water heaters or a couple hundred thousand air conditioners.

Saleh Soltan, a researcher in Princeton’s Department of Electrical Engineering and the lead author of the report, told Wired that the energy grid is OK as long as nobody throws a two-ton elephant on one side of the seesaw:

Power grids are stable as long as supply is equal to demand. If you have a very large botnet of IoT devices, you can really manipulate the demand, changing it abruptly, any time you want.

The researchers didn’t detail specific vulnerabilities that would have to be exploited in order to hijack a critical mass of appliances, but really, did they need to? News of IoT device vulnerabilities is abundant. We’ve already seen the havoc caused by the Mirai botnet, for one – a vast array of home routers, webcams and other low-powered IoT devices that launched a DDoS attack on well-known investigative cybercrime journalist Brian Krebs.

As Naked Security’s Paul Ducklin has framed it, the unfortunate fact is that many IoT devices are designed, built and delivered with scant regard for security, and are installed without much care, often with well-known default passwords unchanged, and with access left open to anyone who cares to come knocking.

IoT devices that cost 5% as much as your laptop tend to get 5% as much security love-and-care, or even less, although they can do 100% as much damage in a [distributed denial of service, or DDoS] attack.

The danger of power outages is particularly acute: when power goes out, so too do life-support devices that depend on electricity, for example. That includes home dialysis or breathing machines. If everybody’s power blinks out at once, that means that our hospitals, our police departments and our emergency responders all go dark.

From the report:

Insecure IoT devices can have devastating consequences that go far beyond individual security/privacy losses. This necessitates a rigorous pursuit of the security of IoT devices, including regulatory frameworks.

We couldn’t agree more.