In March, the US blamed Russia for attacks on the power grid. The Department of Homeland Security (DHS) and the FBI called it a multi-stage effort by “Russian government cyber actors” who targeted small facilities’ networks with malware, spear-phishing and remote access into energy sector networks.
Nation states using sophisticated cyber weaponry to attack: it’s like a Hollywood plot. In fact, experts believe that the 2015 and 2016 Ukraine power outages were the work of cyberattackers, and that they were a dress rehearsal for doing the same to the US.
But perhaps Russia or other hostile nation states aren’t the threats we should be worried about – we should be more concerned about attacks from our air conditioners.
As in, smart air conditioners, along with other internet-connected, high-wattage appliances such as smart hot water heaters that can be looped into a botnet, or zombie network, and forced to amp up their electrical demands, thereby overloading the power grid and causing mass, cascading blackouts.
As Wired reports, researchers from Princeton University – Saleh Soltan, Prateek Mittal and H. Vincent Poor – will be presenting their findings this week at the Usenix Security Symposium.
They’re calling the theoretical attack BlackIoT: an Internet of Things (IoT) botnet that would give adversaries the ability to launch large-scale, coordinated attacks on the power grid.
Rather than an attack on the supply side of the grid, the researchers have flipped the tables to describe attacks on the demand side: what they’re calling manipulation of demand via IoT (MadIoT) attacks.
They studied five variations of these attacks, in which cyberattackers would control a botnet comprising thousands of consumer IoT devices – most particularly, ones that gobble power, such as air conditioners, water heaters and space heaters.
After running five varieties of software simulations to see how many of those devices an attacker would need to simultaneously hijack in order to disrupt the stability of the power grid, they came up with a scenario that Wired called disturbing, if not yet quite practical:
In a power network large enough to serve an area of 38 million people – a population roughly equal to Canada or California – the researchers estimate that just a 1% bump in demand might be enough to take down the majority of the grid. That demand increase could be created by a botnet as small as a few tens of thousands of hacked electric water heaters or a couple hundred thousand air conditioners.
Saleh Soltan, a researcher in Princeton’s Department of Electrical Engineering and the lead author of the report, told Wired that the energy grid is OK as long as nobody throws a two-ton elephant on one side of the seesaw:
Power grids are stable as long as supply is equal to demand. If you have a very large botnet of IoT devices, you can really manipulate the demand, changing it abruptly, any time you want.
The researchers didn’t detail specific vulnerabilities that would have to be exploited in order to hijack a critical mass of appliances, but really, did they need to? News of IoT device vulnerabilities is abundant. We’ve already seen the havoc caused by the Mirai botnet, for one – a vast array of home routers, webcams and other low-powered IoT devices that launched a DDoS attack on well-known investigative cybercrime journalist Brian Krebs.
As Naked Security’s Paul Ducklin has framed it, the unfortunate fact is that many IoT devices are designed, built and delivered with scant regard for security, and are installed without much care, often with well-known default passwords unchanged, and with access left open to anyone who cares to come knocking.
IoT devices that cost 5% as much as your laptop tend to get 5% as much security love-and-care, or even less, although they can do 100% as much damage in a [distributed denial of service, or DDoS] attack.
The danger of power outages is particularly acute: when power goes out, so too do life-support devices that depend on electricity, for example. That includes home dialysis or breathing machines. If everybody’s power blinks out at once, that means that our hospitals, our police departments and our emergency responders all go dark.
From the report:
Insecure IoT devices can have devastating consequences that go far beyond individual security/privacy losses. This necessitates a rigorous pursuit of the security of IoT devices, including regulatory frameworks.
We couldn’t agree more.
Mike Schwab (@maschwab63)
You’ll never get the British to give up their Electric Tea Kettles or stop them from turning them all on at the end of East Enders at 3pm.
Jim Gersetich
What is needed (beyond this) is an independent list of IoT devices, with regards to security. Consumers generally have no idea that they should even ask security questions.
A good place to start that list would be analyzing NakedSecurity’s articles over the years since the IoT became a thing.
What this article shows is that the problem is much more critical than someone being able to hotwire your car or break into your house.
Or, perhaps, something like Underwriter’s Lab certifications for IoT devices.
There are many possibilities, but SOMETHING must be done to rein in these devices until security becomes a top priority.
Paul Ducklin
A classic example of “but security surely doesn’t matter in the average device” is the fact-weirder-than-fiction internet kettle story:
https://nakedsecurity.sophos.com/2015/10/20/internet-of-things-do-you-really-need-a-kettle-that-can-boil-your-security-dry/
OK, so if a crook hacks your internet kettle (apart from knowing that you *have* an internet kettle and threatening you with hipstortion, where you pay $100 or else everyone finds out you’re a secret hipster), what’s the worst that could happen? He could try to boil it dry, but that won’t work because modern kettles have ultra-reliable thermal cutouts, by law. He could set your coffee water to boil at 100 degrees instead of 82, and ruin the taste of your next cafetiere. So, what’s the harm?
Well, this kettle could be tricked into coughing up your Wi-Fi password. In other words, by ignoring the fact that it was a kettle entirely, and just treating it as a cheap-and-cheerful, unpatched computer, a crook could essentially use it as a free and open portal to your LAN.
The kettle had just one security job to do: don’t leak the Wi-Fi key. And it failed.
Jeff
Kudos to the researchers for thinking outside the box and looking at attacks on the demand side of the grid.
Tim Boddington
I am not in the least bit surprised at anything I read regarding IoT problem propagation. We will never get users to do the right thing – there are far too many of them and the vast majority have no IT or security understanding or interest, and never will. It is therefore time to legislate on the supply side – we must make it illegal to manufacture, supply, sell and fit or install any electronic device that has not been security certified to be safe on the net. That means that new products will have to be rigorously reviewed and tested before they are introduced to the market. It also means that there will need to be significantly improved methods and techniques for the safe connection of a new device, a connection that can be made by any person who has no knowledge of these concerns, and who will not be required to read pages of non-understandable techy nonsense to be able to do so. As Churchill regularly wrote when faced with a crisis – action this day!