The Not So Bright Future of Unsecured IoT Devices
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
If you thought that IoT devices coming online would present a force multiplier for cybersecurity breaches, imagine what it might be like if you started looking at the world through the other end of the telescope.
How about instead of a group of hackers breaking into the poorly defended infrastructure of our power grid and wreaking havoc across the nation, a different and smarter group of hackers decided to come at it from the other direction and simply attacked the end-user devices attached to the power grid?
Like home air conditioners and water heaters.
A fun-loving group of Princeton University security researchers will present a study at the 27th USENIX Security Symposium this week in Baltimore that considers the following question in power grid cybersecurity: What if hackers attacked not the supply side of the power grid, but the demand side instead? In a series of simulations, the researchers imagined what might happen if hackers controlled a botnet composed of thousands of silently hacked consumer internet of things devices, particularly power-hungry ones like air conditioners, water heaters, and space heaters.
Then they ran a series of software simulations to see how many of those devices an attacker would need to simultaneously hijack to disrupt the stability of the power grid. The results point to a disturbing scenario: In a power network large enough to serve an area of 38 million people, like, say, California, the simulation of only a 1% increase in demand would be sufficient to take down the grid.
That demand increase could easily be created by a botnet of only a few thousand hacked electric water heaters or air conditioners.
A botnet-induced imbalance of that order would create cascading blackouts, overloading the current on power lines, damaging them and triggering devices called protective relays, which turn off the power when they sense dangerous conditions. Switching off those lines puts more load on the remaining ones, leading to a chain reaction causing collateral damage all along the power grid until every power line is damaged or destroyed.
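The chain reaction described above can be made concrete with a deliberately simplified planning model, added here as an illustration; it is not the Princeton researchers' MATPOWER or PowerWorld simulation. It assumes total demand is shared equally among the lines still in service (an equal-load-sharing model), and the line capacities are constructed sample values.

```python
# Toy equal-load-sharing cascade model (added example, constructed data).
# Assumption: every in-service line carries demand / number_of_lines, and a
# protective relay trips any line whose share exceeds its capacity.

def cascade(capacities, demand):
    """Return (lines_tripped, rounds) once the system settles or goes dark."""
    alive = list(capacities)
    rounds = 0
    while alive:
        share = demand / len(alive)
        survivors = [c for c in alive if c >= share]
        if len(survivors) == len(alive):
            break                      # every remaining line is within limits
        alive = survivors              # relays trip the overloaded lines
        rounds += 1                    # load now falls on fewer lines
    return len(capacities) - len(alive), rounds

def with_headroom(capacities, margin):
    """Same grid with every line uprated by a fractional margin (0.05 = 5%)."""
    return [c * (1 + margin) for c in capacities]

# Constructed grid: ten lines, the weakest running exactly at its limit
# when demand is 100 units (10 units per line).
TIGHT_GRID = [10.0, 10.5, 11.2, 12.0, 13.0, 14.4, 16.0, 20.0, 25.0, 33.0]
BASE_DEMAND = 100.0

def surge_report(capacities, surges=(0.0, 0.01, 0.06)):
    """Map each fractional demand surge to the number of lines lost."""
    return {s: cascade(capacities, BASE_DEMAND * (1 + s))[0] for s in surges}

if __name__ == "__main__":
    print("no headroom :", surge_report(TIGHT_GRID))
    print("5% headroom :", surge_report(with_headroom(TIGHT_GRID, 0.05)))
```

In this toy grid the first trip is the whole story: once the weakest line drops, each round pushes the per-line share past the next-weakest capacities, so operating margin on the weakest lines, not average capacity, determines how large a demand surge the system absorbs.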
We have seen presentations at the Kaspersky Analyst Summit in 2016 describing security flaws and vulnerabilities in air conditioners that could easily be used to pull off the sort of grid disturbance that the Princeton researchers describe, and real-world malicious hackers have shown us repeatedly that they can compromise everything from refrigerators and coffee machines to fish tanks and thermostats.
In simulations using power grid software MATPOWER and PowerWorld to determine the size of the required botnet and using models of a similarly sized (38 million people) power grid, the researchers found they could cause a cascading blackout of 86% of the power lines with just a 1% increase in demand.
This would only require 210,000 hacked air conditioners, or 42,000 hacked electric water heaters.
Since we all recall the Mirai botnet in 2016 that took most of the U.S. web offline for 7 hours, we know that 600,000 hacked IoT devices (security cameras and home routers) can have a paralyzing impact on access to a broad collection of websites. Fast forward a couple more years and imagine what that might do to a society and culture that will be almost entirely dependent on the web for day-to-day operational survival.
Now, instead of several hours, imagine an outage of several months. Puerto Rico, anyone?
The Princeton researchers also modeled more devious techniques that their imaginary IoT botnet might use to mess with power grids. They found it was possible to increase demand in one area while decreasing it in another, so that the total load on a system's generators remains constant while the attack overloads certain lines. That could make it even harder for utility operators to figure out the source of the disruption.
If a botnet did succeed in taking down the grid, the researchers' models showed it would be even easier to keep it down as operators attempted to bring it back online, triggering smaller scale versions of their attack in the sections or "islands" of the grid that recover first.
The researchers point out that since the source of the demand spikes would be largely hidden from utilities, attackers could simply try them again and again, experimenting until they had the desired effect. Their version of product-market fit.
Just as utilities today carefully model heat waves and increased TV viewing times and maintain a stock of energy in reserve to cover those demands, they will also need to account for tomorrow’s hackable high-powered devices on their grids. As high-power smart-home gadgets multiply, the consequences of IoT insecurity will soon result in more than just a hacked thermostat and the theft of some data off a connected corporate network.
And when your water heater starts acting up, who are you going to call? Probably not the utility company. In fact, you may not be able to call anybody.
Leading ICS-OT-IIOT Cyber Security Expert, Consultant, Workshops Lecturer, International Keynote Speaker
6 years ago
Another post aimed to make people scared. I read no clear explanations; I did not find a clear distinction between IoT and IIoT. What do I learn from this post? Probably not much. What do I do differently? Many things, but these are not outlined in this paper. Some people put LIKE ... so what?