Engineers plan for the worst if the household Internet of Things is hacked

Anna Godeassi
Cyberattacks on the power grid have long been regarded as a nightmare scenario in cybersecurity, leading researchers and electric companies to combine efforts to protect the computers that control our energy infrastructure. But recent findings by a team of University researchers suggest that a cyberattack on the electric grid may not be the only way to cause large-scale blackouts. 

Instead, hackers might be able to transform the growing numbers of high-wattage Internet-connected appliances, such as air conditioners and water heaters, into bots of destruction that can suddenly and simultaneously increase their demand for power. A deliberate electricity surge from the so-called “Internet of Things” (IoT) could overload the power grid and potentially cause rolling blackouts, according to a paper by electrical engineering postdoc Saleh Soltan and electrical engineering professors Prateek Mittal and Vincent Poor *77. The paper was presented at the USENIX Security Symposium in August.

The researchers were inspired by the Mirai botnet, a collection of hundreds of thousands of infected Internet-connected consumer devices — including security cameras and wireless routers — that launched massive attacks two years ago in the United States, orchestrated by three young American cybercriminals who have pleaded guilty to the hack. Among the attacks, the Mirai botnet targeted the internet service provider Dyn, overloading the company’s servers, making many websites inaccessible for several hours on the East Coast. 

“We had been talking about the Mirai botnet, and I just realized: What would happen if all of these devices had high-wattage power uses?” Soltan says. “When we looked at some of the consequences of these attacks, it turns out that not that many devices are really needed to cause serious harm. If the grid is not prepared properly, then 200,000 compromised devices are enough to cause some damage to the grid.”

“If the grid is not prepared properly, then 200,000 compromised devices are enough to cause some damage ... ” — Saleh Soltan, electrical engineering postdoc
Courtesy Saleh Soltan

That is not a very large number of compromised machines for a hacker to amass, given that in 2017 an estimated 8 billion smart devices were connected to the IoT worldwide — that number is projected to more than double by 2020. As manufacturers increasingly offer web-connected devices, the security settings and standards for those gadgets have not kept pace with the industry. 

Unlike personal computers and smartphones, many IoT devices — such as security cameras, routers, light bulbs, and air conditioners — do not have screens, keyboards, or other user tools that enable owners to set passwords, adjust the default security settings, or install software-security patches. Moreover, manufacturers are loathe to drive up costs of these devices by designing and implementing additional security features; typically, IoT devices are protected by a simple default password, common to all of the devices a manufacturer sells, which could be easily guessed by hackers and exploited to amass an enormous network of bots.

The researchers have found that these bots could be used to initiate what they call “manipulation of demand via Internet of Things” (or MadIoT, pronounced “mad-I-o-T”) attacks. Using publicly available data about the Polish power grid from the mid-2000s, the researchers found that hackers could manipulate sufficient wattage to cause blackouts or increase the operating cost of the grid through unpredictable surges in power demand using as few as 200,000 high-powered devices like air conditioners or home water heaters.

Soltan says the researchers hope to collaborate with power companies to run similar simulations for recent, U.S.-based power-grid models to determine our domestic infrastructure’s vulnerability. Stronger security requirements for the IoT devices could remediate this threat, he says, but he also sees a need for power companies to design their systems to automatically detect compromised devices and shut off or disconnect them from the grid if they exhibit suspicious behavior.

“These threats are not critical now, but if you look at the trend of these IoT devices, this could become very critical five or 10 years from now,” Soltan said. “So it’s a good time to be preparing for these types of threats with regulation. We need minimum security requirements for these devices — most of them simply do not have enough security.”