22 August 2018

Princeton University researchers: causing power outages with IoT botnet

Researchers from Princeton University claim that IoT devices can be used by threat actors to cause local power outages and even large-scale blackouts. The method involves exploiting Wi-Fi enabled high-wattage devices, such as air conditioners, ovens, water heaters and space heaters.

Authors of the report point out that such devices could be manipulated in order to control (increase or decrease) power consumption and cause power supply disruptions. This type of attack has been named “Manipulation of demand via IoT” (MadIOT).

Diagram showing a MadIOT attack
(source: https://ics-cert.kaspersky.com/away?url=https%3A%2F%2Fwww.usenix.org%2Fsystem%2Ffiles%2Fconference%2Fusenixsecurity18%2Fsec18-soltan.pdf)

According to the researchers, the normal operation of a power grid relies on the balance between supply and demand. They believe that the balance can be disrupted using an IoT botnet of air conditioners and heaters that are simultaneously switched on or off by the attacker.

The experts have tested their theory using state-of-the-art simulators of real-world power grid models. They have analyzed two attack scenarios, one of which involves frequency instability and the other is based on causing line failures.

According to the researchers’ calculations, implementing the first scenario would require a botnet of 90,000 air conditioners and 18,000 electric water heaters within the targeted geographical area. An attack based on the second scenario would require 210,000 compromised air conditioners.

Source: SecurityWeek