Hackers Could Use IoT Botnets To Manipulate Energy Markets (wired.com)
An anonymous reader quotes a report from Wired: At the Black Hat security conference on Wednesday, [researchers at the Georgia Institute of Technology] will present their findings, which suggest that high-wattage IoT botnets -- made up of power-guzzling devices like air conditioners, car chargers, and smart thermostats -- could be deployed strategically to increase demand at certain times in any of the nine private energy markets around the US. A savvy attacker, they say, would be able to stealthily force price fluctuations in the service of profit, chaos, or both. The researchers used real, publicly available data from the New York and California markets between May 2018 and May 2019 to study fluctuations in both the "day-ahead market" that forecasts demand and the "real-time market," in which buyers and sellers correct for forecasting errors and unpredictable events like natural disasters. By modeling how much power various hypothetical high-wattage IoT botnets could draw, and crunching the market data, the researchers devised two types of potential attacks that would alter energy pricing. They also figured out how far hackers would be able to push their attacks without the malicious activity raising red flags.
"Our basic assumption is that we have access to a high-wattage IoT botnet," says Tohid Shekari, a PhD candidate at the Georgia Institute of Technology who contributed to the research, along with fellow PhD candidate Celine Irvine and professor Raheem Beyah. "In our scenarios, attacker one is a market player; he's basically trying to maximize his own profit. Attacker two is a nation-state actor who can cause financial damage to market players as part of a trade war or cold war. The basic part of either attack is to look at price-load sensitivity. If we change demand by 1 percent, how much is the price going to change as a result of that? You want to optimize the attack to maximize the gain or damage." An attacker could use their botnet's power to increase demand, for instance, when other entities are betting it will be low. Or they could bet that demand will go up at a certain time with certainty that they can make that happen. "The researchers caution that, based on their analysis, much smaller demand fluctuations than you might expect could affect pricing, and that it would take as few as 50,000 infected devices to pull off an impactful attack," the report adds.
"Consumers whose devices are unwittingly conscripted into a high-wattage botnet would also be unlikely to notice anything amiss; attackers could intentionally turn on devices to pull power late at night or while people are likely to be out of the house. [...] The researchers calculated that market manipulation campaigns would cause, at most, a 7 percent increase in consumers' home electric bills, likely low enough to go unnoticed."
The researchers say market manipulators could take home as much as $245 million a year, and cause as much as $350 million per year in economic damage.
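The summary above describes the two quantities a market monitor would want to track: the price-load sensitivity ("if demand moves 1 percent, how much does price move") and the gap between day-ahead forecast load and real-time load. The following is an added example, not code from Wired or from the Georgia Tech researchers, that estimates the sensitivity from a constructed hourly dataset and flags hours whose forecast error stands out from the rest, which is the defender-side view of the same data. The load figures, prices, the 3-sigma threshold and the 1.5 kW per-device figure are all assumptions made for this example.

```python
"""Added example (not from the Wired article or the Georgia Tech paper).

Two market-monitor helpers over constructed day-ahead vs. real-time data:
  * price_load_sensitivity: least-squares estimate of "percent price change
    per percent load change" between the day-ahead and real-time markets.
  * flag_demand_anomalies: flag hours whose real-time load departs from the
    day-ahead forecast far more than the other hours do (leave-one-out z-score).
"""
from statistics import mean, pstdev

# Constructed hourly sample: (hour, day_ahead_load_mw, real_time_load_mw,
# day_ahead_price_per_mwh, real_time_price_per_mwh). All values are invented.
HOURS = [
    (0, 18000, 18090, 30.0, 30.3),
    (1, 17500, 17430, 28.0, 27.9),
    (2, 17200, 17250, 27.0, 27.1),
    (3, 17100, 17050, 26.5, 26.4),
    (4, 17300, 17380, 27.0, 27.2),
    (5, 18200, 18150, 29.0, 28.9),
    (6, 19800, 19900, 33.0, 33.2),
    (7, 21500, 21380, 38.0, 37.7),
    (8, 22800, 22900, 42.0, 42.2),
    (9, 23600, 23550, 45.0, 44.9),
    (10, 24100, 24150, 47.0, 47.1),
    (11, 24500, 24600, 48.0, 48.2),
    (12, 24700, 25700, 49.0, 51.0),   # constructed: real-time load ~4% over forecast
    (13, 24800, 24750, 49.5, 49.4),
    (14, 24600, 24650, 49.0, 49.1),
]


def forecast_errors(rows):
    """Relative forecast error per hour: (real-time load - day-ahead load) / day-ahead load."""
    return [(rt - da) / da for _, da, rt, _, _ in rows]


def price_load_sensitivity(rows):
    """Slope of relative price change on relative load change (ordinary least squares).

    A value near 1.0 means a 1 percent load surprise moved the real-time price
    about 1 percent relative to the day-ahead price.
    """
    xs = forecast_errors(rows)
    ys = [(rtp - dap) / dap for _, _, _, dap, rtp in rows]
    mx, my = mean(xs), mean(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den


def flag_demand_anomalies(rows, z_threshold=3.0):
    """Return [(hour, error_percent, z)] for hours whose forecast error is an outlier.

    The baseline mean and standard deviation are computed with the candidate hour
    left out, so a single large deviation cannot inflate its own baseline.
    """
    errs = forecast_errors(rows)
    flagged = []
    for i, row in enumerate(rows):
        others = errs[:i] + errs[i + 1:]
        mu, sigma = mean(others), pstdev(others)
        if sigma == 0:
            continue
        z = (errs[i] - mu) / sigma
        if abs(z) > z_threshold:
            flagged.append((row[0], round(errs[i] * 100, 2), round(z, 1)))
    return flagged


def fleet_load_mw(devices, watts_per_device):
    """Aggregate draw of a device fleet in MW, for sizing what a monitor must resolve."""
    return devices * watts_per_device / 1e6


if __name__ == "__main__":
    print("sensitivity (pct price / pct load):", round(price_load_sensitivity(HOURS), 2))
    print("anomalous hours:", flag_demand_anomalies(HOURS))
    # 50,000 devices at an assumed 1.5 kW each, as a fraction of the hour-12 forecast
    mw = fleet_load_mw(50_000, 1500)
    print("50k devices @1.5kW = %.1f MW = %.2f%% of hour-12 forecast" % (mw, 100 * mw / 24700))
```

The point of the leave-one-out z-score is that a single abnormal hour is compared against the noise of normal forecast error rather than against a baseline it has already contaminated. Whether a fleet's aggregate draw is distinguishable from that noise depends on the per-device wattage and the system's ordinary forecast error, which is why the example prints the fleet load as a percentage of the forecast instead of in isolation.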
Hackers could launch nukes (Score:3, Interesting)
No, your eBay thermostat is not (Score:2)
I've been hacking computer systems for a few decades now, so I'd qualify as "hackers", as would my more junior teammates. As "hackers", we have something to tell you:
That "smart thermostat" you bought on eBay, or the made-in-China-for-$4 one you got at Home Depot, are NOT secured like the launch control center at Cooperstown.
Actually your IOT crap isn't secured at all. We walk right in, bypassing the whole NAT thing with some JavaScript or even HTML that looks like this:
IMG src=http://192.168.1.2/temp=9
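The request the commenter describes is a plain cross-site GET that the victim's browser sends to a LAN address on the attacker's behalf. The usual fix on the device side is to refuse to change state on GET, and to accept a state-changing POST only when the browser's own request metadata (Sec-Fetch-Site or Origin) says it came from the device's UI and the request carries a per-session token. Below is an added example of that policy as a small Python handler; it is not firmware from any real product. The device address, the token value and the `/temp=` path shape are assumptions borrowed from the comment above.

```python
"""Added example: request policy that defeats the <img src="http://device/temp=9"> trick.

Not code from any real thermostat. The device origin, token and URL shape are assumed.
"""

DEVICE_ORIGIN = "http://192.168.1.2"      # assumed address of the device's own web UI
SESSION_TOKEN = "constructed-token-0123"  # constructed; a real device generates this at pairing


def is_state_change_allowed(method, headers):
    """True only for requests that may change device state.

    An <img> or <script> tag can only produce a GET, cannot set custom headers,
    and arrives with Sec-Fetch-Site: cross-site (or an Origin of the attacker's
    page), so each of the three checks below blocks it independently.
    """
    if method.upper() != "POST":
        return False                       # GET/HEAD never change state
    h = {k.lower(): v for k, v in headers.items()}
    sfs = h.get("sec-fetch-site")
    origin = h.get("origin")
    # Require positive evidence that the request came from the device's own UI.
    same_site = sfs == "same-origin" or origin == DEVICE_ORIGIN
    if not same_site:
        return False
    # Fetch metadata and Origin can be absent on old clients; the token is the backstop.
    return h.get("x-device-token") == SESSION_TOKEN


def handle_request(method, path, headers, state):
    """Stand-in for the device's HTTP dispatcher. Returns (status_code, state)."""
    if path.startswith("/temp="):
        if not is_state_change_allowed(method, headers):
            return 403, state
        try:
            state["temp"] = int(path[len("/temp="):])
        except ValueError:
            return 400, state
        return 200, state
    return 404, state


if __name__ == "__main__":
    state = {"temp": 21}
    # What the <img> tag from the comment produces: cross-site GET, no token.
    print(handle_request("GET", "/temp=9", {"Sec-Fetch-Site": "cross-site"}, state))
    # What the device's own UI produces after pairing.
    ok_headers = {"Sec-Fetch-Site": "same-origin", "X-Device-Token": SESSION_TOKEN}
    print(handle_request("POST", "/temp=9", ok_headers, state))
```

The token check matters even with Sec-Fetch-Site in place: a page on the same LAN that the victim has visited is still "cross-site" from the browser's point of view, but an older browser may send neither header, and a token the attacker's page cannot read keeps the policy from relying on metadata alone.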
Re:Hackers could launch nukes (Score:4, Insightful)
The point, you moron, is that IOT is shit.
and the obvious implication is that there should be severe civil AND criminal penalties for manufacturers who fail to secure the shit that they build (and, IMO, especially for those who compromise security in order to facilitate surveillance)
and, as usual, marketing and advertising vermin should be lined up against walls and shot - they're the ones spruiking the miniscule benefits of IOT (who the fuck needs to monitor or control their fridge on a phone? or allows their TV's manufacturer to spy on them? what kind of fucking moron thinks that's useful? or acceptable?) while hiding and obscuring the massive risks.
Re:Hackers could launch nukes (Score:4, Insightful)
Why do you need an internet connected thermostat or refrigerator?
Those are easily done manually with a simple independent controller....no external connections required.
Your toaster does not need to be able to connect and bring in the latest weather forecast.
That then brings up even more serious questions:
Why are parts of the utilities' infrastructure hooked to the greater internet?
That should have been a national security red flag decades ago....
Re: (Score:2)
Why are parts of the utilities' infrastructure hooked to the greater internet?
Perhaps too cheap to use point to point leased lines, and/or pay people to configure their infrastructure? Why pay several hundred to possibly > $1000 /mo for 1.5mbit/s T1 when you can pay $250/mo for Comcast "Business Class" cable?
Re: (Score:2)
Well, will it prove to be worth that "extra" money and investment, after some adversarial country or private entity brings down the entire power grid, throwing the entire US into chaos....likely turning very violent within a week?
You think the anarchy going on in some cities
it's a tough attack (Score:4, Interesting)
To pull off this attack, where you cause a device to change its power draw, you would need to know specific things about the device, which probably means actually buying one. It is quite a bit more money, and quite a bit more effort required for a speculative attack.
Also, the SEC is going to be after you, so make sure you live in a country without an extradition treaty.
Re: (Score:1)
For style points . . . (Score:3)
After much consternation (Score:4, Interesting)
I broke down recently and bought a few wifi smart plugs based on the ESP8266. While I did flash open source firmware and put them in a VLAN jail, they still scare the shit out of me as a general rule. But, it did get me interested in all the things you can do with an ESP-32 dev board for a few dollars. Boy, electronics nerds today really have a lot of crazy tools at their disposal.
I still have a really hard time understanding how people think it is a good idea to connect their refrigerator, water heater, or a handful of other devices to the internet. Looking at these controllers you are just asking for problems...
Re:After much consternation (Score:4, Informative)
The ESP boards are great for hobby stuff - and quite probably for consumer stuff too. However, they're still very limited, and so can't withstand a proper attack without possibly crashing or otherwise suffering. They also probably can't run a full suite of IP stack, fail2ban type blocking, self-updates, SSH with long keys, etc etc. So beware anywhere they're being used - especially if they're using upnp to open a port on your firewall to accept connections from outside.
These days, IMHO if you're using much less than a Raspberry Pi to connect to the Internet, you're probably going to fail at it. You just can't run the software you need, get the updates you're going to need and ward off all the crap that comes at you. If you use a lesser system for your IoT solution, then you'll need to tighten up elsewhere to make up for the compromises you just made.
FWIW, IoT on a private wifi network, on a private vlan probably isn't all that much of a risk. Internet access to end-devices is where the problem comes up - if your product requires a "hub", then the hub can do all the hard stuff and each device can be pretty dumb, so you stand a chance of being able to do it safely (although just because there's a hub is no guarantee of quality, of course). The trouble is, "hubless" products are more convenient and probably cheaper than the hubbed variety, and "control via app from anywhere in the world" sounds great, so I wouldn't expect this sort of problem to be solved any time soon.
Re: (Score:2)
I wonder just how well a Pi is suited to the task though, naked on the Internet. Debating about putting my NextCloudPi out there right now...
The problem isn’t just “inherent security”, but also the ability to monitor the device proactively, and somehow filter the data to get logical and actionable information. Automated updates can be your enemy as well, especially when working across many different packages.
It is so much easier to keep everything behind a VPN, but some of this cloud stu
Re: (Score:2)
It would be great if you could buy a USB controlled mains extension cable with a few outlets. Then you could use any random device with USB ports, securing it as it should be.
The closest I have found cheaply are cables that turn off power to the outlets when USB power is cut. Unfortunately most computers do not support turning USB power off. However, I believe the Raspberry Pi can do so, albeit not per port.
Re: (Score:2)
There's a whole list of hubs somewhere which support power options, although you need a host to be able to tell them to do their thing.
And yes, the RPi can turn off power to the USB ports - it depends on which model of RPi you use as to which capabilities you get though.
Simple Way To Avoid... (Score:5, Insightful)
Don't buy stuff that requires somebody's app and server, and a wifi connection, for the device to work. I got an EV charger without wifi (the car manages all the scheduling) - and saved over a hundred $$ from what the same thing with wifi and an app would have cost. I got new AC with thermostats that are 1) not Google; and 2) work just fine as standard programmable thermostats without the wifi connected. I have now and want to find as a replacement a "smart" TV that doesn't require (or even support) control via an app; a normal remote is adequate, and universal remotes are available (sometimes come with TVs and media players) that know or can learn the commands for devices connected to the TV. My water heater is gas, no wifi and no electric connection needed. The refrigerator is completely "dumb" but still keeps stuff cold just fine. Of course, I can't change thermostat settings from the other side of the world - but then neither can the hackers. IOW no IoT with heavy loads (really, no IoT for now - though I'm approaching the point where doorbell and other surveillance cameras, connected if possible to a server in the house rather than Amazon or Google, might just be interesting).
Does anybody still make drapes and shades you can just pull across windows, rather than using an app to control a motor using somebody's remote server? /luddite
Re: (Score:2)
For my Tv, the app replaces the physical remote, so I didn't install it.
Got a 2019 smart Tv. Plugged it in and first step was FTA channels. Then it demanded a wi-fi password which I provided. Third was a ToS screen: I unticked 'updates', (remote control on your phone) 'app', and 'voice', then clicked 'Agree'. It works fine with the supplied remote-control and the internet Tv mode (mostly pay-to-view, eg. Netflix) accesses YouTube without using a Google log-in.
Re: (Score:1)
a normal remote is adequate, and universal remotes are available (sometimes come with TVs and media players)
That sounds like a security risk to me. Someone could from outside your house use IR to change your TV channel. That is a weak effort, a diet coke of Luddites. Come join our club of people who eschew modern convenience when your TV has actual buttons.
Re: (Score:3, Funny)
Real buttons? My problem is sourcing good contact cleaner for the rotary mechanical tuner. Tuner bath isn't that easy to find in the post Radio Shack world. And the knob is wearing out. I don't want to have to revert to using a pliers to change channels.
This must be 10 years old now (Score:2)
I did read a paper on synchronized switching of PC power (via CPU load, for example) and power of Internet connected devices back then to destabilize the grid. If I remember correctly, just manipulating the energy market was included as a side remark, because it is blatantly obvious as a secondary possibility. May also have been 15 or 20 years ago. So this is _old_ news.
Re: (Score:2)
Re: (Score:2)
Should be easy to trace (Score:2)
To be sensitive to market changes in price fluctuations of power you would need to be a damn large user paying wholesale rates for power. It should be easy to note who the beneficiary of these campaigns are and trace the activity to them.
Re: (Score:3)
you would need to be a damn large user paying wholesale rates for power
Or just an investor betting a relatively small sum on futures contracts on wholesale power.
From Within The Utility Companies (Score:3, Interesting)
These hackers could even be employees from within the utility companies. A team dedicated to pump greater revenue from unsuspecting utility customers.
No need to give them ideas! (Score:3, Funny)
Evil hackers for hire (Score:4, Insightful)
Isn't it a bit stupid by these scientists to assume hiring hackers to do the evil bidding for companies is a common scenario?
At this point many market analysts will have software, possibly AI-based, to analyse markets and to detect even small manipulations. So I don't believe the damage of their chosen scenario is very significant.
I wish they would look into how much damage a single 14-year old teenager can cause, who wants to have fun and "blow shit up". How high could the damage be there? How much extra CO2 could it cause, how many devices could drop out or get destroyed, and how expensive could this get?
I don't care for scenarios where hackers are assumed to be evil, greedy, unethical, immoral for hire criminals and it's companies doing the hiring. Half of all politicians match this description. I am more concerned about kids doing it, which is not uncommon.
Profit via electricity futures (Score:2)
Instead of "hackers", why not enlist the public?
If you allow the firm access to your AC, the firm can use your devices to manipulate demand, thus affecting the price of electricity futures. The firm trades on those futures, and all profits will flow back to the people who are under control. Win/win!
After all, why hack in when you can just share the wealth?