How to Hack the Power Grid Through Home Air Conditioners
Now researchers have found another way to take down the power grid: by remotely manipulating home and office air conditioners to create a surge.
The devices, which can be installed on both central air conditioning systems and window units, can be easily manipulated by hackers, say Vasilios Hioureas of Kaspersky Lab and Thomas Kinsey of Exigent Systems, who conducted their research as part of the Securing Smart Cities initiative. The two presented their findings today at the Kaspersky Security Analyst Summit.
The system works like this: operators at regional power centers send a command over radio frequency, which is amplified by repeater stations installed throughout a city so that it reaches the devices and shuts down the air conditioners. But the systems Hioureas and Kinsey examined neither encrypt that communication nor authenticate it, so nothing stops unauthorized parties or systems from talking to the devices: anyone in the vicinity who can emit a stronger signal than the one the utility sends through the repeater stations can manipulate the devices as well.
“Anyone with $50 can generate a signal that can trump a repeater [to take out a few air conditioners]; and anyone with $150 can generate that through an [amplifier] and presumably take out a whole neighborhood,” says Kinsey. “And obviously you can scale that up as much as you want to [depending on the strength of your signal].”
A hacker could cut air conditioners during a heatwave—creating a potentially fatal condition for the elderly and sick—or turn air conditioners on during peak energy periods, causing a surge that creates a widespread blackout. Or a hacker could directly attack a specific home or office by taking advantage of the fact that the systems have unique IDs and can be singled out.
The attack against the devices requires little skill. All a hacker would need is to be on the same radio frequency as the utility company, and then they could monitor and record the commands the company sends to the devices (a technique known as sniffing). From there, they could just play back those recorded commands to other devices to get them to turn on or off (a so-called “replay” attack).
“This is the funny part, to show how ridiculously insecure it really is, you don’t have to even know anything or reverse-engineer anything and you can reproduce the result [by doing a replay attack],” says Hioureas.
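The replay attack described above works only because the receiver accepts any well-formed command it hears. The following added example (written for this page, not code from the researchers or from any vendor) models that in a toy protocol: a legacy receiver that acts on bare frames beside a hardened receiver that shares a key with the utility, checks an HMAC tag, and rejects any counter it has already seen. The frame layout, device ID, key, and command values are all constructed for the example; nothing here reflects the real devices' format.

```python
import hashlib
import hmac
import struct

# Constructed command values and frame layouts; the real devices' format is
# not public and is not reproduced here.
CMD_OFF = 0x00
CMD_ON = 0x01
TAG_LEN = 16  # truncated HMAC-SHA256 tag carried in hardened frames


def legacy_frame(device_id, cmd):
    """Unauthenticated frame: device_id (4 bytes) | command (1 byte)."""
    return struct.pack(">IB", device_id, cmd)


class LegacyReceiver:
    """Models the flaw in the article: any frame addressed to this device is
    acted on, so a sniffed frame can be played back at will."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.state = "on"

    def receive(self, frame):
        if len(frame) != 5:
            return False
        device_id, cmd = struct.unpack(">IB", frame)
        if device_id != self.device_id:
            return False
        self.state = "on" if cmd == CMD_ON else "off"
        return True


def hardened_frame(key, device_id, cmd, counter):
    """Authenticated frame: device_id | command | counter (4 bytes) | tag.
    The tag binds all three fields to a key only the utility and device hold."""
    body = struct.pack(">IBI", device_id, cmd, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class HardenedReceiver:
    """Verifies the tag before parsing and refuses counters that do not
    advance, so a captured frame cannot be replayed or modified."""

    def __init__(self, device_id, key):
        self.device_id = device_id
        self.key = key
        self.last_counter = -1  # highest counter accepted so far (must persist)
        self.state = "on"

    def receive(self, frame):
        if len(frame) != 9 + TAG_LEN:
            return False
        body, tag = frame[:9], frame[9:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or tampered frame
        device_id, cmd, counter = struct.unpack(">IBI", body)
        if device_id != self.device_id:
            return False
        if counter <= self.last_counter:
            return False  # replay of an already-used counter
        self.last_counter = counter
        self.state = "on" if cmd == CMD_ON else "off"
        return True


def demo():
    """Run both receivers against a captured frame and its replay."""
    device_id = 0x0000BEEF      # constructed device ID
    key = b"\x11" * 32          # constructed shared key

    legacy = LegacyReceiver(device_id)
    captured = legacy_frame(device_id, CMD_OFF)   # what a sniffer would record
    legacy.receive(captured)
    legacy_state_after_first = legacy.state       # "off"
    legacy.state = "on"                           # unit switched back on later
    legacy_replay_accepted = legacy.receive(captured)

    hardened = HardenedReceiver(device_id, key)
    frame = hardened_frame(key, device_id, CMD_OFF, counter=1)
    first_accepted = hardened.receive(frame)
    replay_accepted = hardened.receive(frame)     # same counter: rejected
    tampered = bytearray(frame)
    tampered[4] = CMD_ON                          # flip command, keep old tag
    tampered_accepted = hardened.receive(bytes(tampered))
    fresh_accepted = hardened.receive(hardened_frame(key, device_id, CMD_ON, 2))

    return {
        "legacy_state_after_first": legacy_state_after_first,
        "legacy_replay_accepted": legacy_replay_accepted,
        "hardened_first_accepted": first_accepted,
        "hardened_replay_accepted": replay_accepted,
        "hardened_tampered_accepted": tampered_accepted,
        "hardened_fresh_accepted": fresh_accepted,
        "hardened_state": hardened.state,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened path costs exactly what the article says the old hardware lacks: a keyed MAC computation on every frame and a counter kept in non-volatile storage so that a power cycle does not reopen the replay window. Note that it does nothing against the jamming scenario, which no authentication scheme prevents; that has to be handled operationally, for instance by alerting when expected acknowledgements stop arriving.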
An attacker could also simply jam the RF traffic with noise, preventing the power company from communicating with the devices at all and so from shutting them down during peak hours.
The two researchers wouldn’t identify the devices they examined since they’re still in the process of reaching out to vendors. But Kinsey says that the chips used in some of them are so outdated and limited—one system they examined used a chip made in 1995—that even if the vendors wanted to add authentication to make the devices more secure, he doubts they could do it.
“It doesn’t look like there’s room [to add authentication]…it looks like the hardware is not capable of doing something like that,” he says.