“Alexa, use IoT to kill the power grid”

I first started thinking about IoT as an attack weapon last year, when we realised that uncommanded synchronous switching of compromised smart thermostats could create significant load on the power grid.

Today, I read a really interesting article relating to a talk at SHA2017 about exploitation of solar panels. We looked at something similar with solar panel inverters a while back but had never considered that powering off, then turning on large numbers of panels could create similar enormous power spikes. Easily enough to create a Black Start event.

That got me thinking: what other IoT devices out there could be exploited to kill the power grid?

Suitable IoT would have to have a significant power draw, or have a very large number of devices that draw less power. All you need to do is switch all on, then off, then back on again. The UK grid is quite resilient to ‘on’ or ‘off’ spikes, but not to ‘on/off/on’ and vice versa.

My favourite is of course the smart kettle.

2.5kW per device and the latest versions have an API. All you need is a flaw in the web service, and you have everything you need.

There are plenty of different smart kettles to choose from, though the most popular in the UK as far as I know is the one from Smarter. The latest version has an API, though is a whole lot more secure than their earlier efforts.

Larger power draws

Consumer IoT usually seems pointless to me. It does have its places though: saunas take a long time to warm up, so I can see the point in being able to remotely control the heater from the train en route home. Sauna heaters, such as Huum’s Drop, draw a LOT of power – 6kW plus…

Your oven has a pretty significant power draw – 3kW and up; there are plenty of smart ovens on the market, including one that we had a crack at in DEF CON 25’s IoT Village. We took out the mains supply at 44con 2016 whilst testing a different smart oven too; proof that spikes are possible, even when you don’t intend to!

However, by far the most significant draw in the consumer space has to be charging of electric vehicles. I have a Wi-Fi enabled  smart car charger on order from a mainstream manufacturer, but like lots of IoT promises, it appears to be vapourware.

My existing car charger switches 32 Amps at 240 Volts; 8kW ish. I’m planning to add a second also. Consider the enormous load if you could either trigger the chargers synchronously OR you could tamper with the charging profile of the vehicle via the mobile app API?

There are around 27,500 Outlander PHEVs in the UK currently – they only consume 15 Amps when charging, but find an API flaw and you could trigger around 100MW when they’re all plugged in overnight. Off, on, off. Grid experiences stress.

We already achieved this against the Mitsubishi Outlander. The saving grace was that the attack was local over Wi-Fi.

Or you could hit the chargers instead, where there is more commonality. There are over 100,000 chargers installed at private homes in the UK already.

Charger manufacturers and suppliers need to be very sure that their control systems are secure. Most government subsidised chargers in the UK have a reporting feature over GSM. Imagine if that could be turned against us; a breach of the vendor leads to take-down of the power grid?

Electric vehicle manufacturers also need to be certain that their APIs are secure.

Going larger still: industrial IoT

Domestic power draws are usually limited to around 25kW on single phase or more on three phase.

Commercial applications can draw MUCH more power. Industrial Control Systems are often inadvertently exposed on the public internet. Go surf shodan or follow Random Robbie’s shodan safari to find interesting ICS without any authentication.

What about sidestepping the need for a vulnerable API? Use Alexa!

Everyone laughed when a US TV show demonstrated how to use the Amazon Echo: the presenter announced ‘Alexa, buy me a dolls house’ at which point Alexa in numerous homes promptly did as it heard and hit Amazon up for kids toy houses.

Why not use Echo to trigger power demand?

You can see it in the near future: a popular TV or radio station inadvertently triggers a voice command whilst doing a demonstration. “Alexa, boil the kettle / turn on all the lights / turn all the power outlets off”.

There are similar attacks possible using Chromecast and other voice control devices.

What you lose in power draw per device when switching low power devices such as light bulbs you make back in volume…

Conclusion

It’s not just about smart thermostats and solar panels. The potential for IoT devices being used as attack weapons is huge.

Follow good practice advice; there’s some here https://www.pentestpartners.com/security-blog/advice-for-iot-device-manufacturers/