At the Security Analyst Summit 2016, Vasilios Hioureas from Kaspersky Lab and Thomas Kinsey from Exigent Systems revealed how anybody with $50 in their pocket can hack a neighbor’s air conditioner. If a hooligan chooses the right time and place, he can even cause a blackout in the neighborhood.
How is this possible?
Many people take their energy consumption seriously and try to be responsible in their usage. This type of approach is also encouraged by the states. Some utility companies in the United States offer their customers the opportunity to save up to $200 per year if they allow the provider to turn their air conditioners off during peak energy periods. This is all done remotely, of course.
To do that, the companies connect the air conditioning system to a special device, which receives commands to switch on and off over the air. Summer is hot, but during peak periods it’s much better to spend a few hours without air conditioning than have no electricity at all, so that policy seems quite reasonable.
Whenever necessary, operators at regional centers send the command to turn air conditioners off via a specific radio frequency. Repeater stations installed all over the city amplify the signal until it reaches its destination. The problem is that none of the receivers examined by our researchers had any encryption or authentication. So in fact, anybody who could emit a stronger signal was able to overpower the utility company’s commands and gain control over all of these devices.
The necessary equipment can be easily purchased by pretty much anyone: it’s cheap and not hard to find. If you have $50, you can buy a device that is capable of powering on and off several air conditioners nearby. But if you can come up with $150, you could control a couple of blocks of your neighborhood. If you are a deep-pocketed criminal, this can be scaled up to control the whole city.
While this is a bad scenario at first glance, it is not overly critical. The reason is that air conditioners turned off during the summer or turned on remotely in the winter would only seriously impact certain parts of the population (elderly, terminally ill, etc.) in a dire manner. This group is typically not one that would be a prime participant in the program. Actions like this can also break air conditioning units.
The larger issue lies in peak energy periods, when a criminal could turn all of the air conditioners on at one time. This can cause a sudden blackout in the whole district.
What’s the purpose of doing that?
One scenario could be that the criminals need it to break into the de-energized office of their business competitors. It’s noteworthy that such manipulations do not require any special skills. The only thing a criminal needs to do is find the radio frequency used by the utility company and write down the commands that are sent by operators.
Another way to exploit this vulnerability is to jam the RF traffic with noise and enjoy both the utility company’s discount and working air conditioners during peak hours.
The researchers did not disclose the names of the vulnerable devices as they are still discussing this problem with the vendors. However, the whole situation shows how insecure our connected world is. It doesn’t really matter how exactly it is connected — via radio frequencies or Internet, it’s possible to hack both, as people do not care about security as much as they should.
Technologies are constantly developing, and five-year-old devices can now be hopelessly outdated. Meanwhile, Hioureas and Kinsey found out that the chip used in some of the devices they examined in this case was developed in 1995. As a result, even if the vendor wanted to add authentication to such a device, it would be impossible: the equipment simply would not cope with this task.
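What the missing authentication would have to provide, shown as an added example (not code from the researchers or any vendor): each command carries a counter and an HMAC tag, so a forged frame or a recorded one sent again is rejected. The frame layout, command codes and key below are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

CMD_OFF, CMD_ON = 0x00, 0x01   # hypothetical command codes
TAG_LEN = 8                    # truncated HMAC-SHA256 tag (assumed, keeps frames short)
BODY = struct.Struct(">IB")    # assumed layout: 4-byte counter, 1-byte command


def build_frame(key: bytes, counter: int, command: int) -> bytes:
    """Operator side: body followed by a MAC computed over the body."""
    body = BODY.pack(counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Receiver:
    """Load-control receiver that accepts only fresh, authenticated frames."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0    # must survive power loss on a real device
        self.relay_on = True

    def handle(self, frame: bytes) -> str:
        if len(frame) != BODY.size + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:BODY.size], frame[BODY.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "rejected: bad tag"
        counter, command = BODY.unpack(body)
        if counter <= self.last_counter:             # a recorded frame sent again
            return "rejected: replay"
        if command not in (CMD_OFF, CMD_ON):
            return "rejected: unknown command"
        self.last_counter = counter
        self.relay_on = command == CMD_ON
        return "accepted"


def demo() -> list:
    key = bytes(range(32))                  # constructed demo key, not a real secret
    rx = Receiver(key)
    genuine = build_frame(key, 1, CMD_OFF)
    flipped = genuine[:4] + bytes([CMD_ON]) + genuine[5:]   # command byte altered
    unkeyed = build_frame(b"\x00" * 32, 2, CMD_ON)          # sender without the key
    return [rx.handle(genuine), rx.handle(genuine),
            rx.handle(flipped), rx.handle(unkeyed), rx.relay_on]
```

A check like this does nothing against the jamming case described above, and a key shared by every receiver is only as safe as the least protected device that holds it.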