Over the last couple of years, I’ve published a few posts describing how ridiculously easy it is to hack computers and gadgets. We’ve looked at how we can hack medical equipment, car alarms, and even entire cities. Now the time has come to see how we can hack energy markets to make a profit, unleash chaos, or a little bit of both.

You’ve probably heard of the Internet of Things, or IoT for short. It’s not another internet, but the collective name for all the gadgets that are connected to the internet. Back in the good old days, the only thing connected to the internet was your computer. These days, however, pretty much every device is connected. Dish washers, air conditioners, DVRs, electric car chargers, toys, TVs, security cameras, and smart thermostats are just a few of the gadgets that for some reason have to be connected to the internet.

If the internet connection were just outbound, i.e. only used by the dish washer to collect information on the internet, IoT devices wouldn’t be much of a target for hackers. Alas, the vast majority of IoT devices also accept inbound connections. Your dish washer accepts inbound connections to enable totally unnecessary features like remote start, which could easily have been solved with a timer on the dish washer instead [1].

The incoming connection means that everyone on the internet can send commands to the IoT device. This wouldn’t have been a problem if the devices were secure. But security in IoT devices is notoriously bad. Many types and brands of IoT devices, for instance DVRs and security cameras, use the same Chinese white label hardware. It’s often cheap, and to make it cheap, every possible corner is cut during development and manufacturing. Security is often virtually non-existent, with well-known default passwords, wide open debug backdoors, and similar severe security vulnerabilities.

The large number of insecure IoT devices has resulted in the creation of several huge botnets with millions of infected devices.

Profit or Chaos

Traditional IoT botnets usually consist of low wattage devices like IP cameras and home routers. Their main application is extortion through DDoS attacks: Unless the target pays up, the party controlling the botnet will use it to generate enough traffic to take the target’s service offline.

But what if botnets started to take control of high-wattage devices like electric car chargers, air conditioning units, heaters, and smart thermostats? A talk presented at this year’s Black Hat goes through the details of how someone might take advantage of such a botnet.

Through clever manipulation of the energy markets, they could potentially earn millions of dollars. The presenters estimate that with a high-wattage botnet of just 50,000 devices, an attacker would be able to make up to 24 million USD per year while operating in today’s market. They also estimate that it would cost about $4,000 per month to build such a botnet, which is an enormous return on investment [2].

By controlling a large number of power-hungry devices, an attacker can also cause blackouts and chaos. By turning on many of the devices at the same time, the demand on the grid will soar, and you get local blackouts. By fine-tuning the botnet by geographical location, it would theoretically be possible to knock out large areas. The presenters estimate that a nation state actor could cause 350 million USD worth of damage.

There is a very simple solution to all this: We have to stop connecting all our shit to the internet. Your AC, dish washer, stove, heaters, and thermostats work perfectly well without their silly IoT features.


  1. A bit off topic, but running appliances when you’re not at home is a bad idea anyway. Don’t do that.

  2. I’m an honest guy, but personally I think this sounds like a very convenient way to earn a lot of money.