igor - Fotolia
Poor security on devices making up the internet of things (IoT) could potentially enable attackers to use them to down power grids, a security researcher and penetration tester has warned.
Ken Munro, partner at Pen Test Partners, is continually testing the security of IoT devices and recently found that some types of internet-connected thermostats are vulnerable to attack.
This means an attacker could take control of these devices and potentially trigger hundreds of thousands of heating or cooling systems in the same area to come on at the same time.
“That would be an enormous drain on the power grid, and it doesn’t take much to push a power grid into an overload situation, causing shutdowns, ” he told delegates at IPExpo at Excel, London.
This could result in the need for a “black start” procedure to recover from a shutdown, but all power stations need some power to start up.
In normal conditions, this power comes from neighbouring power stations, but if all surrounding power stations have been shut down by an attacker, a total blackout could result.
“Some, but not all, power stations in the UK have a ‘black start’ power source on site to bring the power grid back up, and auxiliary power supplies of this sort are quite rare in the US,” said Munro.
“That is why the IoT scares me. If an attacker could take down enough power stations, it could result in a massive power outage that could take several days to recover from.”
Read more about IoT security
- Cyber crime defences are lagging behind IoT development, which could be disastrous for producers and consumers alike, warns Telefónica report.
- Growth of the internet of things will be slowed or stunted if the industry fails to be proactive about data security, according to IoT Security Foundation.
- The influx of IoT devices will inevitably bring security headaches. Don’t miss out on the opportunities of IoT, but learn how to avoid security issues.
- The five key information security risks associated with the internet of things that businesses can and should address.
Echoing a similar warning by security researcher James Lyne that the IoT poses a very real threat to cyber security, Munro said the attack surface was “absolutely enormous”.
With vulnerabilities in wireless communications, mobile apps and firmware, there were many different opportunities for compromise, he said.
“And yet manufacturers with little or no understanding of security have a go at this, and by buying untested and unsecured devices, people are giving suppliers a huge opportunity to make a lot of money at their expense,” said Munro.
His research has revealed that common IoT failings include:
- Using common default passwords
- Including encryption keys and passwords in the source code of IoT-related apps
- Including encryption keys and passwords in devices’ firmware
- Leaving Bluetooth permanently in pairing mode
- Failure to use passcodes for Bluetooth
- Failure to disable diagnostic ports on live devices
- Failure to validate input to prevent SQL injection attacks
“When dealing with suppliers, write your security requirements into the contracts and then test to verify that those requirements have been met and whatever you are using is very secure,” he said. ....................................
Failure to do so could result in devastating damage to an organisation’s customers and reputation, said Munro. He warned that the IoT was a potential “trainwreck for security” and that the situation could get “a whole lot worse” before it gets better.