
Poor IoT security could take down power grid, warns researcher

A security researcher who has exposed a series of vulnerabilities in IoT devices says he is concerned about systemic attacks that could take down parts of the internet or national power grids

Poor security on devices making up the internet of things (IoT) could potentially enable attackers to use them to down power grids, a security researcher and penetration tester has warned.

Ken Munro, partner at Pen Test Partners, is continually testing the security of IoT devices and recently found that some types of internet-connected thermostats are vulnerable to attack.

This means an attacker could take control of these devices and potentially trigger hundreds of thousands of heating or cooling systems in the same area to come on at the same time.

“That would be an enormous drain on the power grid, and it doesn’t take much to push a power grid into an overload situation, causing shutdowns,” he told delegates at IPExpo at Excel, London.

This could result in the need for a “black start” procedure to recover from a shutdown, but all power stations need some power to start up.

In normal conditions, this power comes from neighbouring power stations, but if all surrounding power stations have been shut down by an attacker, a total blackout could result.

“Some, but not all, power stations in the UK have a ‘black start’ power source on site to bring the power grid back up, and auxiliary power supplies of this sort are quite rare in the US,” said Munro.

“That is why the IoT scares me. If an attacker could take down enough power stations, it could result in a massive power outage that could take several days to recover from.”


Echoing a similar warning by security researcher James Lyne that the IoT poses a very real threat to cyber security, Munro said the attack surface was “absolutely enormous”.

With vulnerabilities in wireless communications, mobile apps and firmware, there were many different opportunities for compromise, he said.

“And yet manufacturers with little or no understanding of security have a go at this, and by buying untested and unsecured devices, people are giving suppliers a huge opportunity to make a lot of money at their expense,” said Munro.

His research has revealed that common IoT failings include:

  • Using common default passwords
  • Including encryption keys and passwords in the source code of IoT-related apps
  • Including encryption keys and passwords in devices’ firmware
  • Leaving Bluetooth permanently in pairing mode
  • Failure to use passcodes for Bluetooth
  • Failure to disable diagnostic ports on live devices
  • Failure to validate input to prevent SQL injection attacks

Munro advised organisations that were considering using or producing IoT devices and apps to look at guidance from the Open Web Application Security Project (Owasp) and the IoT Security Foundation.

“When dealing with suppliers, write your security requirements into the contracts and then test to verify that those requirements have been met and whatever you are using is very secure,” he said.

Failure to do so could result in devastating damage to an organisation’s customers and reputation, said Munro. He warned that the IoT was a potential “trainwreck for security” and that the situation could get “a whole lot worse” before it gets better.
