IoT botnets: Smart homes ripe for a new type of cyberattack

The burgeoning smart home device market has given rise to digital intrusion and potential energy market manipulation on a massive scale.

From smart pet feeders to web-enabled thermostats, the modern home features a vast suite of interconnected devices. In recent years, the market for these products has increased dramatically. By 2025, there will be an estimated 481 million smart homes worldwide, according to Statista's 2020 Digital Market Outlook.

These smart devices allow homeowners to increase efficiency and minimize their carbon footprint. However, these internet-enabled technologies create entirely new vulnerabilities for cyberattacks and criminal activity. A recent Georgia Tech study illustrates various ways utility companies and nation-states can use these devices en masse to manipulate energy markets and more.

IoT botnets, the grid, and market manipulation

In the smart home era, flipping the switch and siphoning energy from the grid is now a mere digital button away. In the idiosyncratic energy supply and demand markets, these joules mean money. By powering on a large number of devices, an energy supplier or utility company could artificially increase demand to boost profits. This idea is at the core of a Black Hat USA 2020 presentation led by Georgia Tech researchers Tohid Shekari and Raheem Beyah.

"The similar analogy would be, you're participating in a stock market and you know what is going to happen in the next day because you have some sort of control and manipulation over the next day's and next week's markets," Shekari said. 

In a recent phone interview, Shekari used a standard home electric vehicle (EV) charger to illustrate how these devices could drive energy market manipulations.

"The attacker can use the EV batteries, which form a small portion of the available vulnerable high-wattage devices, to charge [or] discharge them from [or] to the market just to slightly increase and decrease the load of the system. Such small energy manipulations, such as 1% of the system load, can significantly affect the energy market prices and the financial gain [or] loss of its players," Shekari said.

Unlike, say, a thermostat or a conventional oven, an EV charger powering on in the garage may not be a readily discernible sign of digital intrusion. This is an important consideration, as many organizations and institutions have transitioned to remote work and online education during the pandemic.

However, by monitoring and analyzing the routine use of these devices, an individual can determine a homeowner's schedule and then work within these parameters, Shekari explained.

Rather than triggering these devices on set daily schedules, attackers could instead attack intermittently throughout the week or month to minimize the risk of being discovered or raising suspicion.

"If you're doing this on a daily basis with huge profits, there is a very big possibility that you'll be caught, but we propose to take lower profits and not getting the maximum profits in order to keep your attacks stealthy," Shekari said. 

Such an orchestrated attack does not need massive daily energy manipulation to remain highly lucrative. In fact, intermittent strikes within small windows of time throughout the year could yield massive profits.

"If you perform this attack just three hours a day and not every day, just two days a week, we have shown that you can do huge manipulations in the market," Shekari said. 

The owner of a small power plant could make $24 million in additional annual profits, and a nation-state actor could cause a billion dollars in economic damage to the market, Shekari explained.

Data transparency and potential misuse

To accomplish this type of market manipulation, an attacker will, of course, need a battalion of compromised bots. However, a comprehensive understanding of typical energy consumption and the fluctuations in daily forecasts is also imperative. Once the range of normal variation is known, an entity can work within these confines to inconspicuously increase energy consumption.

"Imagine that you look at the market historical data and you extract the normal load fluctuation and the normal deviation of the load forecasting in a one-year period. You know that for example, 2% of the total demand fluctuation is pretty normal. And if anyone looks at the attacked load profile, he would think that 'OK this is a normal load forecasting error' and there is no sign of an attack or manipulation," Shekari said. 

At the moment, data pertaining to anticipated energy consumption is readily available online. This transparency essentially details the range in which this particular market could be manipulated without drawing suspicion. Although the information sharing may be ostensibly well-intended, knowledge of these detailed figures can help disguise market deception.

"This fearless, and unnecessary data sharing is the main code that can lead to such huge financial attacks to the market. The reason that they're doing this is that they're giving the opportunity to the market analyzers and researchers to study the patterns in the market and improve their bids or increase their economic profits in the market," Shekari said. 

Shekari believes the availability of this data may enable nation-states to carry out covert attacks within the forecasting error margins.

"They're sharing all of this information online with everyone publicly. So if you're sitting somewhere in China or Russia, you can simply just load the website, download all of the data that are being updated every five minutes, analyze them, and think about new ways of attack," Shekari said. 

To reduce the risk associated with this type of attack, Shekari suggested releasing processed data instead of raw market data and sharing data with the marketplace rather than making this information readily available to the public. Additionally, Shekari believes that registering these smart home devices could help identify suspicious activities and that machine learning could be used to help discern attacks within this myriad data, although current data is insufficient for such classification.
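As an added illustration (not from the article or the Georgia Tech study), the sketch below shows why a per-hour check against the normal forecast error band misses a small load shift, while aggregating the signed error by weekday and hour exposes a recurring bias. The error data, the attack slots, and the thresholds are constructed assumptions based on the 1% and 2% figures quoted above.

```python
import random
import statistics
from collections import defaultdict

BAND_PCT = 2.0      # forecast error treated as normal (the article's 2% example)
ATTACK_PCT = 1.0    # extra load during attack hours (the article's 1% example)
WEEKS = 52
# Constructed schedule: three hours a day, two days a week.
ATTACK_SLOTS = {(d, h) for d in (1, 3) for h in (17, 18, 19)}

def build_errors(seed=2020):
    """Constructed hourly forecast errors, % of forecast: (weekday, hour, error)."""
    rng = random.Random(seed)
    rows = []
    for _ in range(WEEKS):
        for day in range(7):
            for hour in range(24):
                err = rng.uniform(-1.0, 1.0)      # ordinary forecast noise
                if (day, hour) in ATTACK_SLOTS:
                    err += ATTACK_PCT             # small added demand
                rows.append((day, hour, err))
    return rows

def band_alerts(rows):
    """Naive check: flag any single hour outside the normal error band."""
    return [r for r in rows if abs(r[2]) > BAND_PCT]

def biased_slots(rows, z_min=6.0):
    """Flag (weekday, hour) slots whose mean signed error is persistently off."""
    by_slot = defaultdict(list)
    for day, hour, err in rows:
        by_slot[(day, hour)].append(err)
    all_errs = [r[2] for r in rows]
    mu, sigma = statistics.fmean(all_errs), statistics.pstdev(all_errs)
    flagged = {}
    for slot, errs in by_slot.items():
        # z-score of the slot mean against the pooled error distribution
        z = (statistics.fmean(errs) - mu) / (sigma / len(errs) ** 0.5)
        if abs(z) >= z_min:
            flagged[slot] = round(z, 1)
    return flagged

if __name__ == "__main__":
    rows = build_errors()
    print("hours outside the band:", len(band_alerts(rows)))
    print("slots with persistent bias:", sorted(biased_slots(rows)))
```

Every individual hour stays inside the 2% band, so the naive check raises nothing; only the slot-level aggregation over a year of data separates the six biased slots from noise.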

IoT botnet attacks: Past, present, and future

In recent years, botnet attacks utilizing an army of compromised IoT devices have caused widespread disruption. In 2016, the Mirai botnet delivered a wave of cyberattacks across the US and Europe, resulting in large-scale internet outages. For comparison's sake, that particular attack leveraged more than 600,000 IoT devices. The energy market manipulation detailed in the Georgia Tech study would require 15% of the Mirai botnet's capacity, according to Shekari, putting such a scheme squarely in the realm of demonstrated possibility.

Since the Black Hat presentation, a representative from the Federal Energy Regulatory Commission (FERC) has contacted the research team about their findings. The employee was interested in collaborating with the researchers to better understand and detect potential market manipulations, according to Shekari. In 2018, FERC investigated numerous potential energy market manipulation cases, Shekari explained, and a number of these were closed without action due to a lack of sufficient evidence.

"If you see someone who can make 200% profits every year, that's something weird. So there are some players that [are] in the market that are making profits like that, but [the FERC] have no evidence to detect these kinds of things and to figure out what's going wrong in this market," Shekari said. "Maybe they have some better prediction algorithms, who knows. Maybe they are manipulating something." 