Published in IoT

Hackers use IoT botnets to mess with the energy markets

by on05 August 2020

Shocking what you can do if you know what you are doing

Security experts at the Georgia Institute of Technology have discovered that high-wattage IoT botnets -- made up of power-guzzling devices like air conditioners, car chargers, and smart thermostats -- could be deployed strategically to increase demand at certain times in any of the nine private energy markets around the US.

If an attacker knows what she or he is doing he or she could stealthily force price fluctuations in the service of profit, chaos, or both. The researchers used real, publicly available data from the New York and California markets between May 2018 and May 2019 to study fluctuations in both the "day-ahead market" that forecasts demand and the "real-time market", in which buyers and sellers correct for forecasting errors and unpredictable events like natural disasters.

By modeling how much power various hypothetical high-wattage IoT botnets could draw, and crunching the market data, the researchers devised two types of potential attacks that would alter energy pricing. They figured out how far hackers could push their attacks without the malicious activity raising red flags.

Tohid Shekari, a PhD candidate at the Georgia Institute of Technology who contributed to the research, along with fellow PhD candidate Celine Irvine and professor Raheem Beyah said the report assumed access to a high-wattage IoT botnet.

"In our scenarios, attacker one is a market player; he's basically trying to maximise his own profit. Attacker two is a nation-state actor who can cause financial damage to market players as part of a trade war or cold war. The basic part of either attack is to look at price-load sensitivity. If we change demand by a percent, how much is the price going to change as a result of that? You want to optimize the attack to maximize the gain or damage."

An attacker could use their botnet's power to increase demand, for instance, when other entities are betting it will be low. Or they could bet that demand will go up at a certain time with certainty that they can make that happen. "The researchers caution that, based on their analysis, much smaller demand fluctuations than you might expect could affect pricing, and that it would take as few as 50,000 infected devices to pull off an impactful attack", the report adds.

"Consumers whose devices are unwittingly conscripted into a high-wattage botnet would also be unlikely to notice anything amiss; attackers could intentionally turn on devices to pull power late at night or while people are likely to be out of the house. The researchers calculated that market manipulation campaigns would cause, at most, a seven percent increase in consumers' home electric bills, likely low enough to go unnoticed."

The researchers say market manipulators could take home as much as $245 million a year, and cause as much as $350 million per year in economic damage.

Last modified on 05 August 2020
Rate this item
(0 votes)

Read more about: