- February 12, 2016
- Posted by: Kerry Tomlinson, Archer News
- Category: HVAC Security, Posts with image, Vulnerabilities
Security experts find a vulnerable spot in air conditioners that could shut down your A/C, your neighborhood’s A/C, and possibly beyond.
You tug at your collar. It’s getting hot in here, isn’t it? You check your air conditioner and find it shut off, right in the middle of a heat wave. But this shutoff came from a secret attacker, using a method of “remote control” to manipulate your cooling system, and possibly try to manipulate or destroy parts of the electric grid.
Security researchers say they have found a weakness in the system that could let attackers switch air conditioners on or off, one by one or en masse, with the goal of causing a major power outage.
The secret is in a device some electric companies ask customers to put on their units—central air or window sets—to let the utility control and even turn off your air conditioning to conserve electricity, according to Vasilios Hioureas of Kaspersky Lab and his research partner, Thomas Kinsey of Exigent Systems.
“This is done in order to balance and prevent damage to infrastructure or blackout,” Hioureas told Archer News.
Those devices are secure, right?
Not all of them, Hioureas said.
How it works
Hioureas explained how hackers could carry out the attack.
When utilities want to shut down your air conditioner, many of them send a signal by radio.
“Electrical companies have transmitters broadcasting from towers throughout the city,” he said.
But, he said, attackers can simply hijack that radio signal. The signal is not encrypted, and nothing in it lets the receiving device check who actually sent it.
“What we showed is that we were able to decode the signal being sent over the air and replicate the signal, allowing us to send similar signals, resulting in different commands to be issued to this device,” Hioureas said.
In other words, the attackers could control your air conditioning—and units across an area—by sending their own commands. If they don’t know the right commands, they could just record and replay the electric company’s commands, he said.
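The record-and-replay attack described above, set beside the kind of protection the experts later in this piece say should be built into the devices, as an added example that is not part of the original article or of the researchers' work. The frame layout, group address, command codes and key below are all invented for illustration; the page does not describe the real controllers' radio protocol. The legacy receiver obeys any frame with the right group address, so a captured frame can be replayed and a forged one crafted. The authenticated receiver requires an HMAC tag under a shared key and a strictly increasing counter, so a replayed or altered frame is rejected.

```python
"""Hypothetical demand-response radio frames: unauthenticated vs. authenticated.

Everything here (frame format, addresses, commands, key) is constructed for
illustration and is not the protocol of any real utility load-control device.
"""
import hashlib
import hmac
import struct

CMD_SHED = 0x01     # utility asks the controller to cut the compressor
CMD_RESTORE = 0x02  # utility releases the controller


# --- Legacy receiver: whatever arrives on the air is obeyed -----------------
def legacy_encode(group: int, cmd: int) -> bytes:
    """Hypothetical 3-byte frame: 16-bit group address + 8-bit command."""
    return struct.pack(">HB", group, cmd)


class LegacyReceiver:
    def __init__(self, group: int):
        self.group = group
        self.shed = False  # True while the compressor is locked out

    def receive(self, frame: bytes) -> str:
        if len(frame) != 3:
            return "malformed"
        group, cmd = struct.unpack(">HB", frame)
        if group != self.group:
            return "ignored"  # addressed to some other group of units
        if cmd == CMD_SHED:
            self.shed = True
        elif cmd == CMD_RESTORE:
            self.shed = False
        else:
            return "unknown"
        return "accepted"  # no check of origin, no check of freshness


# --- Authenticated receiver: keyed tag plus anti-replay counter -------------
BODY_LEN = 7   # 16-bit group + 32-bit counter + 8-bit command
TAG_LEN = 8    # truncated HMAC-SHA256 tag appended to the body


def auth_encode(key: bytes, group: int, counter: int, cmd: int) -> bytes:
    body = struct.pack(">HIB", group, counter, cmd)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthReceiver:
    def __init__(self, key: bytes, group: int):
        self.key = key
        self.group = group
        self.last_counter = 0  # highest counter accepted so far
        self.shed = False

    def receive(self, frame: bytes) -> str:
        if len(frame) != BODY_LEN + TAG_LEN:
            return "malformed"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad_tag"  # forged, altered, or wrong key
        group, counter, cmd = struct.unpack(">HIB", body)
        if group != self.group:
            return "ignored"
        if counter <= self.last_counter:
            return "replay"  # a genuine frame, but one we have already seen
        self.last_counter = counter
        if cmd == CMD_SHED:
            self.shed = True
        elif cmd == CMD_RESTORE:
            self.shed = False
        else:
            return "unknown"
        return "accepted"


def legacy_attack() -> dict:
    """Attacker records the utility's shed frame, replays it, then forges one."""
    rx = LegacyReceiver(group=0x0042)
    captured = legacy_encode(0x0042, CMD_SHED)  # sniffed off the air
    results = {"utility_shed": rx.receive(captured)}
    results["utility_restore"] = rx.receive(legacy_encode(0x0042, CMD_RESTORE))
    results["replayed_shed"] = rx.receive(captured)  # no utility involved
    results["shed_after_replay"] = rx.shed
    forged = bytes([0x00, 0x42, CMD_RESTORE])  # attacker decoded the format
    results["forged_restore"] = rx.receive(forged)
    return results


def auth_attack() -> dict:
    """Same attacker against a receiver that checks origin and freshness."""
    key = b"\x11" * 32  # constructed per-group key, provisioned out of band
    rx = AuthReceiver(key, group=0x0042)
    shed = auth_encode(key, 0x0042, 1, CMD_SHED)
    results = {"utility_shed": rx.receive(shed)}
    results["utility_restore"] = rx.receive(auth_encode(key, 0x0042, 2, CMD_RESTORE))
    results["replayed_shed"] = rx.receive(shed)  # counter 1 is stale now
    results["shed_after_replay"] = rx.shed
    altered = bytearray(auth_encode(key, 0x0042, 2, CMD_RESTORE))
    altered[6] = CMD_SHED  # flip the command byte; tag no longer matches
    results["forged_shed"] = rx.receive(bytes(altered))
    results["wrong_key"] = rx.receive(auth_encode(b"\x00" * 32, 0x0042, 3, CMD_SHED))
    return results


if __name__ == "__main__":
    print("legacy:", legacy_attack())
    print("authenticated:", auth_attack())
```

The counter is what defeats a straight replay: the receiver must remember the highest value it has accepted and the transmitter must never reuse one, which means both sides need state and a shared key that the fielded hardware described later in this article was never built to hold. That is the practical reason a fix is harder than the attack.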
It is all too simple—and inexpensive—for someone with nefarious intentions, Hioureas added.
“This device and attack is much easier to access for a hacker than would be, for example, attacking a power substation. This is an extra reason why it is a serious issue,” he said.
What could happen?
Attackers could use this tactic to cause big problems, Hioureas said.
“Our work showed this danger applied towards a smaller scale,” he said. “But the only difference between the small scale and large scale scenario is the amount of money a criminal organization, for example, would be willing to throw at it.”
He and Kinsey explained the vulnerability at the Kaspersky Security Analyst Summit in Spain this week.
“Using the same attack which we demonstrated, but by simply buying more transmitters and installing them in more locations, you can just as easily compromise a wider area,” Hioureas said. “And as more and more homes begin installing these devices, the effects will only be amplified in the event of an attack.”
“Under the correct conditions, if properly orchestrated, I believe this could be used to cause a widespread outage,” he added.
He said an attacker could send a rogue command to turn on all air conditioning units simultaneously, causing a massive spike in load on the grid.
“The main point that we wanted to make was that it is very dangerous that it is possible to create a critical load on the power grid by simply compromising a consumer-level product like an air conditioner shutoff,” Hioureas said.
What are the chances?
Some cybersecurity experts say that though the attack may be possible, it is not likely.
“I do not think there is a high risk of a widespread blackout,” said Chris Sistrunk with Mandiant, a FireEye company.
He said it would be difficult for attackers to get all of the units to start at the same time, unless all of the units were the exact same type and age, and the same distance away from the radio. If attackers were able to do so successfully, he said, they would face another hurdle.
“Many utilities—especially in the South—are prepared for many A/C units to come on,” Sistrunk said.
“For instance, in August on a very hot day, all of the A/C units are running,” he said. “If a distribution feeder goes out—say due to a limb or other thing that can be fixed—when the feeder is energized, everyone’s house regains power and all of the A/C units, refrigerators, lights, and appliances turn on at the same time—and the feeder stays on!”
“This cold load current is much more current than just the A/C units starting at the same time,” he added.
“These A/C unit remote control devices typically only control power to the compressor,” Sistrunk said. “If the devices are told to turn on by the power company or an attacker, the compressor won’t actually turn on unless the thermostat in the house tells it to turn on as well.”
Sistrunk said these kinds of load issues are incorporated into system design, at least in North America, with many layers of defense.
“There are so many further protections against it, starting with the very first fuse,” he said.
“It is possible that, in the right conditions, a small scale outage could occur if the distribution line was undersized and the protections were improperly designed,” said Sistrunk. “However, the power company would notice this situation because the line would have more outages more often than properly designed lines.”
Plug the security hole
Still, Sistrunk said, the problem should be fixed.
“I do believe that security should be built into the remote control devices going forward,” he said.
Other cybersecurity experts agree.
“Much of what makes the grid ‘smart’ is the interconnection of different systems involved in power generation, transmission and distribution,” said Eric D. Knapp, co-author of the book “Applied Cyber Security and the Smart Grid.”
“This means that those interconnections need to be authenticated and secure,” he told Archer News.
“In this example, the consequences of manipulation are easy to grasp because the supply and demand relationship is a familiar one,” he added. “If you can control one half of that equation it’s going to directly impact the other.”
Not an easy fix?
The researchers are contacting vendors to notify them of the problem, reported WIRED.
But they say the systems they tested use old technology and could be very hard to update, according to the article.
The attack is easy; the fix is not.
“When this is combined with the fact that there is not an easy patch that can be pushed out to the devices in order to fix the problem, this means that they will likely stay vulnerable for quite some time,” said Brandon Workentin with EnergySec.
Device makers need to concentrate on protection from the start, he told Archer News.
“This demonstrates the need for Internet of Things companies to have a focus on security beginning in the design stage,” he said.
“Unfortunately, including security as a base requirement means development will likely take more time,” said Workentin, “and the market rewards companies which have a working system first, not those which have a secure system later.”