Schneier on Security
A blog covering security and security technology.
January 23, 2008
I have absolutely no doubt that there will be security flaws in remotely controllable thermostats, allowing hackers to seize control of them. Do this on a too-hot day, and you might even cause a large blackout.
EDITED TO ADD (2/13): The proposal has been withdrawn.
Posted on January 23, 2008 at 6:07 AM
It's encoded AND encrypted. Well, that's OK then. 'Cause after all, the domain of potential signals must be huge. On, off, up, down. Nobody could ever figure out what is being sent. Or just send out enough (RF) power to jam the signal so it is never received and the power system is overloaded anyway.
Bruce .. are you for real on this? Just woke up on the left side of the bed again?
There are literally thousands of IP-based power control devices being sold for servers (a closer source to juicy data sources) .. and I haven't heard the world come down with a rash of shutdowns yet.
Why waste the power to jam it, just cut the antenna lead.
Blackouts, sure. What about deaths in an old folks' home? Turn off their air conditioning during a heat wave and watch the death toll rise.
Or kill the air conditioning and kill people.
Sounds like a good idea.
My toilet is IPv6 ready. Flush over ssh.
They're actually talking of turning up (summer) or down (winter) the temperature a few degrees, instead of shutting things off altogether.
Personally, I think the whole discussion misses the point. Power is wasted on heating or cooling homes with bad insulation which are not designed with energy efficiency in mind. Codes for new or re-built buildings should fix _that_ instead.
Are they planning to raise everyone's thermostat by 2 degrees regardless of the previous setting? Or will the adjustment only affect thermostats set to a given temperature range?
I already set my thermostat to uncomfortable extremes (just ask the Mrs.), so I don't like the idea of having 2 more degrees arbitrarily added or subtracted.
I think I saw an ad for a refrigerator freezer combo with built-in Ethernet once. I thought, some teenage cracker will defrost everything while you're at work.
Now I think the danger is overblown. I still think that thermostats need a manual override that cannot be overruled, but that's because handing the ultimate control to corporations and bureaucrats is dangerous.
I'd prefer some sort of financial penalty instead of this form of central control. House A (1200 sq ft using say 1000 kWh) pays more PER kWh than House B (2000 sq ft using 1000 kWh).
Hit the "wasters" in the pocketbook but don't make everyone suffer. Who cares if the shared pain is less if we all share it? Someone who conserves should not have to share the pain with the wasters.
Why invite the risk (real or perceived) if there is a less expensive and safer way to do it?
What you want to limit is electricity, not heating or air conditioning. If your thermostat is being lowered in winter time, and you feel cold, you just plug in another space heater or crank up the hot tub.
To be fair, you would want to throttle the maximum current that is supplied to homes, so that the residents can choose to run the air conditioning, the microwave or their 2000-watt surround system, but not all of them.
While we're talking about utilities: my water and electric meters are read remotely; surely there's a way to interfere with that?
Also, in a previous apartment, electricity was much cheaper at night, and the meter was switched between day time and night time remotely, using a signal over the power line. Wouldn't it be fun to hack the system and broadcast the "day time" signal early at night, so that everyone always paid the highest price ...
Well, duh. I think the big question isn't so much whether it can be done as how tracelessly it can be done. Because whoever does it and gets caught will have to face not only the law but the wrath of tens of thousands of very hot and cranky citizens...
It seems like they are using the paging network, which is a good thing (or at least better than using a custom interface with unknown security implications).
There are two obvious ways of hacking the system. You could build a Faraday cage around your thermostat to prevent it from getting pages. You could also put a heat source next to your thermostat so that it thinks that your house is warmer.
Overall, this is not a bad idea given a few provisos. The code has to be open so that it can be analyzed by third parties, and the temperature adjustment has to be limited to a few degrees in order to limit the potential damages.
Adding stricter energy efficiency standards to building codes would be a much more effective policy. Of course, the two are not mutually exclusive.
I wonder if hacking a thermostat could be used as a precursor to a larger crime or infiltration. For example, if you hacked the thermostat of a data center could you force the shutdown of the data center? Perhaps you could then pose as a repair person to gain physical access. If you hacked the thermostat for a school could you cause the school to be evacuated? What other mischief or mayhem could you inflict as a result?
Products already exist for cheating on thermostats -- like X10's Setback Module. It's a small heat source that you place below your thermostat to trick it into thinking your house is warmer than reality. The intent is to save money on a heating bill, but this can just as easily be used to trigger the air conditioning. If one thermostat in a neighborhood is (dishonestly) reporting 10 degrees higher than all the others, that house gets AC priority.
"That is not possible, said Nicole Tam, a spokeswoman for P.G.& E. who works with the pilot program in Stockton."
Famous last words?
We already have this in Wisconsin on a voluntary basis. It's a little box they put near your AC that receives radio signals to cycle it on or off during peak demand. If you use it on the 'highest' level, you can get a $50 credit on your energy bill for the summer. It's a bargain for the utilities, because they don't have to spend money adding capacity.
Florida Power and Light used to control my hot water heater. They gave me a substantial discount for the privilege, too. We never noticed a lack of hot water. If we ever needed it, I knew that I could cycle the breaker and it would fail to "on".
I would be willing to give this a try, so long as I could see what was happening and as long as I got a discount or other incentive.
Bruce is right that connecting something to a network makes for all kinds of insecurities that wouldn't exist otherwise. Same as when you add wireless to a network anywhere.
If there's going to be any kind of remote access involved with a home system, it has to be done very, very carefully (though I think it's far safer to cut off such a connection completely or have it just be one-way (messages out to you, but no commands in)).
Quoted from the article:
“This is an outrage,” one Californian said in an e-mail message to Dr. Rosenfeld. “We need to build new facilities to handle the growth in this state, not become Big Brother to the citizens of California.”
Hah - as if remote control were PG&E's first choice. A quick review of the history of new power plant proposals in California is in order for the emailer.
State controlled thermostats -- freaking commies!
Andy & Nick: That's the way to do it -- capitalism.
>State controlled thermostats -- freaking commies
THE THERMOSTATS WERE TO BE CONTROLLED BY POWER COMPANIES, NOT THE STATE. The proposal was that all new construction (and major renovations) would have these new thermostats that the power companies could diddle with.
> ... controlled by the power companies, not the state.
This falls into the 'if you're not doing anything wrong, you don't need to worry about surveillance' drawer.
I understand the whole Enron/California Power 'Crisis' was a few years back, but it's not the consumer that needs regulation. Blackouts were caused by traders gaming the system, no need for hackers.
So excuse me if I look at assurances of safety by PG&E officials with a skeptical eye.
If the general threat to SCADA infrastructure is overblown, how likely is a massive cyberattack on home thermostats?
Those who suggest setting the thermostat for lower consumption as a general practice - either voluntarily or involuntarily, whether it's by changing people's rates based on consumption, or enforcing an amperage cap, or eliminating subsidies so that people know how much their power actually costs and the free market can decide, or whatever - are missing the point.
The real issue is a need to reduce power consumption *in real time, when the system is overloaded*. That's what it will take to prevent blackouts, and it requires some form of real-time communication between the power company, who know when an overload is in progress, and the end-user. Preferably (from the power company's point of view) without human intervention.
You can do it in an automated way, or you can maybe consider doing it in some kind of human-mediated way - every so often the flashing light goes off to let you know that if you turn down your thermostat NOW you can earn a credit on your bill or whatever. But it has to be a real-time thing. Just a general overall reduction that doesn't respond in real time to overload conditions, isn't going to address this specific problem.
Major industrial users already have this kind of system in place. The power company offers them a lower rate for power in general, on the condition that they implement a *real-time* response to reduce power consumption in overload conditions. And there are obviously contractual specifications on how often the power company is allowed to call "overload," and how fast and how reliably the user has to respond to it, and so on. But the key is real-time response. General reduction in power use without real-time response, is a completely different issue.
Indeed, commies controlling the thermostats.
Because it's a commie thing - to herd people into the better future by the whips of law.
How about real-time _pricing_ of electricity? Let people (and their smart thermostats) choose for themselves how to spend their money.
"How about real-time _pricing_ of electricity?"
The power company would have to install the smart meters that record power consumption as a function of date and time. It's an interesting question whether spending (say) $100 on a meter like this for 20 million homes is a better investment than just building another power plant for $2 billion. Presumably it would be, as it would permit more efficient use of the existing resources ... but only for a little while of course.
But the more common answer to this is that all those poor people won't be able to afford the electricity for their TeeVee's, game consoles and in-window air conditioners, should the power company jack the rates when they are nearing capacity.
How about this scenario: turning the heat off in a building in the dead of winter. Over a weekend you could end up with totally frozen / busted pipes.
This is bizarre! My grandmother knew how to jump the thermostat wires at the furnace with a bobby pin when Papa put tape over the temp setting in the living room. Anyone with a brain could get around this nonsense.
Cranky Old Man
Alex Sayle had an old bit about the League of Mediocre Super-Heroes. One was "Gas Meter Reader-Man", who had the power to freeze old people to death in the winter. Now everyone will have that special power. And you know, when everyone has that special power, it's just not so special anymore...
This system needs three safeguards in it:
1. It has to be clearly indicated on the thermostat when this feature is enabled, and control over whether it's enabled or not has to reside in the thermostat under purely local control. The thermostat can report the state to the power company, but it must not be possible to remotely override the local enable/disable setting.
2. There has to be a local sanity check, either as a maximum change from the local setpoint or an absolute temperature limit. Any attempt to remotely command a setting exceeding the sanity limits must be rejected. For thermostats controlling separate heating and cooling systems it has to be asymmetric. The cooling side shouldn't be able to be commanded to lower than the current setpoint nor higher than the limit, while the heating side should be limited to no higher than the setpoint and no lower than the limit.
3. The signal from the power company needs to be secured from tampering in some way. If the signal is via RF broadcast, it needs some authentication to prevent impersonation by a rogue broadcast.
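The three safeguards listed above, worked through as an added example in Python (not code from the blog or from any commenter): a remote-enable flag that only a local action can change, an asymmetric sanity clamp that applies both a per-command delta and an absolute limit, and an HMAC-authenticated command frame with a sequence counter so a recorded broadcast cannot simply be replayed. The frame layout, shared key, temperature limits and field widths are assumptions for the illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Assumed local limits (hypothetical values for the illustration, degrees F).
MAX_COOL_SETPOINT = 82   # cooling can never be commanded above this
MIN_HEAT_SETPOINT = 62   # heating can never be commanded below this
MAX_DELTA = 4            # largest change from the local setpoint per command
FRAME_LEN = 4 + 1 + 1 + 32   # seq (uint32) + mode + target + HMAC-SHA256 tag


@dataclass
class Thermostat:
    key: bytes                   # shared secret provisioned at install time
    cool_setpoint: int = 76
    heat_setpoint: int = 68
    remote_enabled: bool = True  # local switch; no remote message can change it
    last_seq: int = -1           # highest accepted sequence number (replay guard)

    def set_remote_enabled(self, enabled: bool) -> None:
        """Only reachable from a physical control on the unit."""
        self.remote_enabled = enabled

    def apply_remote_command(self, frame: bytes) -> str:
        """Validate one broadcast frame; return 'ok' or the rejection reason."""
        if not self.remote_enabled:
            return "rejected: remote control disabled locally"
        if len(frame) != FRAME_LEN:
            return "rejected: malformed frame"
        body, tag = frame[:6], frame[6:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return "rejected: bad authentication tag"
        seq, mode, target = struct.unpack(">IBB", body)
        if seq <= self.last_seq:
            return "rejected: replayed or stale sequence number"
        if mode == 0:    # cooling: only raised, by at most MAX_DELTA, up to the ceiling
            ceiling = min(self.cool_setpoint + MAX_DELTA, MAX_COOL_SETPOINT)
            if not self.cool_setpoint <= target <= ceiling:
                return "rejected: cooling target outside sanity limits"
            self.cool_setpoint = target
        elif mode == 1:  # heating: only lowered, by at most MAX_DELTA, down to the floor
            floor = max(self.heat_setpoint - MAX_DELTA, MIN_HEAT_SETPOINT)
            if not floor <= target <= self.heat_setpoint:
                return "rejected: heating target outside sanity limits"
            self.heat_setpoint = target
        else:
            return "rejected: unknown mode"
        self.last_seq = seq
        return "ok"


def build_frame(key: bytes, seq: int, mode: int, target: int) -> bytes:
    """What the utility's transmitter would send: body followed by its HMAC tag."""
    body = struct.pack(">IBB", seq, mode, target)
    return body + hmac.new(key, body, hashlib.sha256).digest()
```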
"State controlled thermostats -- freaking commies!"
State controlled thermostats -- freaking fascists!
Our local electric company used to do this with our water heater and we got a credit on our bill. They would turn off the heater at the time of peak power use and we could hear the relay when it was activated. We never noticed any problem with the hot water supply. They stopped doing this some years ago but now they want to do the same thing with central air conditioners. We haven't decided whether to go along with it or not.
Peak power use here (Ontario) is roughly 6 to 8 p.m. and the numbers are available online.
It does exist in a lot of countries. Here (Hungary) for example, electric heating (quite rare here actually) and hot water generation above a certain power limit may only be installed in such a way that the power company controls it, via signals sent on the power line itself. It is only switched on during non-peak times. It is metered separately, and costs less than half of the non-controlled electricity.
The control signals can probably be hacked (it is using digital coding over a low (audible) frequency). However, the incentive for hacking is pretty low, as generally there is no problem with using off-peak electricity for this purpose, and practically nothing is gained by having the controller on. And the power companies are now pretty smart in discovering illegal use.
It should be mentioned at least once that the idea has merit. Supplying peak demand comes at immense cost and is hugely wasteful. Regular base load power plants take hours to adjust their supply. Smaller gas generators can respond in minutes. Instantaneous demand is usually covered using pumped storage, see http://en.wikipedia.org/wiki/... which has an efficiency of about 80%, i.e., 20% of the produced energy is wasted.
Leveling peak loads becomes even more of a problem when you factor in wind and solar power, both of which can change fast and have to be compensated for.
If demand can be controlled, then a lot of waste and overcapacity (such as "warm" power plants) can be reduced.
Meanwhile in my country, instead of power companies demanding the right to hijack my usage of their product, the government gives a large tax concession to subsidise the continuous improvement of home insulation systems. Thus reducing power consumption all the time, applying a substantial lag to heating and cooling demand* which helps to smooth out demand spikes, and all in a non-intrusive, voluntary, self-regulating system which doesn't create broadcast electronic attack vectors or risk killing elderly people.
*Although built in an area with quite hot summers, my current home wasn't insulated when we moved in, and on hot days you started to think about switching on the AC by about 9:00 in the morning even if the house was cool at dawn. Now with roof insulation in, if we leave the screened windows open overnight to pre-cool everything then even on a 42°C (108 °F) day we didn't need the AC till about 4 pm. The problem there is badly screened west facing windows; we will be working on those next. Current rate of savings looks like paying for the installation in about 19 months; with the tax break, it will pay for itself in 10 ~ 11 months.
Incidentally, I've just been reading about ice storage AC systems. Apparently they are already being widely installed in industrial premises, and are likely to soon be available for home use.
The idea is as simple as it is ingenious: running your cooling system at night to chill down a big heat sink. (For most purposes, a big tank of water is the best choice.) During the day, a (much lower-powered) fan blows air through the heat sink to cool things down.
There are several advantages over conventional AC. First, you use off-peak electricity, which saves you a lot of money. Second, the reason the power companies charge less for that off-peak power is precisely because it smooths out demand spikes (just as they want to do by hacking your thermostat), thereby greatly increasing their operational efficiency and reducing wastage.
But best of all, the fact that the chilling phase occurs at night, when the "warm side" can dump heat to the cooler night air instead of the heat of the day, means its thermodynamic efficiency is greatly increased, so there is far less power used for the same amount of cooling.
In many industrial or commercial settings it will be a simple process to convert an existing refrigerative conditioner to one which chills a water tank (note, however, that many industrial and commercial systems use evaporative coolers.)
However the system can be much more compact if designed to actually freeze the water instead. The latent heat of fusion of ice is 334 kJ/kg, or the same as the specific heat in warming it by 80°C. Thus a tank of 300 litres (66 gallons) of ice, in being melted and warmed to (say) 20°C, can absorb 35 kWh of heat, easily enough for a day's cooling for most domestic users unless their insulation is lousy. Unless you have a very tiny flat, a 300 litre tank will not be any inconvenience.
If kept indoors, the ice tank also does not need to be especially well insulated; by absorbing ambient indoor heat, it is simply doing its job!
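The 35 kWh figure in the comment above, carried through as an added check (not part of the original comment), taking the specific heat of liquid water as $c = 4.18\ \mathrm{kJ/(kg\,K)}$, the latent heat of fusion as $L_f = 334\ \mathrm{kJ/kg}$, and 300 litres of ice as $m = 300\ \mathrm{kg}$ warmed from $0\,^{\circ}\mathrm{C}$ to $20\,^{\circ}\mathrm{C}$:

$$
Q = m L_f + m c \,\Delta T
  = 300 \times 334 + 300 \times 4.18 \times 20
  = 100{,}200 + 25{,}080
  = 125{,}280\ \mathrm{kJ}
  \approx 34.8\ \mathrm{kWh}
$$

using $1\ \mathrm{kWh} = 3600\ \mathrm{kJ}$. The "same as warming it by 80°C" remark checks out the same way: $L_f / c = 334 / 4.18 \approx 79.9\ \mathrm{K}$.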