Anatomy of an IoT hack

A lecture by an Internet security company runs through the chilling, hypothetical shut-down of the electrical grid via a domestic, Wi-Fi-connected oven.

With Internet of Things penetration set for a trillion devices by 2025, according to recent McKinsey numbers, our thoughts are, or should be, turning to security.

One question that could be posed is: Just how could a future IoT attack play out? What route could it take?

A security company reckons it has an answer.

'Terror in the kitchen'

One World Labs, a security outfit that specializes in penetration testing, forensics, and security code review, presented a session at San Francisco's RSA Conference in April, where it attempted to address the question.

The scenario that One World Labs conjured up was that by hacking a kitchen oven running Android, it would be able to get access to the appliance owner's entire home, including its connected thermostat, Wi-Fi garage door opener, associated automobile, and—perhaps most troubling—his or her place of work, which for the purposes of this scenario is a grid-connected hydro-electric power station.

The grid

Theoretically, the hackers would then be able to attack the power grid.

Chris Roberts, the presenter, termed the talk: "From the Oven to the Power Station," or alternatively "The Terror in the Kitchen."


The starting point could be an Android-controlled oven running older software, Roberts thinks.

Older Android software, such as version 4.0.3, is "susceptible to multiple forms of attack," Roberts says in his presentation (PDF). Rooting and then installing apps onto the oven by hacking the user while he's on a public hotspot is the premise of the attack.

The target

Roberts's hopefully imaginary victim is a 15-year power plant veteran. The engineer has a penchant for coffee and likes to frequent a coffee shop near the power plant. That's where he logs on and manages his evening roast via a suitably geeky IoT-connected oven.

Roberts says that the stooge in this case could be marked by scouring social networks, professional discussion forums, and so on; the oven is discovered because the individual posts geo-located pictures of it online.


The hacking team knows that the target likes a particular coffee shop in part through social network geo-mapping.

The mark's failure to use disparate online passwords rounds out the perfect storm—stolen passwords can be found on the Internet. IRC channels can be used for this.

Theater of operations

Once the team has profiled their prey, the scenario sets about penetrating the house.

The key to this element is the fact that the oven is on the home's Wi-Fi network. Roberts's team is able to use a widely available network tool that identifies which devices are on a particular network.

Roberts goes into more detail about all of the tools used, such as emulators, in the lecture's PowerPoint.

The team identifies a thermostat, some home automation switches, and a PC, which includes the energy company's passwords and backed-up USB drives, Roberts says.

The attack vector

The power plant engineer's NAS network drive is full of company backups—FTP in that case is open, allowing the perps to "extract all the content."

The connected thermostat's GUI is then used for its eco-smart grid server access—whereupon the baddies hypothetically attack the power provider's network with its 30 dams and 15,000-or-so miles of electrical lines.

And all that via the oven. Roberts doesn't say what happens to the roast.
