Analysis: we're moving to a world where more and more of our home appliances are connected to the internet and and thus more hackable

By Iain Nash, Queen Mary University of London

Smart home devices are becoming more and more common in people’s homes. We can now connect our radios, security systems, televisions, cookers, immersions and central heaters to the internet, allowing us to control them remotely. When buying a smart device, there are some things that you should be aware of to protect you and your data - as well as the fact that connecting these devices to the internet means they can potentially be hacked and used in cyber-attacks.

We are not looking at whether an attacker could hack into a power station directly, as happened in Ukraine in 2015. Such a feat is really only possible by nation states and is a scenario taken very seriously by national cybersecurity agencies.

Instead, we are looking at a much softer target. Smart devices are frequently hacked and are known to be an easy target. However, if the worst should happen, and an attacker is able to take control of a network of smart home devices, is there a threat to the power grid? Such a scenario has been explored in academia and has also been the topic of movies and TV shows, but is it a realistic scenario?

We need your consent to load this YouTube contentWe use YouTube to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences

From National Geographic, trailer for American Blackout film about what happens when a cyberattack takes out the power supply

From an attacker’s perspective, one interesting part of the the power grid is that it must always be kept in balance. If there is an unexpected surge in demand for electricity, it must be met immediately with an increase in electrical supply. If the surge is too great and the demand cannot be met, blackouts will occur. Making this more complicated is the fact that the demand on the electrical grid is not static - there are peak times during the day, and there are peak time of the year when excess electrical supply capacity is reduced.

Sudden increased demand for electricity is a regular occurrence on an electrical grid. In the UK, the phenomenon of the TV Pickup has been known and managed for many years. This was a sudden surge in electrical demand caused by people who were watching the same television programme simultaneously boiling their kettle during the ad break, or at the end of the programme. When a pickup occurs, the managers of the electrical grid are able to use fast acting sources of power generation to keep the grid in balance.

So if such an attack is going to succeed, it must be able to deliver a surge of electrical demand which exceeds the supply capacity of the tools available to the network managers at that time.

We need your consent to load this YouTube contentWe use YouTube to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences

From CNET, the 5 most interesting smart home products from CES 2022

To see if smart devices could endanger the grid, we must first look at how much power they consume. Most of them will use either micro USB or USB-C as power supplies, which have a rather limited electrical draw. Electrical usage is measured in watts, and a Micro USB device can draw a maximum of 60 watts power, while USB-C can draw a maximum of 100 watts. This is compared to a typical kettle, heater or air conditioner which would draw around 2,500 watts when being used.

From this, we can see how you would need almost 42 micro USB devices, or 25 USB C Devices, to equal the amount of power consumed by a kettle. There are plans to increase the maximum capacity of USB-C to 240 watts, but that would still mean that it takes almost 11 of these devices to match the power drawn by a kettle.

If you were a super-villain looking to bring down the power grid, it is clear that you should focus on smart home devices which draw large amounts of electricity such as smart kettles, heaters, air-conditioners and tumble dryers, as opposed to ones with USB power supplies. Don’t forget, though, that these devices are already connected to the electrical grid. In order to generate the surge, they all need to be devices which operate normally on ‘low’ power and can then be switched to a higher draw by the attacker. Devices which operate continuously on a steady power draw will not be able to increase demand on the grid, as they are already in balance.

We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences

From RTÉ Radio 1's Morning Ireland, Mark Foley from Eirgrid on the company's plan to deliver 70% renewable energy by 2030

The electrical grid in Ireland is run by EirGrid, who publish an assessment of the grid’s supply capacity. Taking the worse case scenario, an attacker seeking to destabilise the electrical grid would need to compromise around 52,000 smart kettles or equivalent in order to increase demand on the grid by more than it is capable of sustaining. This would equate to about three percent of the households in Ireland having a smart device of sufficient electrical draw that had been compromised.

If the attack was compromised solely of Micro USB devices, the size of the attacking network would have to be almost 2.1 million devices. USB-C devices would require a network of almost 1.3 million devices, while the next generation of USB-C would require ‘only’ around 541,000 devices.

In the UK, the National Grid have forecast an expected generation surplus of about 3,900 megawatts at peak times. Taking this figure as the hurdle which an attacker would need to clear, they would need around 1.5 million smart kettles or equivalent, which would equate to about six percent of UK households having a compromised, high draw smart device. The Micro USB equivalent is 65 million devices, while USB-C is about 39 million, dropping to 16.2 million devices if all were ‘next generation USB-C’.

At the moment, we probably don't need to worry about super-villains using our smart devices to cause blackouts

As with the Irish example, it is not realistic that there is a sufficient pool of such devices available to an attacker today. It is important to remember that other factors such as adverse weather (from the perspective of electricity generation) and power plants being taken offline for maintenance means the actual excess generation capacity present in the system may be lower than is outlined above.

At the moment, we probably don’t need to worry about cyber-attackers or super-villains using our smart devices to cause blackouts. We should be more worried about our smart devices bringing down the internet or spying on us.

However, as we move to a world where more and more of our home appliances are ‘smart’ and are accessible and hackable, we will enter a world where attacks on critical infrastructure will no longer be the preserve of nation states, but also of cyber-criminals. Today though, if you want to cause a blackout, you can always just throw a bike at a substation!

Iain Nash is a PhD student in the Centre for Commercial Law Studies at Queen Mary University of London.


The views expressed here are those of the author and do not represent or reflect the views of RTÉ