There are about 2 million of these devices currently deployed, but many more are expected to be added in coming years.
The researchers created a computer worm that could quickly spread among Smart Grid devices, many of which use wireless technology to communicate, according to Travis Goodspeed, an independent security consultant who worked with the team. “It spread from one meter to another and then it changed the text in the LCD screen to say ‘pwned’,” he said. Pwned is hacker-speak meaning “taken over.”
In the hands of a malicious hacker, this code could be used to cut power to Smart Grid devices that use a feature called “remote disconnect,” which allows power companies to cut a customer’s power via the network.
Oh, great. Computer security types have been telling reporters for decades that there’s no way to mess with the power grid by hacking stuff over networks because they’re all properly walled off, and now the power companies have figured out how to make it easy. (And in the hands of a malicious hacker this could not only hurt individual customers, it could also cause trouble for the grid itself — imagine a few gigawatts of demand suddenly disappearing, then reappearing a minute later, then disappearing again and so forth until something broke.)
The “psyb0t” worm is believed to be the first piece of malware to target home networking gear, according to researchers from DroneBL, which bills itself as a real-time monitor of abusable internet addresses. It has already infiltrated an estimated 100,000 hosts. It has been used to carry out DDoS, or distributed denial of service, attacks and is also believed to use deep-packet inspection to harvest user names and passwords.
“This technique is one to be extremely concerned about because most end users will not know their network has been hacked, or that their router is exploited,” the DroneBL researchers wrote here. “This means that in the future, this could be an attack vector for the theft of personally identifying information. This technique is not going away.”
Vulnerable devices include any home router or modem that uses Linux Mipsel, has an administration interface, sshd, or telnet in a DMZ, and employs a weak password. Once the malware takes hold, it locks legitimate users out of the device by blocking telnet, sshd, and web access. It then makes the devices part of a botnet.
Done “right”, this could create an entire alternate internet. Anyone whose routers were owned would get a different version of DNS, and all of their surfing could go to cracker-controlled versions of their favorite sites. Or just through cracker-controlled proxies. Whee.