Since the NSA’s infamous Stuxnet malware started exploding Iranian centrifuges, hacker attacks that disrupt big, physical systems have moved out of the realm of Die Hard sequels and into reality. As those attacks evolve, the cybersecurity community has started to move beyond the question of whether hacks can impact physical infrastructure, to the more chilling question of exactly what those attacks might accomplish. Judging by one proof-of-concept demonstration, they could come in far more insidious forms than defenders expect.

In a talk at the Black Hat security conference Thursday, Honeywell security researcher Marina Krotofil showed one example of an attack on industrial systems meant to drive home just how surreptitious the hacking of so-called cyberphysical systems—physical systems that can be manipulated by digital means—might be. With a laptop connected to a $50,000, 610-pound industrial pump, she showed how a hacker could leverage a hidden, highly destructive weapon on that massive machine: bubbles.

Midway through her talk, Krotofil pointed to a Flowserve pump system, roughly the size of a big rig truck's engine, in front of the crowd. To that point, it had loudly cycled water through a series of transparent pipes. Then she cued a “hacker” in a black hoodie on stage, who typed a command that sent a thick flow of bubbles through those pipes. A sensor on the pump registered that it was subtly vibrating, reducing its efficiency and, Krotofil said, slowly damaging it. In a matter of hours, she said, the bubbles would start to wear pits in the pump's metal surfaces, and in days would wear down the “impellers” that push water through it, until it’s rendered useless.

“Bubbles can be evil,” she said. “These bubbles are my attack payload. And I deliver them through the physics of the process.”

Importantly, Krotofil's hacker had delivered the evil bubbles without having any access to the pump component of her rig. Instead, he had only adjusted a valve further upstream to decrease the pressure in a certain chamber, which caused bubbles to form. When those bubbles strike the pump, they implode and, in a process called “cavitation,” turn back into a liquid, transferring their energy to the pump. “They collapse at very high velocity and high frequency, which creates massive shockwaves,” Krotofil explained.

Krotofil's demo rig, a Flowserve industrial pump. Uli Ries

That means a hacker would be able to quietly and steadily cause damage to the pump, despite obtaining only indirect access to it. But Krotofil's attack doesn't merely warn about the specific danger of hacker-induced bubbles. Instead, it's meant as a more general harbinger, illustrating that in the coming world of cyberphysical hacking, attackers can use physics to cause chain reactions, inducing mayhem even in parts of a system that they haven’t directly breached.

“She can use a less critical piece to control that critical piece of the system,” says Jason Larsen, a researcher with security consultancy IOActive who worked with Krotofil on some parts of her research. “If you look at just the data flows, you’re going to miss a bunch of attack vectors. There are also these physical flows that go between parts of the system.”