TENERIFE, Spain—There are many ways we know of to cause a blackout. You could hack industrial equipment to spin a generator out of control. You could hijack operator machines and remotely open breakers. Or you could launch a sniper assault on substations and shoot out transformers.

Now researchers have found another way to take down the power grid: by remotely manipulating home and office air conditioners to create a surge. It's an attack that grid experts told WIRED has the potential to be very serious.

The hack targets remote shut-off devices that utility companies install on air conditioners to conserve energy during peak summer periods. Many power companies offer discounts to customers if they agree to install the devices, which let the utility company remotely turn off their air conditioner when it's hot outside and demand for power is high.

The devices, which can be installed on both central air conditioning systems as well as window-installed units, can be easily manipulated by hackers, say Vasilios Hioureas of Kaspersky Lab and Thomas Kinsey of Exigent Systems, who conducted their research as part of the Securing Smart Cities initiative. The two presented their findings today at the Kaspersky Security Analyst Summit.

The way the system works is that operators at regional power centers send a command via radio frequency that gets amplified through repeater stations installed throughout a city to reach the devices and shut down air conditioners. But because the systems Hioureas and Kinsey examined don't encrypt that communication and don't use authentication to prevent unauthorized parties or systems from communicating with them, anyone in the vicinity who can emit a stronger signal than the one the utility company sends out through the repeater stations can manipulate the devices as well.

"Anyone with $50 can generate a signal that can trump a repeater [to take out a few air conditioners]; and anyone with $150 can generate that through an [amplifier] and presumably take out a whole neighborhood," says Kinsey. "And obviously you can scale that up as much as you want to [depending on the strength of your signal]."

A hacker could cut air conditioners during a heatwave—creating a potentially fatal condition for the elderly and sick—or turn air conditioners on during peak energy periods, causing a surge that creates a widespread blackout. Or a hacker could directly attack a group of specific homes or offices by taking advantage of the fact that unique IDs are assigned to groups of devices, allowing them to be singled out.

According to another researcher, the hack could be even worse. If an attacker were to turn the air conditioners on and off repeatedly, they could create disturbances and imbalances in the grid that could trip breakers beyond the neighborhood they're targeting and cause an even more widespread blackout.

"This is bad, and that's why we need better security so that we don't have the ability to manipulate the load," says Eric Johansson, founder of Management Doctors, a security firm in Sweden that specializes in SCADA. "You shouldn't be able to do this."

The attack against the devices requires little skill. All a hacker would need is to be on the same radio frequency as the utility company, and then they could monitor and record the commands the company sends to the devices (a technique known as sniffing). From there, they could just play back those recorded commands to other devices to get them to turn on or off (a so-called "replay" attack).
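To make concrete why an unencrypted, unauthenticated command channel is replayable and what a fix looks like, here is an added simulation (not code from the researchers or any vendor). The frame format, group IDs, command codes and key are all constructed for the example. A legacy receiver acts on any well-formed frame addressed to its group; a hardened receiver additionally requires a monotonically increasing counter and an HMAC tag under a key shared with the utility, so a captured frame played back later is rejected.

```python
import hmac
import hashlib
import struct

# Command codes for the toy load-control protocol (constructed for this example).
CMD_OFF = 0
CMD_ON = 1


class LegacyReceiver:
    """Models a receiver like those described in the article: it acts on any
    well-formed frame addressed to its group, with no authentication and no
    replay protection."""

    def __init__(self, group_id):
        self.group_id = group_id
        self.running = True

    def handle(self, frame):
        if len(frame) != 3:
            return False
        group, cmd = struct.unpack(">HB", frame)
        if group != self.group_id:
            return False
        self.running = (cmd == CMD_ON)
        return True


def legacy_frame(group_id, cmd):
    # Frame layout (hypothetical): 16-bit group id, 8-bit command.
    return struct.pack(">HB", group_id, cmd)


class AuthenticatedReceiver:
    """Same function, but each frame carries a 32-bit counter and a 16-byte
    HMAC-SHA256 tag over (group, cmd, counter). Forged frames fail the tag
    check; replayed frames fail the counter check."""

    def __init__(self, group_id, key):
        self.group_id = group_id
        self.key = key
        self.running = True
        self.last_counter = -1  # must survive power cycles in a real device

    def handle(self, frame):
        if len(frame) != 7 + 16:
            return False
        body, tag = frame[:7], frame[7:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return False
        group, cmd, counter = struct.unpack(">HBI", body)
        if group != self.group_id or counter <= self.last_counter:
            return False
        self.last_counter = counter
        self.running = (cmd == CMD_ON)
        return True


def authenticated_frame(key, group_id, cmd, counter):
    body = struct.pack(">HBI", group_id, cmd, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:16]
    return body + tag


def demo():
    """Replay a captured shut-off frame against both receiver designs.
    Returns (legacy_acted_on_replay, hardened_acted_on_replay,
             legacy_running_after, hardened_running_after)."""
    key = b"constructed-demo-key-not-a-real-secret"
    group = 0x0042
    legacy = LegacyReceiver(group)
    hardened = AuthenticatedReceiver(group, key)

    # Utility sends a legitimate OFF during peak demand, then ON afterwards.
    captured_off = legacy_frame(group, CMD_OFF)
    legacy.handle(captured_off)
    legacy.handle(legacy_frame(group, CMD_ON))

    # Playing the captured OFF frame back is indistinguishable from the real one.
    legacy_replayed = legacy.handle(captured_off)

    captured_off_auth = authenticated_frame(key, group, CMD_OFF, counter=1)
    hardened.handle(captured_off_auth)
    hardened.handle(authenticated_frame(key, group, CMD_ON, counter=2))

    # Same replay against the hardened receiver: the tag is valid, but the
    # counter is stale, so the frame is dropped and the unit keeps running.
    hardened_replayed = hardened.handle(captured_off_auth)
    return legacy_replayed, hardened_replayed, legacy.running, hardened.running


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```

The counter is what defeats replay; the tag alone only defeats forgery. Both need a per-group or per-device key and a small amount of non-volatile storage for the last counter value, which is exactly the kind of capability the researchers doubt a mid-1990s receiver chip can provide.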

"This is the funny part, to show how ridiculously insecure it really is, you don't have to even know anything or reverse-engineer anything and you can reproduce the result [by doing a replay attack]," says Hioureas.

An attacker could also simply jam the RF traffic with noise to prevent the power company from communicating with the devices to turn air conditioners on or off, simply preventing them from shutting down the devices during peak hours.

The two researchers wouldn't identify the devices they examined since they're still in the process of reaching out to vendors. But Kinsey says that the chips used in some of them are so outdated and limited—one system they examined used a chip made in 1995—that even if the vendors wanted to add authentication to make the devices more secure he doubts they could do it.

"It doesn't look like there's room [to add authentication]...it looks like the hardware is not capable of doing something like that," he says.