Endpoint/Device Security, Network Security, ICS/SCADA

Patched vulnerability in widely used UPS devices allows attackers to control power backup system

Schneider Electric patched three vulnerabilities in its popular APC Smart-UPS line of power backup systems that could allow attackers to control if or how energy flows, or overheat the UPS to dangerous levels.

Armis, who discovered the vulnerabilities, released a video demonstrating how to use modified firmware to turn the power on and off, remotely alter the waveform of and voltage of the electricity being supplied and overheat it to the point the UPS emits smoke.

APC Smart-UPS is a widespread brand, encompassing everything from backups for PLC systems and medical devices to consumer-grade backups. The Schneider Electric website claims to have sold 20 million devices in the product line.

"We've checked with our clients and we see these devices are used by over 50% of our clients," said Barak Hadad, head of research at Armis.

The vulnerabilities lie in the TLS implementation used by cloud-connected Smart-UPS and unsigned and unauthenticated firmware. Armis has dubbed the trio of vulnerabilities "TLStorm."

Different Smart-UPS devices of different ages are subject to different vulnerabilities. Newer devices supporting the "SmartConnect" feature have both a TLS buffer overflow or TLS authentication bypass vulnerability in the handshake protocol, the latter of which allows the installation of malicious firmware. Older devices, using Schneider's NMC (Network Management Card), are subject to an unsigned malicious firmware update over a local network.

Armis will present their research at BlackHat Asia.

Schneider has released patches for affected devices. Enterprises with NMC backups could add an additional layer of security by guarding the connection with the UPS with an SSL certificate.

The set of vulnerabilities offers attackers different options in how to sabotage their victims.

"A waveform like a square wave is not something that devices expect to receive from the power socket. And that can slowly make devices break or behave in a weird way over time. That's a slow attack. But attackers could just turn stuff on and off or destroy the UPS," said Hadad.

"Usually these devices are connected to mission-critical devices. This is very severe," he said.

Enterprises often let connected UPS systems slip under the radar for network security, said Hadad, leading to a gap in visibility. But, he said, abnormal traffic would be obvious to anyone who was looking for it.

"If you want to issue a firmware upgrade, that's going to be a lot of data coming in and out of the UPS," he said.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.