Hackers Now Target Internet-Connected UPS Devices

Posting this here because I think there are plenty of people here who are running with a UPS.


Someone that connects a UPS to the internet deserves to have his/her/its house burned down. Dumber than a second coat of paint…


So, how do you suppose they connect that UPS to the Internet? You think that people intentionally put it in front of their routers? Or maybe go out of their way and manually modify the router to open yet another connection to their internal devices?

The author didn’t bother to address what is the route to compromise those devices (so what is the point of that article). My take is that most likely those devices run UPnP to manipulate router settings. At the same time most routers ship with UPnP enabled. Uhm, saying that, did you check your config.yaml for UPnP settings? It does default to enabled, if you didn’t know. So, yeah, our farms are open to potential port 8444 attacks.

I do agree that those devices are designed by companies that have virtually zero relevant expertise (most of those UPSes cannot get the LCD to work properly), and they just buy some low-cost WiFi / Ethernet enabled H/W, where software is just a slap-on part by a hardware engineer, and security is a four-letter word, as it makes things just too complicated for such a company, most likely as the H/W just doesn’t have horsepower to run a proper stack. To make things worse, you buy a new toilet, and it will not flush, unless you connect it and agree to terms (why do I need to connect my TV and agree to terms to watch my cable - Samsung was already sound recording even when TV was in the official “off” mode). When such a box is using WiFi, it is rather impossible to remove those WiFi settings.

I also strongly disagree with - “It should be noted that targeting Internet-connected UPS devices does not necessarily bring benefits to attackers.” This is grossly false. If any device is compromised on the LAN, it will become a platform for internal attacks (password captures, packet sniffing, compromising other boxes).

To make things worse, the corporate agenda is to push all that exactly like you described - end user fault, and lobby to not have strong enough laws to force those companies to address security issues the same way as, for instance, UL certification - you don’t pass, you don’t ship, if you break it, there is a penalty to eventually close your business.
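To check what UPnP has actually opened on a router, the exposure path the post above suspects, the sketch below (an added example, not part of the original thread) parses a port-mapping listing and flags anything that is not on an allow-list. The listing layout is assumed to match what miniupnpc's `upnpc -l` prints; the sample rows, addresses and allow-list are constructed.

```python
import ipaddress
import re

# Constructed sample; layout assumed to match miniupnpc's `upnpc -l` listing.
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8444->192.168.1.20:8444  'farm node' '' 0
 1 UDP 51820->192.168.1.5:51820  'vpn' '' 3600
 2 TCP    80->192.168.1.77:80    'UPS web card' '' 0
 3 TCP 32400->10.9.9.9:32400     'media' '' 0
"""

MAPPING_RE = re.compile(
    r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+'([^']*)'"
)

def parse_mappings(listing):
    """Return one dict per port-mapping row; the header and other lines are skipped."""
    rows = []
    for line in listing.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            proto, ext, host, inner, desc = m.groups()
            rows.append({"proto": proto, "ext_port": int(ext),
                         "host": host, "int_port": int(inner), "desc": desc})
    return rows

def audit(rows, approved, lan="192.168.1.0/24"):
    """Flag mappings that point outside the LAN or are missing from the allow-list."""
    net = ipaddress.ip_network(lan)
    findings = []
    for r in rows:
        key = (r["proto"], r["ext_port"], r["host"])
        if ipaddress.ip_address(r["host"]) not in net:
            findings.append((r, "target outside LAN subnet"))
        elif key not in approved:
            findings.append((r, "not on approved list"))
    return findings

if __name__ == "__main__":
    approved = {("UDP", 51820, "192.168.1.5")}  # hypothetical allow-list
    for row, why in audit(parse_mappings(SAMPLE_LISTING), approved):
        print(f"{row['proto']} {row['ext_port']} -> {row['host']}:{row['int_port']} "
              f"({row['desc']}): {why}")
```

Any mapping the audit reports that nobody deliberately created is a reason to turn UPnP off on the router, or on the device that requested it.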

It sounds like this article is speaking about TLStorm without actually mentioning it. Due to several different security issues, an attacker could trick a UPS into downloading and installing unsigned firmware, allowing them to take over a device.

TLS state confusion allows an attacker to authenticate as Schneider Electric Cloud; [then] an attacker can forge a malicious firmware and install it over the network

So correct, no action required on the part of users or enterprises to get exploited by this. Anyone who plugged their (Schneider Cloud Smart) UPS into the LAN for any reason could be vulnerable to this attack because the devices (while plugged in to the LAN) attempt to communicate with cloud services. The communication between the device and the cloud services is where the exploitation happens.

The CISA link in the article describes the threat of UPS devices with default usernames and passwords connected to the internet but does not speak directly to the Schneider vulnerabilities. Presumably, it would take some effort (port forwarding, WAN addressing) to get a UPS with default credentials exposed directly to the internet.

Devices with default credentials are nothing new, but this is the first I’ve seen a warning about UPS devices specifically. While not a new problem, if it is being actively exploited as of late, attackers probably had huge lists of compromised UPS devices and sat on them until recently, bringing this lingering threat to life.


I think that Netgear routers use serial numbers as the default password. So, there are always ways to make it a bit more secure. Although, after a few years, your router hits EOL, and there will be no more patches for it. Although, it looks like those Schneider / APC UPSes maybe don’t even have the ability to update the F/W.

Great link. Right off the bat they have - “If exploited, these vulnerabilities, dubbed TLStorm, allow for complete remote take-over of Smart-UPS devices and the ability to carry out extreme cyber-physical attacks.”