Widely used UPS devices can be hijacked and destroyed remotely
Three vulnerabilities in ubiquitous APC Smart-UPS devices could allow remote attackers to use them as an attack vector, disable or completely destroy them, Armis researchers have discovered.
"The latest APC Smart-UPS models are controlled through a Cloud connection. Armis researchers found that an attacker exploiting the TLStorm vulnerabilities could remotely take over devices via the Internet without any user interaction or signs of attack. As a result, attackers can perform a remote-code execution attack on a device, which in turn could be used to alter the operations of the UPS to physically damage the device itself or other assets connected to it," the researchers noted.
"This can allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network from which additional attacks can be carried."
What's more, a malicious firmware update may also allow attackers to tamper with the UPS CPU responsible for converting the DC coming out of the battery into the AC that the UPS supplies on its output, and cause it to heat up the internal circuitry until it's fried, effectively destroying the UPS. The attackers could also change the output that the UPS delivers to the devices relying on its power.
"UPS devices, like many other digital infrastructure appliances, are often installed and forgotten. Since these devices are connected to the same internal networks as the core business systems, exploitation attempts can have severe implications," the researchers added.
Barak Hadad, Head of Research at Armis, told Help Net Security that because a firmware upgrade requires some downtime on some of the models, Schneider Electric/APC cannot risk pushing patches or updates to connected devices without the customers' say-so, so customers should apply the patches themselves.
News URL
https://www.helpnetsecurity.com/2022/03/08/ups-devices-vulnerabilities/