UPDATED 06:00 EDT / MARCH 08 2022


APC Smart-UPS vulnerabilities expose millions of businesses to hacking

Researchers at cybersecurity firm Armis Inc. today said they have uncovered three critical vulnerabilities in APC Smart-UPS that could allow attackers to manipulate the power of millions of enterprises.

APS, a division of Schneider Electric, is one of the leading vendors of uninterruptible power supply devices, with more than 20 million units sold worldwide. The devices are commonly used across industries and provide emergency power for mission-critical appliances that have to maintain high availability. A power disruption could cause injuries, business disruption or data loss in some cases.

How a UPS has vulnerabilities and can be hacked is reflects the times: The APC Smart-UPS are internet-connected.

The trio of vulnerabilities has been dubbed “TLStorm” by the Armis researchers. Two of the vulnerabilities involve the transport layer security or TLS connection between the UPS and the Schneider Electric cloud. Devices that support the SmartConnect feature automatically establish a TLS connection upon startup or whenever cloud connections are temporarily lost.

The first vulnerability, known as CVE-2022-22806, allows for a TLS authentication bypass. A state confusion in the TLS handshake leads to an authentication bypass, allowing for remote code execution using a network firmware upgrade. The second, called CVE-2022-22805, is a memory corruption bug in packet reassembly that allows for a TLS buffer overflow.

The final vulnerability is a design flaw in which the firmware updates on affected devices are not cryptographically assigned in a secure manner. CVE-2022-0715 would allow an attacker to craft malicious firmware and install it using various paths, including over the internet, via local area network or even via a USB thumb drive.

That a “smart” device can be hacked is nothing particularly new but there’s a big difference between data corruption and theft and actual physical-world danger. TLStorm allows for the latter. The researchers managed to ignite an APS Smart-UPS in a cloud of smoke by exploiting vulnerabilities over the network, per the picture above and video below.

Attacks with physical real-world consequences are not theoretical and have precedent. In 2014, hackers attacked a German steel mill, infiltrating the mill’s network and tampering with a blast furnace shutdown mechanism. The hackers caused a massive explosion at the mill.

“The purpose of UPS devices — managing high voltage, combined with internet connectivity—makes them a high-value cyber-physical target,” the researchers note.

Patches that fix the vulnerabilities are available from Scheider Electric, but doing upgrades on a UPS, of all things, is likely not high on the agenda for many companies.

Photo: Armis

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy