UPDATED 06:00 EDT / MARCH 08 2022

SECURITY

APC Smart-UPS vulnerabilities expose millions of businesses to hacking

Researchers at cybersecurity firm Armis Inc. today said they have uncovered three critical vulnerabilities in APC Smart-UPS that could allow attackers to manipulate the power of millions of enterprises.

APC, a division of Schneider Electric, is one of the leading vendors of uninterruptible power supply devices, with more than 20 million units sold worldwide. The devices are commonly used across industries and provide emergency power for mission-critical appliances that have to maintain high availability. A power disruption could cause injuries, business disruption or data loss in some cases.

That a UPS has vulnerabilities and can be hacked reflects the times: The APC Smart-UPS devices are internet-connected.

The trio of vulnerabilities has been dubbed “TLStorm” by the Armis researchers. Two of the vulnerabilities involve the Transport Layer Security, or TLS, connection between the UPS and the Schneider Electric cloud. Devices that support the SmartConnect feature automatically establish a TLS connection upon startup or whenever cloud connections are temporarily lost.

The first vulnerability, known as CVE-2022-22806, allows for a TLS authentication bypass. A state confusion in the TLS handshake leads to an authentication bypass, allowing for remote code execution using a network firmware upgrade. The second, called CVE-2022-22805, is a memory corruption bug in packet reassembly that allows for a TLS buffer overflow.

The final vulnerability is a design flaw in which the firmware updates on affected devices are not cryptographically signed in a secure manner. CVE-2022-0715 would allow an attacker to craft malicious firmware and install it using various paths, including over the internet, via local area network or even via a USB thumb drive.

That a “smart” device can be hacked is nothing particularly new, but there’s a big difference between data corruption and theft and actual physical-world danger. TLStorm allows for the latter. The researchers managed to ignite an APC Smart-UPS in a cloud of smoke by exploiting vulnerabilities over the network, per the picture above and video below.

Attacks with physical real-world consequences are not theoretical and have precedent. In 2014, hackers attacked a German steel mill, infiltrating the mill’s network and tampering with a blast furnace shutdown mechanism. The hackers caused a massive explosion at the mill.

“The purpose of UPS devices — managing high voltage, combined with internet connectivity — makes them a high-value cyber-physical target,” the researchers note.

Patches that fix the vulnerabilities are available from Schneider Electric, but doing upgrades on a UPS, of all things, is likely not high on the agenda for many companies.

Photo: Armis
