CISA warns of attacks against internet-connected UPS devices

Hackers have begun to attack internet-connected universal power supply devices, targeting their control interfaces via multiple remote code execution vulnerabilities and, in some cases, unchanged default usernames and passwords, according to an advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued on Tuesday.

UPS devices, in recent years, have received IoT upgrades, according to CISA – the idea being to allow users to control them remotely via the internet. However, like many other IoT devices, some UPSs have serious flaws in their security and authentication systems, which attackers have exploited to gain illicit access to them.

CISA’s major piece of guidance in the advisory is to immediately take inventory of all UPS devices in use at a given organization, and disconnect them from the internet completely, if at all possible. If they must remain connected to the internet, the agency urged that several steps be taken to mitigate possible compromises, including placing the vulnerable devices behind a VPN, enforcing multifactor authentication, and auditing usernames and passwords to ensure that they’re not still factory-default or otherwise easily guessed or cracked.

The UPS exploits were first discovered by security firm Armis earlier this month. Several software vulnerabilities, according to Armis, affect UPS devices made by Schneider Electric-owned APC, a UPS market leader. The key vulnerabilities were found in a feature on newer APC devices called SmartConnect, which connects devices to the network and lets operators issue firmware updates and monitor and control them via a web portal.

Two of the main vulnerabilities involve flaws in SmartConnect’s TLS implementation – the first is a buffer overflow memory issue, and the second is a problem with the way SmartConnect’s TLS handshake works. A third vulnerability stems from a lack of cryptographic signature verification on firmware deployed to the affected devices. All three of these vulnerabilities, the researchers said, can be exploited remotely to upload maliciously crafted firmware, without any user interaction, and compromised UPS devices could be used to simply shut down power to any system to which they’re connected. Other vectors like USB sticks or LAN access could also be used to compromise vulnerable UPS systems, according to the Armis team.

Patches are available for some affected devices, but not all. Like CISA, Schneider Electric has released its own advisory documents, which offer the same advice to disconnect all potentially affected devices from the internet until they can be fully patched.