Hackers Now Target Internet-Connected UPS Devices

APC
(Image credit: APC)

The Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday warned U.S. organizations that hackers are now targeting Internet-connected uninterruptable power supply (UPS) devices. Such attacks can literally fry PCs, or at least their power supplies, but the more dangerous outcome is that they can cause fires in datacenters, homes, and offices.

There are many different UPS offerings these days that connect to the internet to enable remote management, maintenance, and monitoring. But while these capabilities are designed to make UPS for datacenters, industrial facilities, hospitals, offices, and homes more reliable, internet connectivity also makes them a target for hackers according to CISA, reports BleepingComputer.

"The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords," a statement by CISA reads. "Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by removing management interfaces from the internet."

In a bid to avoid attacks on mission critical machines, CISA recommends organizations ensure that their UPS are not reachable via the internet. Since this is sometimes impossible to do, CISA also recommends using strong passwords or passphrases, enabling multifactor authentication where available, implementing login timeout/lockout policies, and hiding any UPS devices behind virtual private networks. Obviously, default or weak passwords should not be used.

Perhaps the biggest problem is that UPS devices are, like other internet-connected devices, fundamentally vulnerable. For example, UPS solutions from APC suffered from a zero-day exposure called TLStorm that can be used remotely by unauthenticated perpetrators.

It should be noted that targeting Internet-connected UPS devices does not necessarily bring benefits to attackers. Uninterruptible power supplies do not host mission critical or financial data, so there is nothing to steal. But downing crucial datacenters or mission critical servers poses dangers to businesses or even states, which is why protecting UPS devices from cyberattacks is important.

Anton Shilov
Contributing Writer

Anton Shilov is a contributing writer at Tom’s Hardware. Over the past couple of decades, he has covered everything from CPUs and GPUs to supercomputers and from modern process technologies and latest fab tools to high-tech industry trends.

  • InvalidError
    IMO, all such infrastructure should be hidden behind an SSH gateway so people without an SSL authentication certificate for the server can't get in.
    Reply
  • Bob/Paul
    Such attacks can literally fry PCs, or at least their power supplies, but the more dangerous outcome is that they can cause fires in datacenters, homes, and offices.

    Absolute BS. You can do things like adjust the time between loss of power and when the connected computer is told to shut down, adjust the limits that cause it to switch to battery, etc. You might even be able to remotely turn on the power. But there's nothing adjustable that can result in fire. Such a product would never pass UL testing.
    Reply
  • InvalidError
    Bob/Paul said:
    But there's nothing adjustable that can result in fire. Such a product would never pass UL testing.
    I wouldn't be so sure about that. UL certification doesn't test cyber-security, only the products as-is. If the product has flaws that enable an attacker to overwrite the firmware, then whatever safeguards may have been in the original firmware can potentially be altered or removed. I could imagine compromised firmware setting BMS limits beyond what the battery pack is rated for and potentially creating a fire that way.

    I had a CyberPower UPS from 4-5 years ago that silently cooked its battery. Still reported 24V battery voltage even though the battery pack had only 18V open-circuit voltage. Didn't even detect the fact that I had pulled the battery out and the UPS was still reporting 24V battery voltage despite the UPS battery terminals being at 28V open-circuit. The battery pack was around 60C when I pulled it out. Looks like CyberPower decided to default to "everything is fine" when whatever it has for BMS cannot make sense of what is happening to the battery.
    Reply
  • LikeToAccess
    Bob/Paul said:
    Absolute BS. You can do things like adjust the time between loss of power and when the connected computer is told to shut down, adjust the limits that cause it to switch to battery, etc. You might even be able to remotely turn on the power. But there's nothing adjustable that can result in fire. Such a product would never pass UL testing.
    Clearly you've never watched Mr. Robot, you'd be surprised what a mildly upset Rami Malek can do to a data center of UPS's! 🤔
    Reply
  • cryoburner
    Bob/Paul said:
    Absolute BS. You can do things like adjust the time between loss of power and when the connected computer is told to shut down, adjust the limits that cause it to switch to battery, etc. You might even be able to remotely turn on the power. But there's nothing adjustable that can result in fire. Such a product would never pass UL testing.
    Yeah, the fire thing seems fairly unlikely. In general, I think the UPS isn't going to have much control beyond switching the power on and off. I would think things like maximum battery-charging limits would be controlled by non-modifiable hardware. I guess maybe rapidly switching the power on and off could potentially cause damage to some hardware though.

    The most likely scenario is that they would just force-shutdown the hardware connected to the UPS to disrupt service, and maybe prevent it from starting back up again, at least until the victim figures out that the UPS is at fault. If an organization did that on a wide scale all at once, they could significantly disrupt services.

    I suppose there could potentially be ways for modified firmware to directly target a computer connected via USB though. That could potential allow the compromised UPS to steal data from the system, or install additional malware.
    Reply
  • InvalidError
    cryoburner said:
    I would think things like maximum battery-charging limits would be controlled by non-modifiable hardware.
    Most battery management modules are just micro-controllers running field-upgradable firmware these days. All a BMS would need to do to potentially ruin your day is never report any anomaly or do anything during an over-voltage condition.
    Reply
  • This is why we can’t have everything connected to the internet. Just not worth it
    Reply