Schneider Electric patched three vulnerabilities in its popular APC Smart-UPS line of power backup systems that could allow attackers to control if or how energy flows or overheat the UPS to dangerous levels.
Armis discovered the vulnerabilities and named the set “TLStorm.” It also released a video demonstrating how modified firmware can be used to turn the power on and off, remotely alter the waveform and voltage of the electricity being supplied, and overheat the unit to the point where the UPS emits smoke.
APC Smart-UPS is a widespread brand, encompassing everything from backups for PLC systems and medical devices to consumer-grade backups. The Schneider Electric website claims to have sold 20 million devices in the product line. The vulnerabilities lie in the TLS implementation used by cloud-connected Smart-UPS and unsigned and unauthenticated firmware.
Smart-UPS devices of different ages are subject to different vulnerabilities. Newer devices supporting the “SmartConnect” feature have two flaws in the TLS handshake: a buffer overflow and an authentication bypass, the latter of which allows the installation of malicious firmware. Older devices, using Schneider’s NMC (Network Management Card), are subject to an unsigned malicious firmware update delivered over the local network.
A waveform like a square wave is not something that devices expect to receive from the power socket. And that can slowly make devices break or behave in a weird way over time. That’s a slow attack. But attackers could just turn stuff on and off or destroy the UPS.
Schneider has released patches for affected devices. Enterprises with NMC-equipped backups can add a further layer of security by protecting the connection to the UPS with an SSL certificate. Taken together, the vulnerabilities give attackers several different options for sabotaging their victims.