Hackers Now Target Internet-Connected UPS Devices

Such attacks can literally fry PCs, or at least their power supplies, but the more dangerous outcome is that they can cause fires in datacenters, homes, and offices.

Absolute BS. You can do things like adjust the time between loss of power and when the connected computer is told to shut down, adjust the limits that cause it to switch to battery, etc. You might even be able to remotely turn on the power. But there's nothing adjustable that can result in fire. Such a product would never pass UL testing.
 
> But there's nothing adjustable that can result in fire. Such a product would never pass UL testing.
I wouldn't be so sure about that. UL certification doesn't test cyber-security, only the products as-is. If the product has flaws that enable an attacker to overwrite the firmware, then whatever safeguards may have been in the original firmware can potentially be altered or removed. I could imagine compromised firmware setting BMS limits beyond what the battery pack is rated for and potentially creating a fire that way.

I had a CyberPower UPS from 4-5 years ago that silently cooked its battery. Still reported 24V battery voltage even though the battery pack had only 18V open-circuit voltage. Didn't even detect the fact that I had pulled the battery out and the UPS was still reporting 24V battery voltage despite the UPS battery terminals being at 28V open-circuit. The battery pack was around 60C when I pulled it out. Looks like CyberPower decided to default to "everything is fine" when whatever it has for BMS cannot make sense of what is happening to the battery.
 
> Absolute BS. You can do things like adjust the time between loss of power and when the connected computer is told to shut down, adjust the limits that cause it to switch to battery, etc. You might even be able to remotely turn on the power. But there's nothing adjustable that can result in fire. Such a product would never pass UL testing.
Clearly you've never watched Mr. Robot, you'd be surprised what a mildly upset Rami Malek can do to a data center of UPSes! 🤔
 
> Absolute BS. You can do things like adjust the time between loss of power and when the connected computer is told to shut down, adjust the limits that cause it to switch to battery, etc. You might even be able to remotely turn on the power. But there's nothing adjustable that can result in fire. Such a product would never pass UL testing.
Yeah, the fire thing seems fairly unlikely. In general, I think the UPS isn't going to have much control beyond switching the power on and off. I would think things like maximum battery-charging limits would be controlled by non-modifiable hardware. I guess maybe rapidly switching the power on and off could potentially cause damage to some hardware though.

The most likely scenario is that they would just force-shutdown the hardware connected to the UPS to disrupt service, and maybe prevent it from starting back up again, at least until the victim figures out that the UPS is at fault. If an organization did that on a wide scale all at once, they could significantly disrupt services.

I suppose there could potentially be ways for modified firmware to directly target a computer connected via USB though. That could potentially allow the compromised UPS to steal data from the system, or install additional malware.
 
> I would think things like maximum battery-charging limits would be controlled by non-modifiable hardware.
Most battery management modules are just micro-controllers running field-upgradable firmware these days. All a BMS would need to do to potentially ruin your day is never report any anomaly or do anything during an over-voltage condition.
 
This is why we can’t have everything connected to the internet. Just not worth it.