APC UPS Critical Zero Day TLStorm - PATCH NOW

As long as you don’t run SmartConnect software you are safe.
SmartConnect software is Windows only. So you are safe if you only run Linux.


Don’t connect your UPS to a cloud, connect them to a local network with no access to the internet, preferably in a management LAN. If the devices in the management LAN need access to the internet, then move the UPS and thermal probes and whatnot to a LAN with no access to the internet, like “IoT LAN.” Putting UPSes, IP cameras, DVRs, NVRs and especially security access controllers on the internet is the dumbest thing people can do. And I’ve seen all of them happen a lot.

Just don’t connect it to the internet. I prefer APC and Eaton over other brands. I have used Ablerex in the past, their documentation was a bit meh, but their UPSes lasted 20 years I think (or close to that), just swapped batteries every few years. I don’t think I can recommend other brands. But if any of these would make it a requirement to connect to the cloud, I would not be buying from them anymore (at least not the cloud-mandated models).


The first I’ve seen that wasn’t exploiting a hardware issue (or a printer).

I do not use an APC. With Windows as the primary OS, I have to reset them about 4 hrs! Once a week for Android, 3 weeks for Apple, and Yearly for Linux! My server remains OFF unless I hit the Raspberry Pi, and it starts in 20 seconds! But I am moving, and 11 computers are in storage. But I am moving to older parts and the power is on poles!

I personally prefer APC, luckily none of my power backups are on this list. At least APC told their customers when the problem was found, instead of trying to sweep it under the rug.

Vulnerabilities can happen to anything at anytime from any company. You just have to be ready to act if something is affecting your equipment no matter who made it.


Thank you.


Vibes


Right on.

So I use the APC UPSes connected to my PC using USB with their PowerChute software. Am I affected?

Check the linked whitepaper to see if your particular model number is among the affected versions. If it is, I would think about updating the UPS as they suggest in the security notification.

Here is the link to the PDF notification through the American side of APC: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-067-02_Smart-UPS_Security_Notification_EN.pdf&p_Doc_Ref=SEVD-2022-067-02

Here is a link to the root security information page for Schneider Electric (the people who make APC power supplies).

Always double-check that the pages people are linking are the actual pages for your device before trusting random downloads.


Haven’t used PowerChute in years, so unfamiliar with the current versions and whether they connect to the cloud.

The older versions did not, they simply stayed within the local network.

The security flaw is with a different software product and involves connection with APC cloud servers.

Probably and likely you are not affected.

What scares me with this is that one of the articles I read said one of the CVEs also applied to the expensive add-in NMC cards and the software they run.

But I can’t get an answer if they are going to release a patch for the NMCs or not. NMC2 went end of support in Nov 2021.

Guess which is the most common model I have…