Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security in UPS Software?

Posted by Cliff on from the keeps-you-up-thru-a-blackout-leaving-crackers-an-open-door dept.

Anonymous Coward asks: "Does anyone have experience with UPS software that has an eye towards security? i want an alternative to APC's 'Powerchute for Linux'. I've just discovered that Powerchute opens multiple ports and there are no options to turn this 'feature' off. What is even worse is that APC Support has announced no plans to address the issue. This means that if your firewall is running Powerchute, you might have security issues. Another example of the lax security: Powerchute requests root priveliges on install and has a certain 3-letter default password that anyone could guess within 5 minutes! Can anyone help with suggestions for alternative software?" Hmmm... I wonder if I accidentally put the default password in the text of this story.

3 of 42 comments (clear)

  1. Belkin UPS boxes *had* a similar problem by alizard · · Score: 2, Interesting
    In the course of writing a review for 8wire about the Belkin Sentry UPS, I discovered that in the UPS software, Belkin Sentry Bulldog that was originally shipped with the machine, the Web control/monitoring interface which was advertised as allowing control from anywhere did not mention it could be controlled by anybody, and the Web control software installed by default.

    The default password access page could easily be bypassed by anyone who knew the directory tree and the IP address of the workstation / UPS.

    This was fixed a few weeks after the article came out for some reason.

    Take a careful look at the software for ANY Web-controlled devices (including routers and toasters) for ugly surprises before running it on your network.

    --
    Tech Public Policy stuff
  2. It's worse by sllort · · Score: 3, Interesting

    Large UPS's are almost always SNMP Rev1 Managed. No security. Add that plus the recent spate of attacks on high-level security providers who use unsecured SNMP...

    Yes, it really is just a f%*kup waiting to happen.

  3. Re:It's not a standard serial cable by Sabriel · · Score: 3, Interesting
    I think they intentionally wired it so that you'd have to buy their cable.
    Correct. While externally identical, APC's cables are proprietary with their own internal wiring and resistance scheme. They are also, of course, hellaciously more expensive than a standard RS232C serial cable.

    It is possible to wire your own cable; depending on your model of UPS and whether your computer asserts DTR on powerup you may not be able to achieve full functionality. Eg, http://www.eng.auburn.edu/users/doug/ups.html

    You may also like to google for "APC" "wiring scheme", as quite a few people have tackled rolling their own cables and code for this problem.