Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

5/19/2008
09:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Permanent Denial-of-Service Attack Sabotages Hardware

Researcher to demonstrate a permanent denial-of-service (PDOS) attack that remotely wipes out hardware via flash firmware updates

You don’t have to take an ax to a piece of hardware to perform a so-called permanent denial-of-service (PDOS) attack. A researcher this week will demonstrate a PDOS attack that can take place remotely.

A PDOS attack damages a system so badly that it requires replacement or reinstallation of hardware. Unlike the infamous distributed denial-of-service (DDOS) attack -- which is used to sabotage a service or Website or as a cover for malware delivery -- PDOS is pure hardware sabotage.

“We aren't seeing the PDOS attack as a way to mask another attack, such as malware insertion, but [as] a logical and highly destructive extension of the DDOS criminal extortion tactics seen in use today,” says Rich Smith, head of research for offensive technologies & threats at HP Systems Security Lab.

Smith says a PDOS attack would result in a costly recovery for the victim, since it would mean installing new hardware. At the same time, it would cost the attacker much less than a DDOS attack. “DDOS attacks require investment from an attacker for the duration of the extortion -- meaning the renting of botnets, for example,” he says.

Smith will demonstrate how network-enabled systems firmware is susceptible to a remote PDOS attack -- which he calls “phlashing” -- this week at the EUSecWest security conference in London. He’ll also unveil a fuzzing tool he developed that can be used to launch such an attack as well as to detect PDOS vulnerabilities in firmware systems.

His so-called PhlashDance tool fuzzes binaries in firmware and the firmware’s update application protocol to cause a PDOS, and it detects PDOS weaknesses across multiple embedded systems.

The danger with embedded devices is that they are often forgotten. They don’t always get patched or audited, and they can contain application-level vulnerabilities, such as flaws in the remote management interface that leave the door open for an attacker, according to Smith. And remote firmware updates aren’t typically secured, but rather set up to occur by default.

Smith says remotely abusing firmware update mechanisms with a phlashing attack, for instance, is basically a one-shot attack. “Phlashing attacks can achieve the goal of disrupting service without ongoing expense to the attacker; once the firmware has been corrupted, no further action is required for the DOS condition to continue,” he says.

But HD Moore, director of security research for BreakingPoint Systems, says a more effective attack than waging a DOS on firmware would be to deliver malware. “It seems like if you can do a remote update of firmware, it would better to deliver a Trojan'ed firmware image, instead of just a DOS,” Moore says.

Meanwhile, Smith says he’s not aware of any phlashing PDOS attacks in the wild to date, but there are a few precautions to protect against these attacks. “Unfortunately, there isn't a magic bullet, but making sure the flash update mechanisms have authentication so as not just anyone can perform an update is a start,” Smith says. “Beyond this, flash update mechanisms need to be designed with malicious attacks in mind.”

Smith has no plans yet for releasing his PhlashDance tool.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Hewlett-Packard Co. (NYSE: HPQ)
  • BreakingPoint Systems

    Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
    Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
    RDP Bug Takes New Approach to Host Compromise
    Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    Building and Managing an IT Security Operations Program
    As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
    Flash Poll
    The State of IT Operations and Cybersecurity Operations
    The State of IT Operations and Cybersecurity Operations
    Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-2873
    PUBLISHED: 2019-07-23
    Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...
    CVE-2019-2874
    PUBLISHED: 2019-07-23
    Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...
    CVE-2019-2875
    PUBLISHED: 2019-07-23
    Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...
    CVE-2019-2876
    PUBLISHED: 2019-07-23
    Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...
    CVE-2019-2877
    PUBLISHED: 2019-07-23
    Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...