Analytics

5/19/2008
09:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Permanent Denial-of-Service Attack Sabotages Hardware

Researcher to demonstrate a permanent denial-of-service (PDOS) attack that remotely wipes out hardware via flash firmware updates

You don’t have to take an ax to a piece of hardware to perform a so-called permanent denial-of-service (PDOS) attack. A researcher this week will demonstrate a PDOS attack that can take place remotely.

A PDOS attack damages a system so badly that it requires replacement or reinstallation of hardware. Unlike the infamous distributed denial-of-service (DDOS) attack -- which is used to sabotage a service or Website or as a cover for malware delivery -- PDOS is pure hardware sabotage.

“We aren't seeing the PDOS attack as a way to mask another attack, such as malware insertion, but [as] a logical and highly destructive extension of the DDOS criminal extortion tactics seen in use today,” says Rich Smith, head of research for offensive technologies & threats at HP Systems Security Lab.

Smith says a PDOS attack would result in a costly recovery for the victim, since it would mean installing new hardware. At the same time, it would cost the attacker much less than a DDOS attack. “DDOS attacks require investment from an attacker for the duration of the extortion -- meaning the renting of botnets, for example,” he says.

Smith will demonstrate how network-enabled systems firmware is susceptible to a remote PDOS attack -- which he calls “phlashing” -- this week at the EUSecWest security conference in London. He’ll also unveil a fuzzing tool he developed that can be used to launch such an attack as well as to detect PDOS vulnerabilities in firmware systems.

His so-called PhlashDance tool fuzzes binaries in firmware and the firmware’s update application protocol to cause a PDOS, and it detects PDOS weaknesses across multiple embedded systems.

The danger with embedded devices is that they are often forgotten. They don’t always get patched or audited, and they can contain application-level vulnerabilities, such as flaws in the remote management interface that leave the door open for an attacker, according to Smith. And remote firmware updates aren’t typically secured, but rather set up to occur by default.

Smith says remotely abusing firmware update mechanisms with a phlashing attack, for instance, is basically a one-shot attack. “Phlashing attacks can achieve the goal of disrupting service without ongoing expense to the attacker; once the firmware has been corrupted, no further action is required for the DOS condition to continue,” he says.

But HD Moore, director of security research for BreakingPoint Systems, says a more effective attack than waging a DOS on firmware would be to deliver malware. “It seems like if you can do a remote update of firmware, it would better to deliver a Trojan'ed firmware image, instead of just a DOS,” Moore says.

Meanwhile, Smith says he’s not aware of any phlashing PDOS attacks in the wild to date, but there are a few precautions to protect against these attacks. “Unfortunately, there isn't a magic bullet, but making sure the flash update mechanisms have authentication so as not just anyone can perform an update is a start,” Smith says. “Beyond this, flash update mechanisms need to be designed with malicious attacks in mind.”

Smith has no plans yet for releasing his PhlashDance tool.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Hewlett-Packard Co. (NYSE: HPQ)
  • BreakingPoint Systems

    Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Crowdsourced vs. Traditional Pen Testing
    Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
    BEC Scammer Pleads Guilty
    Dark Reading Staff 3/20/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: Well, at least it isn't Mobby Dick!
    Current Issue
    5 Emerging Cyber Threats to Watch for in 2019
    Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
    Flash Poll
    The State of Cyber Security Incident Response
    The State of Cyber Security Incident Response
    Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-9945
    PUBLISHED: 2019-03-23
    SoftNAS Cloud 4.2.0 and 4.2.1 allows remote command execution. The NGINX default configuration file has a check to verify the status of a user cookie. If not set, a user is redirected to the login page. An arbitrary value can be provided for this cookie to access the web interface without valid user...
    CVE-2019-9942
    PUBLISHED: 2019-03-23
    A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.
    CVE-2018-20165
    PUBLISHED: 2019-03-22
    Cross-site scripting (XSS) vulnerability in OpenText Portal 7.4.4 allows remote attackers to inject arbitrary web script or HTML via the vgnextoid parameter to a menuitem URI.
    CVE-2019-1716
    PUBLISHED: 2019-03-22
    A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 7800 Series and Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. The vulnerability ...
    CVE-2019-1763
    PUBLISHED: 2019-03-22
    A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to bypass authorization, access critical services, and cause a denial of service (DoS) condition. The vulnerability exist...