Phlashing attack permanently destroys hardware over the network

A scary new (theoretical) malware attack, Phlashing, involves tricking a remote device into letting you flash its firmware so that the machine can't ever be rebooted, and must be pulled out and replaced. They're called it a "Permanent Denial of Service" (PDOS) attack -- there's a ton of tasty new coinages in this little bit of ugliness.

Smith will demonstrate how network-enabled systems firmware is susceptible to a remote PDOS attack -- which he calls “phlashing” -- this week at the EUSecWest security conference in London. He’ll also unveil a fuzzing tool he developed that can be used to launch such an attack as well as to detect PDOS vulnerabilities in firmware systems.
His so-called PhlashDance tool fuzzes binaries in firmware and the firmware’s update application protocol to cause a PDOS, and it detects PDOS weaknesses across multiple embedded systems.

Link (via /.)

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE: Happy Mutants • Safety

More at Boing Boing

The technology that links taxonomy and Star Trek

Hackers prepare for first "national holiday" in their honor

zikzak

@12, You relating this story to the “fear of terrorism” narrative, and deriding it on the basis that it must be fear-mongering with an ulterior motive. But that seems like an inappropriate comparison…sometimes, when people alert us about specific, real dangers, it’s a good thing.

Most security researchers are more similar to consumer advocates or public safety watchdogs, monitoring commercial products for evidence of sloppiness or irresponsibility on the part of manufacturers, and alerting the public when they see a problem.

Some security researchers can even be thought of as whistle-blowers, putting themselves in legal and professional jeopardy in order to expose a security problem that a corporation won’t solve on their own.
waded

@#4 I’ll call it Brickroll if you will.

Although ideally that term would be reserved for remote flashing of the iPhone, not such that it’s bricked, but such that it can only play one song…
tiptopper

Wow!
A Weapon in the War on Hackers????????
MOM!!!the NSA just fryed my computer!!!!
vjinterkosmos

“The hackers can turn your TV-connected-to-computor a BOMB!”
wynneth

@12-HOMESTARRUNRUN- Whether or not it’s hype for people to panic over might depend on what kind of circles you run in, situations you put your network in, etc. If you’re the admin of a network that has access to some valuable data, the “evil phlash” replacement could be a worry. Likewise, if you’re a script kiddie cursing people out on IRC or various undernets it would be prudent.
Anonymous

My friend’s little brother was doing this to unsuspecting neighbors with unsecured local telco wireless routers a few years ago. The ISP just gave people their modem/routers with the same default security settings and no guidance whatsoever on securing them. The routers even allowed configuration via wireless connection so he’d start a firmware upgrade and disconnect in the middle of the download.
Anonyman

Zerth (26112) said it best.

Phlashing? And he calls his demo code PhlashDance? Good way to make this seem completely silly. “Damn it, we’ve been phlashdanced!” That’ll really get management to up your security budget, if they ever stop laughing.

It figures that when “bricking” might be remotely appropriate, they pick something worse.

It could have been remote bricking, BOIP(brick over IP), brick-and-run, packet bricking, warbricking.

Even brick-o-gram(landshark).

Sigh…

It’s also worth noting that many devices now have bad flash recovery procedures, making the “Permanent” aspect of this somewhat dubious.

I find this whole scenario to be significantly overstated.
skarbreeze

Ugh, this hits below the belt imo. This vulnerability is very common in retail wireless routers, among other things. Pretty much every device has a function that allows flashing the firmware, but only some allow it via the network. This could eventually be the vandals equivalent of an unsecured network.
Anonymous

This is what we deserve for being so lazy that it isn’t acceptable to have a jumper preventing any kind of firmware update so long as it is in the default position.
wackyvorlon

This isn’t as new as you may think. There have been one or two viruses that purported to flash themselves into a motherboard’s BIOS. I have to agree, the moniker ‘phlashing’ is vexing. Does the ph dipthong really deserve this much attention?
Church

How about “Brickroll?”
zikzak

Like HD Moore says, if you can overwrite the firmware, why settle for a DoS attack?

That’s kind of like getting root access to a box and immediately running “rm -rf /” There’s so much more potential there!

The best part being: non-DoS phlashing attacks could easily happen without anyone realizing they had, simply installing poisoned or backdoored firmwares on embedded devices to silently do Very Bad Things.
Mantari

Even better: red herring phlashing

For example, flash a PC’s BIOS. But don’t destroy the BIOS. Instead, have it produce a fatal error on the memory test, which prevents booting. (Easy enough to do.)

The person responsible for the hardware will spend the time to fix a memory problem, and ultimately find it unfixable. They’ll then blame the motherboard without giving even a second though to the BIOS having been tampered with.

Result: much time wasted chasing down a false issue, and the hardware goes in the trash without the original tampering being suspected.

* – YMMV
Anonymous

Anonyman/Zerth:

A great problem today for computer researchers is namespace collisions. Google, for example, cannot easily separate pages concerning biological viruses from pages concerning computer virii. This problem is one of the main barriers to the much bally-hooed “Semantic Web”.

The problem is somewhat ameliorated by “leet speak” parodying by people in the security trade; “phishing” and “phlashing” have low collision incidence and thus searching is made trivial.

The problem is compounded when self-appointed experts insist that there is no proper etymology for some term and engage in Internet-wide flame wars, such as the one Tom Christiansen started over “virii” (that continues to this day on Wikipedia). It doesn’t matter what the ancient greeks would have called a robot – the name robot is an excellent word that is easily modified to form robots, robotic, etc. with existing rules.

Scientists used to have an intuitive grasp of this concept; in days past a man might coin a unique word by compounding or mis-spelling greek or latin roots to label a new discovery or theoretical concept. Sadly, those days have passed, and now we have “dark matter”, “global warming”, and computer viruses… similar abominations abound.

As a person who has (really!) done research on brick masonry using Google, and who has a copy of the excellent album “unhalfbricking”, I have to congratulate the author of phlashdance for his attention to naming. Thank God he didn’t add yet another layer of meaning on “brick”.

–Charlie
OldCrow

i second WACKYVORLON. this capability has existed for at least the last 10 years and has been employed by various groups, both state sponsored and supported. word on the street is that the israeli’s has quite an issue with this in the late 1990′s…
homestarrunrun

ONOZ! THERES SOMETHING COMING TO GET YOUR COMPUTER SOUND TEH ALARMZ!
This is some hype that people will panic and buy crap for. Like how private citizens had fallout shelters in the 50s and 60s.
Not likely to happen to you but listen to promos for local news and see if I’m crazy.
“They tried to cut costs, but nearly crashed two airplanes. See Danger in the Dark, tonight at 10 on NBC5
z0iid

in today’s malware world, this type of attack is unlikely to wildly spread. at the most basic level, a bricked computer can’t propagate the virus to anyone. sure, it is *possible* to set it to be dormant, propagate, and launch at a set future date, ie, 9/11/11. But – the most advanced methods of spreading viruses (virii) are by using bot-nets. These bot-nets are generally used for gathering personal information illegally. The malware writers that lease out these networks, wouldn’t be ok with someone bricking their entire bot-net, or using their bot-net for a purpose that would only potentially increase sales/profit for hardware manufacturers. They are in the information business, not a physical, tangible product. A script kiddie’s method of distributing a virus is likely to get discovered and shutdown quickly by AV products.

So – mass hysteria? this article should not cause. Individual awareness increase? sure. don’t piss techie people off.
zikzak

@ #6: But little to they know, you’re waiting back behind their dumpster to grab all the “broken” hardware and boot it with a special jumper setting which runs the BIOS in “non-evil” mode :)