By Kelly Jackson Higgins
May 19, 2008
You don't have to take an ax to a piece of hardware to perform a so-called permanent denial-of-service (PDOS) attack. A researcher this week will demonstrate a PDOS attack that can take place remotely.

A PDOS attack damages a system so badly that it requires replacement or reinstallation of hardware. Unlike the infamous distributed denial-of-service (DDOS) attack -- which is used to sabotage a service or Website or as a cover for malware delivery -- PDOS is pure hardware

"We aren't seeing the PDOS attack as a way to mask another attack, such as malware insertion, but [as] a logical and highly destructive extension of the DDOS criminal extortion tactics seen in use today," says Rich Smith, head of research for offensive technologies & threats at HP Systems Security Lab.

Smith says a PDOS attack would result in a costly recovery for the victim, since it would mean installing new hardware. At the same time, it would cost the attacker much less than a DDOS attack. "DDOS attacks require investment from an attacker for the duration of the extortion -- meaning the renting of botnets, for example," he says.

Smith will demonstrate how network-enabled systems firmware is susceptible to a remote PDOS attack -- which he calls "phlashing" -- this week at the EUSecWest security conference in London. He'll also unveil a fuzzing tool he developed that can be used to launch such an attack as well as to detect PDOS vulnerabilities in firmware systems.

His so-called PhlashDance tool fuzzes binaries in firmware and the firmware's update application protocol to cause a PDOS, and it detects PDOS weaknesses across multiple embedded systems.

The danger with embedded devices is that they are often forgotten. They don't always get patched or audited, and they can contain application-level vulnerabilities, such as flaws in the remote management interface that leave the door open for an attacker, according to Smith. And remote firmware updates aren't typically secured, but rather set up to occur by default.

Smith says remotely abusing firmware update mechanisms with a phlashing attack, for instance, is basically a one-shot attack. "Phlashing attacks can achieve the goal of disrupting service without ongoing expense to the attacker; once the firmware has been corrupted, no further action is required for the DOS condition to continue," he says.
But HD Moore, director of security research for BreakingPoint Systems, says a more effective attack than waging a DOS on firmware would be to deliver malware. "It seems like if you can do a remote update of firmware, it would be better to deliver a Trojan'ed firmware image, instead of just a DOS," Moore says.
Meanwhile, Smith says he's not aware of any phlashing PDOS attacks in the wild to date, but there are a few precautions to protect against these attacks. "Unfortunately, there isn't a magic bullet, but making sure the flash update mechanisms have authentication so as not just anyone can perform an update is a start," Smith says. "Beyond this, flash update mechanisms need to be designed with malicious attacks in

Smith has no plans yet for releasing his PhlashDance tool.
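The precaution Smith describes, an update mechanism that authenticates the image before it touches flash, looks roughly like the check below. This is an added example written for this article; it is not PhlashDance and not any vendor's update code. The image layout (`FWIM` magic, 32-bit version, 32-bit payload length, payload, HMAC-SHA256 tag), the device key and the sample payloads are all constructed for the demonstration. The verifier parses the header defensively (so malformed or truncated input of the kind a fuzzer sends is rejected rather than flashed), checks the tag in constant time, and refuses version rollback.

```python
"""Authenticated firmware-image check (added example, not the article's or
HP's code). Assumed image format, constructed for this example:

    magic(4) | version(4, big-endian) | payload_len(4) | payload | tag(32)

where tag = HMAC-SHA256(device_key, magic|version|payload_len|payload).
"""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"          # constructed magic value
HEADER_LEN = 12          # magic + version + payload_len
TAG_LEN = 32             # HMAC-SHA256 digest size


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Produce a signed image the way a vendor build step would (assumed format)."""
    header = MAGIC + struct.pack(">II", version, len(payload))
    body = header + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify_image(key: bytes, image: bytes, installed_version: int):
    """Decide whether an offered image may be written to flash.

    Returns (ok, reason, version). Every structural check happens before the
    header fields are trusted, and the tag is compared before the version is
    acted on, so unauthenticated input never influences behaviour.
    """
    if len(image) < HEADER_LEN + TAG_LEN:
        return False, "too short", None
    if image[:4] != MAGIC:
        return False, "bad magic", None
    version, payload_len = struct.unpack(">II", image[4:HEADER_LEN])
    if len(image) != HEADER_LEN + payload_len + TAG_LEN:
        return False, "length mismatch", None
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return False, "authentication failed", None
    if version <= installed_version:              # anti-rollback
        return False, "rollback rejected", version
    return True, "ok", version


def demo():
    """Run the check against a valid image and several hostile inputs."""
    key = b"constructed-device-key"                # constructed shared secret
    installed = 1
    good = build_image(key, 2, b"constructed firmware payload")

    tampered = bytearray(good)
    tampered[HEADER_LEN] ^= 0xFF                   # flip one payload byte
    forged = build_image(b"attacker-guessed-key", 3, b"not our firmware")
    truncated = good[:-1]                          # fuzzer-style malformed input

    return {
        "valid": verify_image(key, good, installed),
        "tampered": verify_image(key, bytes(tampered), installed),
        "wrong_key": verify_image(key, forged, installed),
        "truncated": verify_image(key, truncated, installed),
        "rollback": verify_image(key, good, 2),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

A shared HMAC key is used here only because it needs no third-party library; a production design would normally verify a public-key signature so that the key able to sign images never has to live on the device, and would run this check from code the update itself cannot overwrite.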