[ISN] Permanent Denial-of-Service Attack Sabotages Hardware

From: InfoSec News (alerts@private)
Date: Fri May 23 2008 - 00:13:58 PDT


By Kelly Jackson Higgins
Senior Editor
Dark Reading
May 19, 2008

You don't have to take an ax to a piece of hardware to perform a 
so-called permanent denial-of-service (PDOS) attack. A researcher this 
week will demonstrate a PDOS attack that can take place remotely.

A PDOS attack damages a system so badly that it requires replacement or 
reinstallation of hardware. Unlike the infamous distributed 
denial-of-service (DDOS) attack -- which is used to sabotage a service 
or Website or as a cover for malware delivery -- PDOS is pure hardware 

"We aren't seeing the PDOS attack as a way to mask another attack, such 
as malware insertion, but [as] a logical and highly destructive 
extension of the DDOS criminal extortion tactics seen in use today," 
says Rich Smith, head of research for offensive technologies & threats 
at HP Systems Security Lab.

Smith says a PDOS attack would result in a costly recovery for the 
victim, since it would mean installing new hardware. At the same time, 
it would cost the attacker much less than a DDOS attack. "DDOS attacks 
require investment from an attacker for the duration of the extortion -- 
meaning the renting of botnets, for example," he says.

Smith will demonstrate how network-enabled systems firmware is 
susceptible to a remote PDOS attack -- which he calls "phlashing" -- 
this week at the EUSecWest security conference in London. He'll also 
unveil a fuzzing tool he developed that can be used to launch such an 
attack as well as to detect PDOS vulnerabilities in firmware systems.

His so-called PhlashDance tool fuzzes binaries in firmware and the 
firmware's update application protocol to cause a PDOS, and it detects 
PDOS weaknesses across multiple embedded systems.

The danger with embedded devices is that they are often forgotten. They 
don't always get patched or audited, and they can contain 
application-level vulnerabilities, such as flaws in the remote 
management interface that leave the door open for an attacker, according 
to Smith. And remote firmware updates aren't typically secured, but 
rather set up to occur by default.

Smith says remotely abusing firmware update mechanisms with a phlashing 
attack, for instance, is basically a one-shot attack. "Phlashing attacks 
can achieve the goal of disrupting service without ongoing expense to 
the attacker; once the firmware has been corrupted, no further action is 
required for the DOS condition to continue," he says.

But HD Moore, director of security research for BreakingPoint Systems, 
says a more effective attack than waging a DOS on firmware would be to 
deliver malware. "It seems like if you can do a remote update of 
firmware, it would be better to deliver a Trojan'ed firmware image, instead 
of just a DOS," Moore says.

Meanwhile, Smith says he's not aware of any phlashing PDOS attacks in 
the wild to date, but there are a few precautions to protect against 
these attacks. "Unfortunately, there isn't a magic bullet, but making 
sure the flash update mechanisms have authentication so as not just 
anyone can perform an update is a start," Smith says. "Beyond this, 
flash update mechanisms need to be designed with malicious attacks in 
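
As an added illustration of the precaution Smith describes (this is not code from the article, from HP, or from the PhlashDance tool), the sketch below shows an update handler that refuses to touch flash unless the image is well-formed, carries a valid authentication tag, and is newer than the installed version. The image layout, the device key and the function names are constructed for this example; a shared-key HMAC is used only to keep it self-contained, whereas a production design would verify an asymmetric signature so the device stores nothing but a public key.

```python
import hashlib
import hmac
import struct

# Constructed (hypothetical) image layout: header | payload | HMAC-SHA256 tag.
MAGIC = b"FW01"
HEADER = struct.Struct(">4sII")          # magic, version, payload length (big-endian)
TAG_LEN = hashlib.sha256().digest_size   # 32 bytes


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Produce a signed image in the constructed format (what a build server would do)."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_update(image: bytes, key: bytes, current_version: int):
    """Return (accepted, reason). The flash writer must only run when accepted is True."""
    # 1. Structural checks come first: a truncated or fuzzed blob is rejected
    #    before anything is parsed further or written.
    if len(image) < HEADER.size + TAG_LEN:
        return False, "image too short"
    magic, version, payload_len = HEADER.unpack_from(image)
    if magic != MAGIC:
        return False, "bad magic"
    if len(image) != HEADER.size + payload_len + TAG_LEN:
        return False, "length mismatch"

    # 2. Authentication: only a holder of the update key can produce a valid tag,
    #    so "just anyone" on the network cannot push an image. Constant-time compare.
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "authentication failed"

    # 3. Anti-rollback: an authentic but older image may reintroduce known bugs.
    if version <= current_version:
        return False, "version not newer"
    return True, "accepted"


def apply_update(flash: bytearray, image: bytes, key: bytes, current_version: int):
    """Simulated flash write guarded by verify_update; returns the verification result."""
    ok, reason = verify_update(image, key, current_version)
    if ok:
        flash[:] = image[HEADER.size:-TAG_LEN]   # only the verified payload reaches flash
    return ok, reason
```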

Smith has no plans yet for releasing his PhlashDance tool.

This archive was generated by hypermail 2.1.3 : Fri May 23 2008 - 00:32:54 PDT