New 'Phlashing' Attack Sabotages Hardware

yahoi writes "A new type of denial-of-service attack, called permanent denial-of-service (PDOS), damages a system so badly that it requires replacement or reinstallation of hardware. A researcher has discovered how to abuse firmware update mechanisms with what he calls 'phlashing' — a type of remote PDOS attack."

Pharphetched naming

[Anonymous Coward]

I'm sick of this naming phad.

Re:Pharphetched naming

[Thanshin]

I pheel it phaitphully phollows the phirst uses oph it.

Re:Pharphetched naming

[davidpbrown]

Reminds me of the European Commission

The European Commission has announced an agreement whereby English will be the official language of the EU, rather than German, which was the other contender. Her Majesty's Government conceded that English spelling had room for improvement and has therefore accepted a five-year phasing in of "Euro-English".

In the first year, "s" will replace the soft "c". Sertainly, this will make sivil servants jump for joy. The hard "c" will be dropped in favour of the "k", Which should klear up some konfusion and allow one key less on keyboards.

There will be growing publik enthusiasm in the sekond year, when the troublesome "ph" will be replaced with "f", making words like "fotograf" 20% shorter.

In the third year, publik akseptanse of the new spelling kan be expekted to reach the stage where more komplikated changes are possible. Governments will enkourage the removal of double letters which have always ben a deterent to akurate speling. Also, al wil agre that the horible mes of the silent "e" is disgrasful.

By the fourth yer, peopl wil be reseptiv to steps such as replasing "th" with "z" and "w" with "v".

During ze fifz yer, ze unesesary "o" kan be dropd from vords kontaining "ou" and similar changes vud of kors be aplid to ozer kombinations of leters. After zis fifz yer, ve vil hav a reli sensibl riten styl. Zer vil be no mor trubls or difikultis and everivun vil find it ezi to understand ech ozer. ZE DREM VIL FINALI COM TRU!

Herr Schmidt

Re:Pharphetched naming

[Curien]

Credit where credit's due:
http://www.physics.uwo.ca/~harwood/humor13.txt [physics.uwo.ca]

Re:Pharphetched naming

[flosofl]

Dude, at least acknowledge the original you borrowed this from (maybe Mark Twain, most likely M.J. Yilz). http://grammar.ccc.commnet.edu/grammar/twain.htm [commnet.edu]

Re:Pharphetched naming

[beadfulthings]

I'm in a lot of trouble. By those rules, by Year 5 there won't be any letters left in my first name.

Sincerely yours,

*

Re:Pharphetched naming

[Anonymous Coward]

Cphethw, is that you!?

Re:

[ChefInnocent]

<pedantic>

Each time I read this, it gets easier to read the final paragraph. However, it still has at least two issues. The first is the overloading of the v with w which have different sounds. The second is that British English has about 11 non-dipthong vowels (which is really most of the issue with spelling), and the "new spelling system" (let's call it a Rechtschreibung) doesn't really address that. This of course, can also lead to the issues of sh and ch. Although if you left sh as the s sy

Re:Pharphetched naming

[Kamineko]

It sure as hell beats phbricked.

Re:

[mweather]

I think it's a bit more than a fad if it's been going on 40+ years.

source of the name

[straponego]

PHLASH.EXE is the name of Phoenix's BIOS upgrade tool.

I am not making this up: less than a week ago, I woke up thinking: what to firmware, BIOS, TPM, and IPMI have in common? They'd all be great vectors for bricking a machine.

Re:

[nmg196]

> I'm sick of this naming phad.

Yeah it's phucking stupid. The stupid phuckwits should take some time to phink of a better name.

I had no clue people still upgraded firmwares.

[nauseum_dot]

Seriously, I work to update the equipment at work, but at home, I just really don't care a whole lot about a $30 router.
I can't tell you the last time upgraded the bios on a motherboard. I think it was an older P3 Dell PowerEdge because I was installing Linux on it.

Re:

[ratbag]

I updated the firmware on my Vigor 2600 router a couple of weeks back in order to enable WDS. Also seems to have improved the ADSL reliability. It was the first update I'd done to it in over a year. Also updated by BlackBerry earlier this year so that it could connect to my Mac without locking the machine up solid. So at least one person is still doing firmware upgrades...

Re:

[maxume]

No doubt all his equipment works exactly as he expects it to.

He would probably be outright offended if he heard about Rockbox or other projects where people are *writing* their own firmware.

Re:

[Kingrames]

Well, you probably wouldn't value a $30 router unless you were using it at the time.

I can easily see this being an issue, if perhaps, someone attacked your router and destroyed it in the middle of a counter-strike match or a WoW arena matchup, for example.

Re:

[Dekortage]

I can easily see this being an issue, if perhaps, someone attacked your router and destroyed it in the middle of a counter-strike match or a WoW arena matchup, for example.

Umm... I'd see it as even more of an issue if you were a telecommuter and your VPN died. Corporate or government, there are many such staff.

Of course, this will be on the new list of "dog ate my homework" excuses: "Really boss, somebody bricked my router!"

Re:

[Creepy Crawler]

And Im running a WRT54G with OpenWRT on it. Supports sshv2 and all the mods I wish to load on it. You paid 300$ (?) for something that does a small subset what mine does, for 1/10 the price. Sweet.

Re:

[Amouth]

sorry butthe WRT54G isn't what i would consider a reliable peice of hardware..

Re:I had no clue people still upgraded firmwares.

[Creepy Crawler]

That's the key: Reliable Enough. We dont need 100% availability, as it requires many redundant units (akin DRBD). I just have another WRT54G if this one burns out.

Business wise: I would go higher end as time==money. Better reliability can be afforded.

It does what I want it to do, and it does it well. And cheap.

Re:

[Creepy Crawler]

Nope. Mine's WRT54G v.3

I got it before they started using that non-linux OS on it.

Re:

[Creepy Crawler]

I'm thinking in terms of the following. Im unsure what exactly the feature set of that Cisco is.

1. SIP gateway
2. Kismet node
3. SSH tunnel/TOR tunnel
4. Linux firewall (i'd rather have freebsd firewall, but oh well)
5. IPv4-IPv6 tunnel

more here [openwrt.org]. I doubt your cisco has that feature set.

Re:

[element-o.p.]

Meh. Cisco doesn't have a lot of horsepower either, unless you want to pony up for their really big iron. If you want horsepower, buy a micro-ATX motherboard and a compact flash drive, put a really slimmed down Linux distribution on it, run IPTables to firewall your network and use Quagga to do any routing you need. You'll blow away any Cisco box you can afford, and have ten times the flexibility to boot.

Not that comfortable with doing it yourself? Buy an http://www.imagestream.com/ [imagestream.com]ImageStream Envoy

Re:

[Anonymous Coward]

We're running a small IT shop and are reflashing multiple ADSL modems per week as local ISP is giving low-cost Telewell EA-501v3 modems for free when subscribing. Those boxes are probably bought en masse some years ago and all of them have ancient firmware which causes NAT to get stuck in couple weeks uptime.

Re:

[Coopjust]

If you have $30 router and a minor issue with it, the 2 minutes it takes to apply new firmware isn't a terrible inconvenience.

And, thanks to new exploits like this, firmware upgrades may be necessary to block exploits from sabotaging your network equipment, simply maliciously (bricking) or for profit (undetectable redirects to phishing sites, attaching your affiliate ID to all ads, catching any SSN/Credit Card Number/Login going through even if it is not a phishing site.

Re:

[clang_jangle]

I just updated the firmware on my Treo...

Re:

[jank1887]

you should just buy Trendnet routers. They never actually offer any firmware updates. must be because the devices are such high quality to start with...

Re:

[mspohr]

I've had a Trendnet ADSL WiFi router for about a year and never checked for updates. Never had any problem. It has just worked for the entire time. Should I worry? I bought it because it was the cheapest I could find at the time. (I always buy the cheapest stuff and most of the time it just works fine.)

Re:

[sqlrob]

It's not just network hardware or computers.

iPhone
PS3
360
Wii
PSP

Read-only switch

[ettlz]

...or jumper. How much more would that cost?

Re:Read-only switch

[Anonymous Coward]

more than nothing

Re:

[rthille]

My board (VIA EPIA EN-15000G) already has a jumper you have to set to flash the bios. You can make bios configuration changes, but not flash the bios. Not sure how the division is accomplished (perhaps the bios config is in battery backed static ram), but it seems to work. I don't know that I would completely reject a board without that feature, but it certainly would be a strike against it.

Re:Read-only switch

[marxmarv]

About two cents in quantity, plus a penny to drill the hole and stuff the part. Plus six or seven cents for the AND gate on the write line. Times several million.

Bricking

[ThrudTheBarbarian]

FINALLY! *This* is bricking

Re:

[hostyle]

+1 Architectural

Re:

[dreamchaser]

Yes it is, in a sense, but at least in the case of a PC all one would need do is replace the BIOS physically. Not a very difficult fix for any tech savvy person.

Re:Bricking

[Linker3000]

Not a very difficult fix for any tech savvy person with surface mount device reworking equipment - or a soldering iron, a steady hand and a great deal of faith in their ability (or practical experience) to rework SMDs with the wrong kit.

FTFY

Re:

[dreamchaser]

Not sure about your PC's, but every one of mine has an easily removeable BIOS that requires none of that. Even if it did, what tech savvy person DOESN'T know how to desolder a chip and pop in a new one. I didn't say it would be easy for the average Joe.

Re:

[Intron]

I'm a hardware guy and I haven't attempted to solder a SMD by hand in the last 10 years. Typical flash memory pin spacing is 0.5mm. I drink way too much coffee for that.

Re:Bricking & replacement parts

[Technician]

Not a very difficult fix for any tech savvy person with surface mount device reworking equipment - or a soldering iron, a steady hand and a great deal of faith in their ability (or practical experience) to rework SMDs with the wrong kit.


Truly spoken by someone who hasn't tried to buy a programmed flash part for a made in China board. Hint, the replacement board can be purchased but the replacement chip containing IP firmware is a little harder to obtain. Custom parts on the board (flash memory) are not imported in a programmed state. If you can extract the image from the executable without the aid of the boot loader, many of these blank chips and flash upgrade don't come with any way to install the initial code to load the initial firmware.

A new blank BIOS chip doesn't contain enough firmware to boot a floppy, USB memory stick, or CD ROM to flash the BIOS. You need a BIOS image and device programmer. Since neither is supplied and both are needed, your chances of obtaining a BIOS image and installing the firmware are slim to none.

A Blank clock flash memory chip from Mouser does not make a bricked board bootable enough to flash the new BIOS firmware.

If you want to try it, Pick up a blank unit here; Good luck
http://www.epn-online.com/page/new56862/mouser-stocks-silicon-laboratories-c8051f9xx-line-of-mcus.html [epn-online.com]

Re:

[jonadab]

Not very difficult *if* you have the replacement part, with a good BIOS on it. Which is probably only available bundled on another motherboard of exactly the same model and revision...

Re:

[MagicM]

I propose we call it "phricking".

thank you for another buzzword

[mambosauce]

interesting research, but we should browbeat the research for calling it phlashing

Re:thank you for another buzzword

[aproposofwhat]

nah - his tool's called PhlashDance, which made me go all warm and fuzzy at the thought of Jennifer Beals stamping on my fimware in her heels :P

Re:thank you for another buzzword

[Anonymous Coward]

nah - his tool's called PhlashDance, which made me go all warm and fuzzy at the thought of Jennifer Beals stamping on my fimware in her heels :P

Hmmmm... What a pheeling.

Re:

[SargentDU]

I agree! phlashing sounds like flashing! Stupid to use something that is phonically identical for different outcomes.

In Italy

[Anonymous Coward]

In Italy a big ISP gave ADSL modems with default password and active administrator wan access...

Re:

[Jaysyn]

Hell, my ISP does the same thing now. The phone support tech freaked out when I told them I was in the modem's management console. Apparently, you're not supposed to upgrade the firmware on your own.

And no, I'm not going to tell you who my ISP is. :D

Re:

[the_bard17]

I've noticed that Time Warner is handing out Netgear WGR614v7 routers... or so they appear. Look closely, and the model number has a -VC or something close to it appended.

Try to upgrade the firmware off Netgear's website, and the normal WGR614 firmware doesn't apply... the router kicks it out, saying that the firmware's for the wrong device.

P.S.: I'm doing this from memory, so I may have the wrong model number listed above. My apologies if so.

Re:

[Uncle Focker]

Comcast?

How is the mechanism exploited?

[Coopjust]

Is it possible to exploit firmware from the outside, unless the person has enabled remote management and is using the default password?

Those two rarely go hand in hand.

However, I think we'll see a lot of trojans with firmware payloads. How many people use the WRT54G? And how many access points are unsecured with the name "linksys"? Those people probably didn't change their admin password.

Simple solution: Hardware button. You have to press it to flash the router, and you have a minute after you press it to upload the firmware. Should be an easy thing to do and provide a great amount of protection.

Re:

[Kingrames]

Well there must be some way to get the root password - I suspect that social engineering or a bad seed may be the culprit for that - then it's just a matter of running a program.

Re:How is the mechanism exploited?

[kalirion]

Why would flashing even be allowed through remote management? My router comes with instructions to not even risk flashing through a wireless LAN connection, much less the whole big world wide net.

Re:

[Coopjust]

A flash could put firmware that redirected to phishing sites, added affiliate IDs to banner ads, or do other things beyond bricking...

That's the best they could come up with

[Zerth]

Phlashing? And he calls his demo code PhlashDance? Good way to make this seem completely silly. "Damn it, we've been phlashdanced!" That'll really get management to up your security budget, if they ever stop laughing.

It figures that when "bricking" might be remotely appropriate, they pick something worse.

It could have been remote bricking, BOIP(brick over IP), brick-and-run, packet bricking, warbricking.

Even brick-o-gram(landshark).

Sigh...

Re:That's the best they could come up with

[trongey]

It could have been remote bricking, BOIP(brick over IP), brick-and-run, packet bricking, warbricking.

Even brick-o-gram(landshark).

I vote for Brick-rolling.

Re:

[Orbijx]

We're no strangers to v4. You know ipchains, and so do I. A full traceroute's what I'm thinking of. You wouldn't ping it with any other guy. :)

Surely this isn't that much of a problem

[Silver Sloth]

As a targeted attack against a commercial venture any support team worth their salt will do patching as part of routine maintenance - don't we guys'n'gals? As an attack against mom and pop PCs there are so many hardware variants that any one piece of malware will have a very limited target.

To me this looks like talking up a non existent problem - but I'm open to persuasion otherwise.

Re:

[Oxy the moron]

To me this looks like talking up a non existent problem - but I'm open to persuasion otherwise.

What if one were able to upload firmware from device type A, a certain DVD-Writer, to device type B, a CD-ROM? I realize it isn't the best example, but wouldn't having the wrong firmware type (not just a different hacked version of the same type of drive) completely brick that hardware? From that standpoint, I don't think the firmware would have to be "targeted" per se.

Re:

[TubeSteak]

As a targeted attack against a commercial venture any support team worth their salt will do patching as part of routine maintenance - don't we guys'n'gals?

The problem is that this isn't a targeted attack, it's a fuzzer.
If there are overflow issues in your code, allegedly, this will trash your firmware.

To me this looks like talking up a non existent problem - but I'm open to persuasion otherwise.

It's a problem because it goes back to the truly malicious days of the 80's and 90's where the goal wasn't to own someone's computer, just to destroy and disrupt. This could kill your graphics card, sound card, network card, bluetooth, cd/dvd drive, etc etc etc.

And it isn't a quick solve, because it will require the people writing firmwares to write (at a mini

Re:

[Missing_dc]

As a targeted attack against a commercial venture any support team worth their salt will do patching as part of routine maintenance - don't we guys'n'gals? As an attack against mom and pop PCs there are so many hardware variants that any one piece of malware will have a very limited target.

To me this looks like talking up a non existent problem - but I'm open to persuasion otherwise.

If the trojan carried the payload onboard, sure, the target audience would be small. However, if the trojan read the PC

This is new?

[Timothy Brownawell]

I'm pretty sure I remember stories about viruses that could destroy hardware, by doing things like making the drives seek in "funny" ways (past the edge of the disc or something?) or driving wired-together pins to opposite voltages. Those sound *really* permanent, where a bad flash can be fixed by anyone with the proper equipment (JTAG programmer) unless it does that same sort of thing.

Re:

[Thanshin]

I'm pretty sure I remember stories about viruses that could destroy hardware,

I remember stories about viruses that could infect the computer human user.

I didn't believe in them, though.

Re:

[Timothy Brownawell]

I'm pretty sure I remember stories about viruses that could destroy hardware,

I remember stories about viruses that could infect the computer human user. I didn't believe in them, though.

Sure, but these at least are believable if you don't have the spare resources to provide proper encapsulation for the interfaces to your hardware. The OS shouldn't be able to drive a bus while some other device is talking on it, but sufficiently dumb/cheap driver hardware might not prevent this.

Re:

[kvezach]

I remember stories about viruses that could infect the computer human user.

It's called an e-mail chain letter or virus hoax, and infects the minds of gullible users.

Re:

[Uncle Focker]

But I was just trying to help that poor Nigerian get his gold out of the country! :'(

Re:

[MilesAttacca]

Indeed, early Commodore PETs reportedly suffered a "killer POKE [6502.org]" via their BASIC.

Re:

[lz2pt]

God, this is going back,

In the good old DOS PC days when 10Mb hard disks were 'big' and 'Stoned' was probably the only wild virus ever found on the lab machines..

There was an issue wrt Stoned I think, or some other virus of the time whose name escapes me, its final action was to zap the old MFM hard disks via some low level init call, but, this wasn't fatal as we could get the info back off them with a bit of faffing, however, the first generation of those new fangled IDE disks, the same init call permanent

Nothing to see, move on folks.

[140Mandak262Jamuna]

The link does not tell us how to attack and render all computers in [insert your favorite evil company here AAPL,MSFT,GOOG]. Just some research guy jaw boning what could be done. So technically there is nothing worthwhile for the slashdot crowd.

Re:

[zappepcs]

Survey said! bzzzzzz wrong.

It is of interest. Think about it. If you wanted to do damage to company xyz, you social engineer the information for what PCs they are using, the CD hardware etc., routers, blah blah blah... then silently release a worm or virus that redirects them to your special webpage. brick brick brick brick until their productivity grinds to a halt.... if some get bricked for the CD, others for the motherboard, others because of routers... it matters not. What is being shown is that it is P

Rivets

[John Hasler]

> May your body rot next to that of the designer of the Titanic.

Unfair. If the ship had been built with the rivets specified by the engineers it would not have sunk. The shipyard couldn't get rivets that met specs so management went with what they had. After all, they had a delivery date...

Proof of concept

[Malevolent Tester]

Dear Sir, I am the former son of the Nigerian dictator Sonni Abacha. I would like to give you several million dollars. To receive this, please add a static IP to your D-Link router and reboot it.

I used to work with a Sys Admin like that

[MosesJones]

He used to be able to turn any working piece of kit into a piece of metal art in about 20 seconds, EVERYTHING was always a BIOS issue and he would NEVER check with anyone before replacing the BIOS.

Lets be clear about how dumb this person was, he had a BIOS that worked on his test servers and would then apply that to all the other servers INDEPENDENT OF HARDWARE OR OS. He would then start the machines (which of course wouldn't start) declare them "broken" and say the issue was with the software.

We did some low level hardware stuff in our software and it did break the boxes sometimes so it took 2 months of painful testing and debugging which found nothing, it only came about because one of the team had a heavy night and decided to "rest" in the server room and saw the moron apply the BIOS to a server that had been running and then scurry out to blame the team again.

Basic rule after then was BIOS set to read-only and locked down with a secure password, to this day my BIOS has a password thanks to the sheer physical shock of realising how dumb some people can be.
 

Re:I used to work with a Sys Admin like that

[kalirion]

That's sounds like a good submission to The Daily WTF [thedailywtf.com].

Re:

[Cassini2]

I always assumed that the flash updating programs would have lock outs to prevent someone from uploading an incorrect BIOS image when flashing the hardware. This would prevent people from flashing things, bricking their own hardware, and then trying to return it under warranty.

I add that feature to the embedded hardware that I design ...

Re:

[MosesJones]

The production kit did when it was shipped but not the stuff that was in our test environment (different from the Sys Admin test environment) we just hadn't realised that our fellow employees were more stupid than any of our clients could ever hope to be.

Re:

[Kjella]

The really clueless are often too afraid to break it to do anything dangerous. It's the semi-skilled people that are really dangerous, just enough to know such things as to flash a BIOS yet completely oblivious to any problems that might cause. They're the kind that'll disable the anti-virus and firewall if you let them, because it blocks whatever important thing they're doing. If anyone ever feels the need to utter "Trust me, I know what I'm doing" it's time to duck and take cover.

Re:

[Uncle Focker]

You're overqualified.

This is what I love about computers

[Richard W.M. Jones]

Nothing is really new.

Bytecode [wikipedia.org], killer pokes [oldcomputers.net], the auto type [wikipedia.org], XML [wikipedia.org] ...

Rich.

Hardware Virus

[Pikoro]

I seem to remember a virus back in the 486 days that would cause the hard drive to sweep back and forth between extremes and would keep sweeping until it hit some "resonant frequency" of the drive heads. At that point the heads would start oscillating on the vertical, causing it to strike the platter and physically damage the hard disc.

Anyone else remember this? I had only seen it once and have never been able to find a reference to it.

This would have been in the mid '90s. I have been wracking my brain over finding it since then.

Anyone else who has heard of this, reply and let me know.

Re:Hardware Virus

[Anonymous Coward]

I experimented with a technique (that worked) on the Commodore 64. You could address the floppy drive directly to move the drive head to the innermost position, which was on the opposite side of the "track 0" microswitch. Then you deliberately crash the CPU on the drive. When it POSTs it moves the head inward to track 0 to initialize. Since the head is on the wrong side of the switch it never gets there, makes a terrible noise, and gives up.

Re:

[Captain Spam]

I heard of viruses like those back in that time frame, too. Though when I heard of them, they were reported as spinning the hard drive heads so fast that they overheated and warped.

But in the end, I think those were all just email hoaxes. Ah, those were the good ol' days, when hoax emails were pranks like those and not phishing scams. Now I'm all nostaligic. :-)

All things considered, though, I don't believe the head would ever be able to do what you're suggesting due to the head never actually touching t

Re:

[Intron]

What meds were you on at the time? I've heard the seek command used to play musical tones (shave-and-a-haircut), but I've never heard of it damaging a hard drive. When you give a seek command to the drive, it ramps the acceleration and speed that the heads move to give a smooth stop at the position that you request. There's no way you can cause an oscillation, because there is no overshoot. This might have been possible back in ST-506 days (early 80s), where the seek was done by an external controller -

Ouch

[commodoresloat]

This would have been in the mid '90s. I have been wracking my brain over finding it since then.

Wow, man, you've been wracking your brain since the mid-90s?

Hardly a new phenomenon

[g051051]

This isn't exactly a new problem...in the early days, you could fry a monitor by setting the video card to absurd refresh rates, and you could destroy hard disks by issuing bogus stepping commands to the heads and slamming them into the stops.

Works in real life too !

[garett_spencley]

The last time I "phlashed" someone in real-life I received a permanent injunction and restraining order from a very nice judge in court. I guess you can call that a permanent denial of service.

Re:

[hyperz69]

I guess your firmware didn't impress her.

Little endian

[Ilan Volow]

I bet she laughed when you phlashed your insignificant bits.

Re:

[aproposofwhat]

he was probably Little-Endian :P

Sometimes I wonder...

[bsDaemon]

Sometimes I wonder the mindset that even goes into creating something like this. I'll admit that when I was a middle-school aged kid, i thought that "computer hackers" were cool. Now, however, I just sort of wonder --

even if information wants to be free, wtf am I supposed to do with it?

"Fone Phreaking" I saw a benefit to, and its something that I took an interest in.

Trying to hijack computers and stuff -- why bother? Unless I'm doing it to be a dick to someone, just why? I can understand if mobster type

Re:Sometimes I wonder...

[trongey]

Sometimes I wonder the mindset that even goes into creating something like this. ... I can understand if mobster types are trying to do a virtual bank robbery,...

Close. It's called extortion. You do this to one of a site's machines. Then you send the demand for payment with a threat to do it to the rest of their machines. It's been happening to gambling and porn sites for years since law enforcement agencies don't usually get in a hurry to apprehend people who attack those sites. They have been using DDoS, so this would just be a bigger hammer.

Re:

[bsDaemon]

Oh, and I thought 13-14 dipshits were the only ones who called things "gay".

Sometimes old habits die hard.

Everything should have a factory reset switch

[davidwr]

I'm sorry, but every device out there should have two factory reset switches:

1 to reset user data, akin to a standard BIOS "reset to factory settings"
1 to re-flash the BIOS to the factory-installed version of the BIOS, to de-brick devices.

Furthermore, if there is anything a user can do that is designed to update the machine in a way that's irreversible without a password setting a BIOS or boot password, a hardware switch should be pressed as the information is saved. While this won't prevent social engineering, it will prevent pure software exploits from making the hardware unusable.

Re:

[Stellian]

I'm sorry, but every device out there should have two factory reset switches:

Things like easy accessible switches and backup copies of the flash cost money. Granted, they don't cost very much, but when you are talking about millions of units things add up. Since these features are useless (i.e will never be used) for 99.9% of the customers, the market forces will act to remove them.
Besides they are not really necessary if you simply engineer the old flash to accept only flashing with a digitally signed newer version. This takes a few KB of object code to implement, and will 100% bl

Magic Bullet

[John Hasler]

> "Unfortunately, there isn't a magic bullet..."

Yes there is. It's called a write-disable switch.

Nothing really new...

[moxley]

What is so new about this? That it's been given a media friendly ph-suffix name?

I think Malicious Firmware Update is better.

M.F.U. (I am sure with those initials, we could come up with a name much more compelling and befitting the situation you'd be in if this happened to you).

Anyone who has worked with even consumer grade home computers and routers and done a firmware or BIOS flash should have been aware that this is possible, with most home routers having the ability for remote management....

Now....if we

Already done in 1998

[RickRussellTX]

Wasn't this already done by the CIH (later called Chernobyl) virus [wikipedia.org], circa 1998? There was even an e-mail variant of it, based on the Loveletter worm.

This is not really new..

[mengel]

I recall a friend of mine having a little routine for TRS-80's that would:

• wait for a key press
• for decreasing n
  • turn on the tape cassete relay
  • wait n cycles
  • turn off the tape cassete relay

this would cause an increasing pitch whine, followed by a little whiff of smoke from the cassette relay.

Something about the people there always saying "there's nothing you can type on the computer that will hurt it..."

But they can't patent it because there's prior art

[jc42]

When I was at the U of Wisconsin back in the 1970s, the central campus Computer Center had a Univac system. An EE prof (or his students ;-) got circuit diagrams and did some analysis. He announced that there was a bug: If a particular (unlikely) sequence of instructions was executed, they would fry a transistor in the CPU. Rather than thanks, he got ridiculed and insulted by the Univac CS people (and a lot of people on campus). So he announced that he'd run a test. He submitted a job that included a chunk of assembly language with the sequence. The machine promptly halted and couldn't be rebooted. The CS engineers looked into it, and found that a transistor had been fried.

These days, though, I suppose that he'd probably be charged with something. The smart thing to do if you learn of such bugs is probably to not notify anyone, especially not the vendor or your employer. Instead, you quietly offer the information (for a price of course) to various "interested parties" for whatever use they'd like to make of it.

Another time, some students figured out a bug in Univac's tape drives. They found code that sent commands to spool forward and rewind with timing such that the drive did both - which snapped the tape. They were also not believed, so they demoed it. They submitted a job that asked for a scratch tape, wrote a few KB of data, and snapped the tape. Then it asked for another scratch tape. It didn't take too many tapes before the operators figured out that they should call in the CS people.

I'll bet that others here have a bunch of similar stories. And nonetheless, a future story will be the patenting of using such bugs for "PDOS" attacks. Probably by our favorite whipping boy, Microsoft, who will patent such attacks as a way of enforcing licensing restrictions or DRM.

Maybe the fellow the story is about can get the patent first ...

Re:New word overloading

[smooth wombat]

Just another reason not to use Flash or even have it installed on your system.

This is why, Flash must die! [slashdot.org]