New 'Phlashing' Attack Sabotages Hardware

yahoi writes "A new type of denial-of-service attack, called permanent denial-of-service (PDOS), damages a system so badly that it requires replacement or reinstallation of hardware. A researcher has discovered how to abuse firmware update mechanisms with what he calls 'phlashing' — a type of remote PDOS attack."

Pharphetched naming

[Anonymous Coward]

I'm sick of this naming phad.

thank you for another buzzword

[mambosauce]

interesting research, but we should browbeat the research for calling it phlashing

Re:I had no clue people still upgraded firmwares.

[Kingrames]

Well, you probably wouldn't value a $30 router unless you were using it at the time.

I can easily see this being an issue, if perhaps, someone attacked your router and destroyed it in the middle of a counter-strike match or a WoW arena matchup, for example.

How is the mechanism exploited?

[Coopjust]

Is it possible to exploit firmware from the outside, unless the person has enabled remote management and is using the default password?

Those two rarely go hand in hand.

However, I think we'll see a lot of trojans with firmware payloads. How many people use the WRT54G? And how many access points are unsecured with the name "linksys"? Those people probably didn't change their admin password.

Simple solution: Hardware button. You have to press it to flash the router, and you have a minute after you press it to upload the firmware. Should be an easy thing to do and provide a great amount of protection.

Re:thank you for another buzzword

[SargentDU]

I agree! phlashing sounds like flashing! Stupid to use something that is phonically identical for different outcomes.

This is new?

[Timothy Brownawell]

I'm pretty sure I remember stories about viruses that could destroy hardware, by doing things like making the drives seek in "funny" ways (past the edge of the disc or something?) or driving wired-together pins to opposite voltages. Those sound *really* permanent, where a bad flash can be fixed by anyone with the proper equipment (JTAG programmer) unless it does that same sort of thing.

Re:How is the mechanism exploited?

[kalirion]

Why would flashing even be allowed through remote management? My router comes with instructions to not even risk flashing through a wireless LAN connection, much less the whole big world wide net.

Re:Pharphetched naming

[mweather]

I think it's a bit more than a fad if it's been going on 40+ years.

Re:Bricking

[Linker3000]

Not a very difficult fix for any tech savvy person with surface mount device reworking equipment - or a soldering iron, a steady hand and a great deal of faith in their ability (or practical experience) to rework SMDs with the wrong kit.

FTFY

Everything should have a factory reset switch

[davidwr]

I'm sorry, but every device out there should have two factory reset switches:

1 to reset user data, akin to a standard BIOS "reset to factory settings"
1 to re-flash the BIOS to the factory-installed version of the BIOS, to de-brick devices.

Furthermore, if there is anything a user can do that is designed to update the machine in a way that's irreversible without a password setting a BIOS or boot password, a hardware switch should be pressed as the information is saved. While this won't prevent social engineering, it will prevent pure software exploits from making the hardware unusable.

Magic Bullet

[John Hasler]

> "Unfortunately, there isn't a magic bullet..."

Yes there is. It's called a write-disable switch.

Re:Hardware Virus

[Captain Spam]

I heard of viruses like those back in that time frame, too. Though when I heard of them, they were reported as spinning the hard drive heads so fast that they overheated and warped.

But in the end, I think those were all just email hoaxes. Ah, those were the good ol' days, when hoax emails were pranks like those and not phishing scams. Now I'm all nostaligic. :-)

All things considered, though, I don't believe the head would ever be able to do what you're suggesting due to the head never actually touching the platters and there not being enough power in the head's servo motor to cause enough destabilization to the mechanics. Similarly, the overheat story wouldn't be possible, either, unless it was an exceptionally poorly-made drive which suffered overheat problems anyway.

Still, THAT would be an effective DoS tool. :-)

Re:Bricking

[jonadab]

Not very difficult *if* you have the replacement part, with a good BIOS on it. Which is probably only available bundled on another motherboard of exactly the same model and revision...

Re:I used to work with a Sys Admin like that

[Kjella]

The really clueless are often too afraid to break it to do anything dangerous. It's the semi-skilled people that are really dangerous, just enough to know such things as to flash a BIOS yet completely oblivious to any problems that might cause. They're the kind that'll disable the anti-virus and firewall if you let them, because it blocks whatever important thing they're doing. If anyone ever feels the need to utter "Trust me, I know what I'm doing" it's time to duck and take cover.

Re:Read-only switch

[marxmarv]

About two cents in quantity, plus a penny to drill the hole and stuff the part. Plus six or seven cents for the AND gate on the write line. Times several million.

Re:Everything should have a factory reset switch

[Stellian]

I'm sorry, but every device out there should have two factory reset switches:

Things like easy accessible switches and backup copies of the flash cost money. Granted, they don't cost very much, but when you are talking about millions of units things add up. Since these features are useless (i.e will never be used) for 99.9% of the customers, the market forces will act to remove them.
Besides they are not really necessary if you simply engineer the old flash to accept only flashing with a digitally signed newer version. This takes a few KB of object code to implement, and will 100% block any type of software bricking, as long as the private key is secured by the manufacturer. Yes, I'd rather buy a locked down piece of hardware - that I'm not planing to run Linux on - instead of a 0.5$ more expensive or less secure, but open alternative.