Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Security Hardware IT

New 'Phlashing' Attack Sabotages Hardware 242

yahoi writes "A new type of denial-of-service attack, called permanent denial-of-service (PDOS), damages a system so badly that it requires replacement or reinstallation of hardware. A researcher has discovered how to abuse firmware update mechanisms with what he calls 'phlashing' — a type of remote PDOS attack."
This discussion has been archived. No new comments can be posted.

New 'Phlashing' Attack Sabotages Hardware

Comments Filter:
  • by nauseum_dot ( 1291664 ) on Tuesday May 20, 2008 @09:33AM (#23474414)
    Seriously, I work to update the equipment at work, but at home, I just really don't care a whole lot about a $30 router.
    I can't tell you the last time upgraded the bios on a motherboard. I think it was an older P3 Dell PowerEdge because I was installing Linux on it.
  • Read-only switch (Score:5, Interesting)

    by ettlz ( 639203 ) on Tuesday May 20, 2008 @09:36AM (#23474468) Journal
    ...or jumper. How much more would that cost?
  • by Silver Sloth ( 770927 ) on Tuesday May 20, 2008 @09:44AM (#23474578)
    As a targeted attack against a commercial venture any support team worth their salt will do patching as part of routine maintenance - don't we guys'n'gals? As an attack against mom and pop PCs there are so many hardware variants that any one piece of malware will have a very limited target.

    To me this looks like talking up a non existent problem - but I'm open to persuasion otherwise.
  • by Anonymous Coward on Tuesday May 20, 2008 @09:46AM (#23474610)
    We're running a small IT shop and are reflashing multiple ADSL modems per week as local ISP is giving low-cost Telewell EA-501v3 modems for free when subscribing. Those boxes are probably bought en masse some years ago and all of them have ancient firmware which causes NAT to get stuck in couple weeks uptime.
  • by MosesJones ( 55544 ) on Tuesday May 20, 2008 @09:49AM (#23474648) Homepage
    He used to be able to turn any working piece of kit into a piece of metal art in about 20 seconds, EVERYTHING was always a BIOS issue and he would NEVER check with anyone before replacing the BIOS.

    Lets be clear about how dumb this person was, he had a BIOS that worked on his test servers and would then apply that to all the other servers INDEPENDENT OF HARDWARE OR OS. He would then start the machines (which of course wouldn't start) declare them "broken" and say the issue was with the software.

    We did some low level hardware stuff in our software and it did break the boxes sometimes so it took 2 months of painful testing and debugging which found nothing, it only came about because one of the team had a heavy night and decided to "rest" in the server room and saw the moron apply the BIOS to a server that had been running and then scurry out to blame the team again.

    Basic rule after then was BIOS set to read-only and locked down with a secure password, to this day my BIOS has a password thanks to the sheer physical shock of realising how dumb some people can be.
  • Re:This is new? (Score:3, Interesting)

    by MilesAttacca ( 1016569 ) <milesattacca@gm[ ].com ['ail' in gap]> on Tuesday May 20, 2008 @09:49AM (#23474650)
    Indeed, early Commodore PETs reportedly suffered a "killer POKE []" via their BASIC.
  • Re:In Italy (Score:2, Interesting)

    by Jaysyn ( 203771 ) on Tuesday May 20, 2008 @09:58AM (#23474776) Homepage Journal
    Hell, my ISP does the same thing now. The phone support tech freaked out when I told them I was in the modem's management console. Apparently, you're not supposed to upgrade the firmware on your own.

    And no, I'm not going to tell you who my ISP is. :D
  • Hardware Virus (Score:4, Interesting)

    by Pikoro ( 844299 ) <> on Tuesday May 20, 2008 @10:01AM (#23474820) Homepage Journal
    I seem to remember a virus back in the 486 days that would cause the hard drive to sweep back and forth between extremes and would keep sweeping until it hit some "resonant frequency" of the drive heads. At that point the heads would start oscillating on the vertical, causing it to strike the platter and physically damage the hard disc.

    Anyone else remember this? I had only seen it once and have never been able to find a reference to it.

    This would have been in the mid '90s. I have been wracking my brain over finding it since then.

    Anyone else who has heard of this, reply and let me know.
  • Re:Bricking (Score:3, Interesting)

    by dreamchaser ( 49529 ) on Tuesday May 20, 2008 @10:01AM (#23474830) Homepage Journal
    Yes it is, in a sense, but at least in the case of a PC all one would need do is replace the BIOS physically. Not a very difficult fix for any tech savvy person.
  • by Anonymous Coward on Tuesday May 20, 2008 @10:10AM (#23474944)

    To me this looks like talking up a non existent problem - but I'm open to persuasion otherwise.

    What if one were able to upload firmware from device type A, a certain DVD-Writer, to device type B, a CD-ROM? I realize it isn't the best example, but wouldn't having the wrong firmware type (not just a different hacked version of the same type of drive) completely brick that hardware? From that standpoint, I don't think the firmware would have to be "targeted" per se.

    The whole idea is that you write some sonsense to the flash memory thus rendering it unusable. Writing firmware from some other device or writing just a bunch of random numbers doesn't make a difference. But yes, hardware has to be "targeted" specifically. You see, there is no unified way of accessing the flash firmware. Most motherboard manufacturers have completely different implementations from each other, optical media is also accessed very different from motherboards, not to mention the differences between different models and manufacturers and so forth...

    One could of course create a program that detects f.ex. which manufacturer's motherboard you are using and then take the necessary steps to flash the firmware but then you'd still have to create atleast a dozen different implementations.

    As for the article..this is NOTHING NEW! There has been such malware/viruses in the wild even before that could brick certain motherboards in use. The word used for such attacks has been "bricking", so why invent some new and "cool" word for it now all of a sudden?
  • source of the name (Score:5, Interesting)

    by straponego ( 521991 ) on Tuesday May 20, 2008 @10:15AM (#23475042)
    PHLASH.EXE is the name of Phoenix's BIOS upgrade tool.

    I am not making this up: less than a week ago, I woke up thinking: what to firmware, BIOS, TPM, and IPMI have in common? They'd all be great vectors for bricking a machine.

  • by Anonymous Coward on Tuesday May 20, 2008 @10:21AM (#23475142)
    If it finally costs people when their boxes get hacked, maybe they will care enough not to let their machines get hacked.
    If one botnet got taken over and the disks on that botnet's host got passwords set on them and the resulting mess got good press, the spamming industry might actually take a big hit.
  • by zappepcs ( 820751 ) on Tuesday May 20, 2008 @10:23AM (#23475180) Journal
    Survey said! bzzzzzz wrong.

    It is of interest. Think about it. If you wanted to do damage to company xyz, you social engineer the information for what PCs they are using, the CD hardware etc., routers, blah blah blah... then silently release a worm or virus that redirects them to your special webpage. brick brick brick brick until their productivity grinds to a halt.... if some get bricked for the CD, others for the motherboard, others because of routers... it matters not. What is being shown is that it is POSSIBLE to do this.

    In this day and age, shame on your for dismissing it as not possible. May your body rot next to that of the designer of the Titanic. If it can happen, it will, and probably already is. I could write a virus that is undetected, and does nothing but look for people who have a bill.gates in their address book, and upon finding one, sit patiently, wait till idle time, then delete the oldest .xls file on the hard drive. Repeat that once every rand(x) number of days. lather, rinse, repeat.

    Perhaps your virus waits till it sees acks from 40 other machines on the same LAN segment, then they all start bricking things?

    This *IS* of interest. Welcome to Tuesday.
  • Re:Hardware Virus (Score:5, Interesting)

    by Anonymous Coward on Tuesday May 20, 2008 @10:37AM (#23475388)
    I experimented with a technique (that worked) on the Commodore 64. You could address the floppy drive directly to move the drive head to the innermost position, which was on the opposite side of the "track 0" microswitch. Then you deliberately crash the CPU on the drive. When it POSTs it moves the head inward to track 0 to initialize. Since the head is on the wrong side of the switch it never gets there, makes a terrible noise, and gives up.
  • by Creepy Crawler ( 680178 ) on Tuesday May 20, 2008 @10:39AM (#23475428)
    That's the key: Reliable Enough. We dont need 100% availability, as it requires many redundant units (akin DRBD). I just have another WRT54G if this one burns out.

    Business wise: I would go higher end as time==money. Better reliability can be afforded.

    It does what I want it to do, and it does it well. And cheap.
  • Already done in 1998 (Score:5, Interesting)

    by RickRussellTX ( 755670 ) on Tuesday May 20, 2008 @10:49AM (#23475558)
    Wasn't this already done by the CIH (later called Chernobyl) virus [], circa 1998? There was even an e-mail variant of it, based on the Loveletter worm.
  • Re:This is new? (Score:3, Interesting)

    by lz2pt ( 1210056 ) on Tuesday May 20, 2008 @11:02AM (#23475812)
    God, this is going back,

    In the good old DOS PC days when 10Mb hard disks were 'big' and 'Stoned' was probably the only wild virus ever found on the lab machines..

    There was an issue wrt Stoned I think, or some other virus of the time whose name escapes me, its final action was to zap the old MFM hard disks via some low level init call, but, this wasn't fatal as we could get the info back off them with a bit of faffing, however, the first generation of those new fangled IDE disks, the same init call permanently screwed the disks.

    It killed a number of expensive large (40Mb) hard disks back then in the lab..thanks mainly to one serial offender who disabled the virus scanners on these new machines when they stopped him running infected code off floppies. (don't ask, the guy was a serious pain..)

    I also remember a fun summer spent manually repositioning the heads on a bunch of MFM drives by trial and error which had 'gone faulty' after virus infestation, turned out there was a small grub screw which worked loose on an optical interrupter on the head positioning motor shaft if the drive was particularly hammered (lots of seeks over a short period of time etc). There was an opening of the case and a lot of twiddling and adjusting whilst watching the position of the heads over the platters (not carried out in a clean, dust free environment I hasten to add). As that was one brand of HD, I doubt it was a targeted effect of a virus though, just bad design.

    My memory is vague on this, as I was more hardware design and Sun support..

  • by ChefInnocent ( 667809 ) on Tuesday May 20, 2008 @11:04AM (#23475856)

    Each time I read this, it gets easier to read the final paragraph. However, it still has at least two issues. The first is the overloading of the v with w which have different sounds. The second is that British English has about 11 non-dipthong vowels (which is really most of the issue with spelling), and the "new spelling system" (let's call it a Rechtschreibung) doesn't really address that. This of course, can also lead to the issues of sh and ch. Although if you left sh as the s symbol, you wouldn't be able to drop a letter from the keyboard. Furthermore, does Z replace th as in thin or th as in than? If it replaces both, there is not advantage to its replacement.

    Since we are inclined to speak of a Rechtschreibung, can we address issues like it's versus its? Perhaps, we can add back some of our missing pronouns (i.e. wit to mean you, I, and maybe others versus I and others, excluding you; to mean plural you). Oh, the list can go on for some time, but if we propose a Rechtschreibung, we should do it right.

  • by mengel ( 13619 ) <`mengel' `at' `'> on Tuesday May 20, 2008 @11:33AM (#23476344) Homepage Journal
    I recall a friend of mine having a little routine for TRS-80's that would:
    • wait for a key press
    • for decreasing n
      • turn on the tape cassete relay
      • wait n cycles
      • turn off the tape cassete relay
    this would cause an increasing pitch whine, followed by a little whiff of smoke from the cassette relay.

    Something about the people there always saying "there's nothing you can type on the computer that will hurt it..."

  • by element-o.p. ( 939033 ) on Tuesday May 20, 2008 @01:31PM (#23478654) Homepage
    Meh. Cisco doesn't have a lot of horsepower either, unless you want to pony up for their really big iron. If you want horsepower, buy a micro-ATX motherboard and a compact flash drive, put a really slimmed down Linux distribution on it, run IPTables to firewall your network and use Quagga to do any routing you need. You'll blow away any Cisco box you can afford, and have ten times the flexibility to boot.

    Not that comfortable with doing it yourself? Buy an []ImageStream Envoy or Transport, then. It'll cost you a little more (I think a brand new Transport is about $800, but the Envoy is a lot less), and it'll smoke any Cisco up to 3-5X the price :)
  • by Anonymous Coward on Tuesday May 20, 2008 @04:47PM (#23482146)
    I ran into a virus that did this over 15 years ago. It would sucessfully exploit a a particular bios (I'm not sure to what end) but most systems it would just brick.

    We went through several Motherboards before we realized what was going on. At with point we removed the "enable flash update" jumper from the board and were able to clean the virus out.
  • by jc42 ( 318812 ) on Tuesday May 20, 2008 @06:17PM (#23483602) Homepage Journal
    When I was at the U of Wisconsin back in the 1970s, the central campus Computer Center had a Univac system. An EE prof (or his students ;-) got circuit diagrams and did some analysis. He announced that there was a bug: If a particular (unlikely) sequence of instructions was executed, they would fry a transistor in the CPU. Rather than thanks, he got ridiculed and insulted by the Univac CS people (and a lot of people on campus). So he announced that he'd run a test. He submitted a job that included a chunk of assembly language with the sequence. The machine promptly halted and couldn't be rebooted. The CS engineers looked into it, and found that a transistor had been fried.

    These days, though, I suppose that he'd probably be charged with something. The smart thing to do if you learn of such bugs is probably to not notify anyone, especially not the vendor or your employer. Instead, you quietly offer the information (for a price of course) to various "interested parties" for whatever use they'd like to make of it.

    Another time, some students figured out a bug in Univac's tape drives. They found code that sent commands to spool forward and rewind with timing such that the drive did both - which snapped the tape. They were also not believed, so they demoed it. They submitted a job that asked for a scratch tape, wrote a few KB of data, and snapped the tape. Then it asked for another scratch tape. It didn't take too many tapes before the operators figured out that they should call in the CS people.

    I'll bet that others here have a bunch of similar stories. And nonetheless, a future story will be the patenting of using such bugs for "PDOS" attacks. Probably by our favorite whipping boy, Microsoft, who will patent such attacks as a way of enforcing licensing restrictions or DRM.

    Maybe the fellow the story is about can get the patent first ...

"No, no, I don't mind being called the smartest man in the world. I just wish it wasn't this one." -- Adrian Veidt/Ozymandias, WATCHMEN