Phlashing PDOS firmware attack could permanently disable hardware
by Joshua Fruhlinger 
posted May 20th 2008 at 6:24PM
You know all that network hardware that runs quietly 24 hours a day in server rooms around the world? What if black-hats could exploit remote firmware flashing utilities to take over -- or completely destroy -- vulnerable gear? Though still theoretical, PDOS -- permanent denial-of-service -- attacks will be demonstrated by researchers from HP Security Labs at the EUSecWest security conference in London this week. "Phlashing", as it's being referred to, focuses on exploiting network-enabled firmware updates, making use of a fuzzing tool that tricks hardware into flashing anything from back-door access to a corrupt image, causing complete and permanent hardware failure. There's no reason to panic just yet (especially not when it comes to consumer devices, which typically don't support remote firmware updates), but given the amount of unattended and relatively dormant enterprise network hardware out there, this could be something for admins to seriously think about.[Via Slashdot]
Filed under: Misc. Gadgets, Networking
Reader Comments (Page 1 of 1)
dro @ May 20th 2008 6:32PM
great!
just keep giving them ideas!
RijilV @ May 21st 2008 2:13AM
what are you talking about? this is hardly news, 'bricking' devices by writing bad info to their flash/bios/whatever is something people have been doing for years. ever hear of a program called bioswriter? I remember some cats I news who were all into this type of thing. They could destroy a few parts of a computer, the BIOS, typically the NIC, sometimes a few other bits of gear...
extending this to a router which basically accepts a TFTP'ed image isn't really a leap of brilliance (if anything its possible this wouldn't even require admin privs on the device, perhaps just some clever exploit)... I would be /very/ shocked if this type of thing hasn't already happeend..
Also, how many bits of gear out there have numerous warnings regarding the possiblity of bricking your device when you're flashing it to the newest version? Looking around my place, every single embeded device that I can upgrade the firmware has a warning about possibly destroying the device while attempting to upgrade it.
in short, I really really doubt the article here is giving anyone any ideas.
PS:
I've said it before, but I'll say it again because people just aren't listening: "Computer [network] security is a lot like sex ed." Just because people don't talk about it doesn't mean your 13 year old isn't experimenting with sex, or pwning some router...
Alexander @ May 20th 2008 6:31PM
I'm just glad some hacker didn't realize this first...
Flashpoint @ May 20th 2008 7:27PM
I'm using a server at my office to serve Crysis. They'll never find out - and if they do, I'll blame the hackers.
linuxamp @ May 20th 2008 11:54PM
Who says they didn't. The symptoms probably look like a hardware failure.
Eliot @ May 21st 2008 2:49AM
This attack is hype
http://www.hackaday.com/2008/05/20/phlashing-denial-of-service-attack-the-new-hype/
joe @ May 20th 2008 6:33PM
this is good to get you thinking and asking, does my ISP or Business use a closed network system or open remote admin network...?
waiownsyou @ May 20th 2008 6:34PM
Shit, this is Skynet all over again.
ethana2 @ May 20th 2008 7:09PM
....except backwards.
sheikhness @ May 20th 2008 6:40PM
well, most of the networking gear I worked with had a bootloader factory-burned on non-volatile ROM. I'm not a hardware engineer, but I am pretty sure since its called non-volatile is exactly what it is and it cannot be written on or changed in any way.
Neal @ May 20th 2008 6:45PM
Bootloader is basically the BIOS for the switch, it gets it up and running at a very low, basic level. You shouldn't ever (or VERY rarely need to update the bootloader). The firmware, is basically the O/S that runs on the switch - this is updated often by the manufacturer to release new features, bugfixes, enable use with newer componants, etc.
You have to take a reboot to update this anyway, which brings the switch down for several minutes anyway, usually a scheduled outage or what many people will do is load the new image, mark it as the boot image, and whenever the next outage occurs, it will reboot with the new code automatically. This is fearmongering for press.
Peter @ May 20th 2008 6:37PM
i dont know alot about computers/servers so can anyone explain(as simple as possible) to me how hacking can cause permanent hardware damage?
Neal @ May 20th 2008 6:51PM
If you totally brick a switch, it can still be recovered. VERY rarely can you do something to it, even on purpose, that will totally incapacitate it. Even if you nuke the boot loader, you can recover it. It sucks, but you can do it. You have to have physical access to the device and a Serial console cable, which connects at 9600 baud. Then you have to upload the replacement boot loader, which can take 15 minutes to an hour depending on the size and complexity of the boot loader (and hence the switch as well). After than you have to restore the O/S image the same way.
High end switches with encryption have O/S images in the 70-100meg range. It can take all night to upload an O/S at 9600 baud this way. Of course if it times out at any point in either O/S or Boot loader upload, you get to start all over again. Either way, it will bring that network down for a while, but not cause any sort of permanent damage to the hardware.
Mike10010100 @ May 20th 2008 9:20PM
However, that kinda keeps with the whole hacker theme: annoying, destructive, life ruining, but no physical damage to the hardware itself.
However, once they get into the system, rather than corrupting the whole thing when it could be recovered, why not find a way to push the servers to the limits by overloading their CPU's. I'm sure that the immense heat generated would eventually kill the electronics. This, however, is probably a stupid idea since servers generally have manual fail-safes if the temperature gets higher than the normal operating temperature.
Why not simply disable the remote firmware update feature? This may seem like an obvious idea, but, again, I'm not very learned in the ways of server farms.
Joel @ May 21st 2008 12:14AM
I don't know if most people realize this, but virtually all HP servers in the past 5 years have had remote firmware flashing capabilities. I would imagine Dell, IBM, and Sun, do as well (As they ussually try to compete in features). That means a new firmware update comes out, it can be pushed to all servers while they are live. We do it at my job all the time. The thing about Firmware flashes is that if they go bad and you get a corrupt flash, the server won't boot. If the system can't boot you can't overwrite the firmware with a working version, so in the end you end up doing a warranty swap on the system board. Well If someone could exploit that to intentionally corrupt the bios on a server, then it would be bad news. It's no wonder HP is taking the lead on researching it.
Carl M @ May 20th 2008 6:38PM
How much equipment is there that, once "bricked", cannot be revived by reflashing it with external hardware?
I'd imagine only some highly secure hardware fits into this category (where disassembly leads to destruction).
Dustin @ May 20th 2008 6:41PM
No disassemble Johnny 5!!!!!
linuxamp @ May 20th 2008 11:58PM
Good point, many devices have removable components so bricking the device will only require replacing a single eeprom chip.
pball_inuyaha @ May 20th 2008 6:41PM
sounds interesting. I wonder if they put those chips they have in some phones that can be flashed to even if you brick it the first time, would you be able to fix it after someone "Phlashed" it.
neal @ May 20th 2008 6:41PM
Good thing no one with half a brain enables http on any switches or routers, or enables "update remotely anytime" on any device they give a care about. If someone has admin access to the switch in order to manually do this, they can wreck it without needing to flash the firmware...
Also - that is one of the worst cabling jobs I have seen for so dense a modern environment.
Stollie @ May 20th 2008 7:19PM
Then you haven't seen the cabling in our environment.....
Reid @ May 20th 2008 8:26PM
You lose. That's actually a pretty clean cabling job. Color-coded, velcro-tied, etc. I've seen orders of magnitude worse, and, frankly, struggle to do much better than this myself, even given ideal circumstances.
retro77 @ May 20th 2008 6:41PM
Thats why you institute good security measures to protect your "management" VLAN. Stuff like no access to the internet, no access in from other VLANs at all.
Carl M @ May 20th 2008 6:42PM
Actually, I just thought of an answer for Peter & I.
With BIOS's on many computers, you can adjust various component voltages & frequencies. I suppose a harmful hack could possibly adjust the values enough to cause hardware damage by overheating components.
LC @ May 20th 2008 6:45PM
Or, the hacker could break into the servers physical location and physically hack the server to bits with an axe.
Whatever works for them......
andres @ May 20th 2008 8:34PM
Not if the servers break into your house first.
Jenny @ May 20th 2008 9:34PM
Because that'd be time efficient. Do you have any idea how many servers there are out there, and how much power they use? (Plus the power to air condition them?)
Even thinking of the numbers is mind numbing.
BigD145 @ May 20th 2008 6:45PM
Phlashing? Is it related to cheezing?
"OMG guyz. I was phlashing so f*ing hard last night. There was magic blue smoke coming out my ears and I just couldn't put it back in."
People do this sort of thing by accident all the time, so why hasn't this come up before? Start up even a normal firmware upgrade and then force a power off state and you're done. Your only option is to pull the BIOS/ROM chip out and overwrite it. That would make it an easy fix so long as this custom firmware didn't force the hardware to crank up the volts and fry something.
pball_inuyaha @ May 20th 2008 6:45PM
First do you know what flashing is? Well that is updating a chip in the harware and if that is erased or flashed incorectly you can brick the hardware. I'm not an expert but I know most things can't be fixed easily once bricked unless they have special chips like some cell phones I've read about.
Basically some hacker could get the server to do a firmware upgrade from outside the network and tell it to use a firmware that is made not to work.
pball_inuyaha @ May 20th 2008 6:49PM
Stupid reply
meant to answer Peter up there
Aaron @ May 20th 2008 6:49PM
This would be a good trojan or virus to install on Windows PCs serving the content. Since most routers are configured NOT to accept firmware upgrades from the WAN, if you can get the virus on the computers on the LAN, it could cause some real havoc...
thehumanyawn @ May 20th 2008 7:05PM
An Admin is not doing their job if they haven't plugged all known and (no matter how much of a longshot) potential security holes.
andres @ May 20th 2008 8:35PM
i dont think admins are allowed to cover all the computers in that black epoxy crap.
Kamokazi @ May 20th 2008 8:55PM
Then you can probably claim virtually every admin in the world is not doing their job. That's an extremely unreasonable expectation. The admin should be expected to take necessary precautions and be mindful of their networks from a security standpoint, but expecting every single hole to be plugged is absurd.
Most organizations don't even need to have that level of security. And those that do can afford dedicated teams of security specialists that focus on nothign but security. But expecting every adming from 10 users to 10,000 to have everything accounted for is ridiculous.
Now concerning the point at hand, this vulnerability, in many cases, will probably not be preventable (other than having good external security in the first place). Much of the hardware this applies to cannot have this option disabled. The only fix will probably be to purchase new hardware with this fix in mind. Although some of the devices could probably be fixed in much they way that they can be exploited...updated firmware that authenticates the updater somehow.
kastonie @ May 20th 2008 7:30PM
the firestorm has begun
barry99705 @ May 20th 2008 8:16PM
"You know all that network hardware that runs quietly 24 hours a day in server rooms around the world?" No, no I don't know any quiet network hardware running in server rooms. Please point me to some. The last network room I was in was so damn loud I could barely think. The server room was worse.
Craig M. @ May 20th 2008 8:17PM
This reminds me kind of like when PSPs and iPhones become "bricked." However, they are still fixable.
John @ May 20th 2008 8:43PM
I'm waiting for this to be showen. and for a hacker to create a file, i would download it, send it to the IT department to open, then they're fucked.
Aroura Gate @ May 20th 2008 9:28PM
OH SHIT
Lysia @ May 21st 2008 12:38AM
The real issue is less long-term than the view most of you are looking at this with. If you could bring down a network this way, even if just until the bricked hardware is replaced, you could do heaven knows what in the meantime. Knock out some credit card authentication servers, or transportation controllers, etc...
Joe Anstine @ May 21st 2008 1:20AM
Isn't that picture from the move "Hackers" ?
Joe Anstine @ May 21st 2008 1:21AM
movie*
Tony Rayo @ May 21st 2008 1:57AM
I am able to access about 4 Linksys home routers remote login screens (out of the 8 that are normally online, and I don't even have an antenna booster or anything, just an internal wireless b/g/n chip) from within the 2nd story of my suburban home. So not only could I mooch their internet (although I'm sure they all have the same regular Comcast package like I do), but I could easily damage their hardware.
7 out of the 8 routers are also broadcasting their SSID as well as using whimpy WEP protection (if you haven't guessed already, I am #8 using WPA2 with AES/TKIP protection and not broadcasting my SSID). Not that this is unbreakable, but I really doubt someone is going to take the time to overthrow all of that and spoof their MAC address.
Broo @ May 22nd 2008 6:52PM
Actually I doubt most people would even try to hack a 'wimpy WEP' protection unless they are actually looking to get onto your specific network- and hacking into a network just to kill a network device seems pretty dull and boring...
I run WEP as it is easier for me to setup my wireless devices (and some devices do not even support WPA2- such as media extenders, phones, IP webcams, etc.) and this will probably stop 99% of the 'casual hackers' around my house. If someone in other 1% moves into my neighborhood I would be better off disabling wireless and running a few more CAT5 drops..
loosely_coupled @ May 21st 2008 3:41AM
Shouldn't they be more concerned with people loading up custom firmware images that DON'T take down the router? Seriously, how hard would it be to write some customer software that records sensitive data and sends it to another party. Perfect for international espionage *cough* China *cough*.