http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/ Engadget Comments for http://www.engadget.com/media/feedlogo.gif http://www.engadget.com en-us Copyright 2012 Weblogs, Inc. The contents of this feed are available for non-commercial use only. Blogsmith http://www.blogsmith.com/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/
just keep giving them ideas!]]>May 20th 2008 6:32PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/
extending this to a router which basically accepts a TFTP'ed image isn't really a leap of brilliance (if anything its possible this wouldn't even require admin privs on the device, perhaps just some clever exploit)... I would be /very/ shocked if this type of thing hasn't already happeend..

Also, how many bits of gear out there have numerous warnings regarding the possiblity of bricking your device when you're flashing it to the newest version? Looking around my place, every single embeded device that I can upgrade the firmware has a warning about possibly destroying the device while attempting to upgrade it.


in short, I really really doubt the article here is giving anyone any ideas.


PS:
I've said it before, but I'll say it again because people just aren't listening: "Computer [network] security is a lot like sex ed." Just because people don't talk about it doesn't mean your 13 year old isn't experimenting with sex, or pwning some router...
]]>May 21st 2008 2:13AMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 6:31PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 7:27PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 11:54PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.hackaday.com/2008/05/20/phlashing-denial-of-service-attack-the-new-hype/]]>May 21st 2008 2:49AMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 6:33PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 6:34PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 7:09PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 6:40PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/
You have to take a reboot to update this anyway, which brings the switch down for several minutes anyway, usually a scheduled outage or what many people will do is load the new image, mark it as the boot image, and whenever the next outage occurs, it will reboot with the new code automatically. This is fearmongering for press.]]>May 20th 2008 6:45PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 6:37PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/
High end switches with encryption have O/S images in the 70-100meg range. It can take all night to upload an O/S at 9600 baud this way. Of course if it times out at any point in either O/S or Boot loader upload, you get to start all over again. Either way, it will bring that network down for a while, but not cause any sort of permanent damage to the hardware.]]>May 20th 2008 6:51PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/
However, once they get into the system, rather than corrupting the whole thing when it could be recovered, why not find a way to push the servers to the limits by overloading their CPU's. I'm sure that the immense heat generated would eventually kill the electronics. This, however, is probably a stupid idea since servers generally have manual fail-safes if the temperature gets higher than the normal operating temperature.

Why not simply disable the remote firmware update feature? This may seem like an obvious idea, but, again, I'm not very learned in the ways of server farms.]]>May 20th 2008 9:20PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 21st 2008 12:14AMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/
I'd imagine only some highly secure hardware fits into this category (where disassembly leads to destruction).]]>May 20th 2008 6:38PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 6:41PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 11:58PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 6:41PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/
Also - that is one of the worst cabling jobs I have seen for so dense a modern environment.]]>May 20th 2008 6:41PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 7:19PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 8:26PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 6:41PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/
With BIOS's on many computers, you can adjust various component voltages & frequencies. I suppose a harmful hack could possibly adjust the values enough to cause hardware damage by overheating components.
]]>May 20th 2008 6:42PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/
Whatever works for them......]]>May 20th 2008 6:45PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 8:34PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/
Even thinking of the numbers is mind numbing.]]>May 20th 2008 9:34PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/
"OMG guyz. I was phlashing so f*ing hard last night. There was magic blue smoke coming out my ears and I just couldn't put it back in."

People do this sort of thing by accident all the time, so why hasn't this come up before? Start up even a normal firmware upgrade and then force a power off state and you're done. Your only option is to pull the BIOS/ROM chip out and overwrite it. That would make it an easy fix so long as this custom firmware didn't force the hardware to crank up the volts and fry something.]]>May 20th 2008 6:45PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/
Basically some hacker could get the server to do a firmware upgrade from outside the network and tell it to use a firmware that is made not to work.]]>May 20th 2008 6:45PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/
meant to answer Peter up there]]>May 20th 2008 6:49PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 6:49PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 7:05PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 8:35PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/
Most organizations don't even need to have that level of security. And those that do can afford dedicated teams of security specialists that focus on nothign but security. But expecting every adming from 10 users to 10,000 to have everything accounted for is ridiculous.

Now concerning the point at hand, this vulnerability, in many cases, will probably not be preventable (other than having good external security in the first place). Much of the hardware this applies to cannot have this option disabled. The only fix will probably be to purchase new hardware with this fix in mind. Although some of the devices could probably be fixed in much they way that they can be exploited...updated firmware that authenticates the updater somehow.]]>May 20th 2008 8:55PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 7:30PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 8:16PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 8:17PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 8:43PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 20th 2008 9:28PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 21st 2008 12:38AMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 21st 2008 1:20AMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/]]>May 21st 2008 1:21AMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/
7 out of the 8 routers are also broadcasting their SSID as well as using whimpy WEP protection (if you haven't guessed already, I am #8 using WPA2 with AES/TKIP protection and not broadcasting my SSID). Not that this is unbreakable, but I really doubt someone is going to take the time to overthrow all of that and spoof their MAC address.]]>May 21st 2008 1:57AMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/
I run WEP as it is easier for me to setup my wireless devices (and some devices do not even support WPA2- such as media extenders, phones, IP webcams, etc.) and this will probably stop 99% of the 'casual hackers' around my house. If someone in other 1% moves into my neighborhood I would be better off disabling wireless and running a few more CAT5 drops..]]>May 22nd 2008 6:52PMhttp://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/http://www.engadget.com/2008/05/20/phlashing-pdos-firmware-attack-could-permanently-disable-hardwar/May 21st 2008 3:41AM