Phlashing denial of service attack, the new hype


Imagine how surprised we were to discover that by accidentally bricking our router we were executing a brand new attack: Phlashing Denial Of Service (PDOS). This week at EUSecWest, researcher [Rich Smith] will present the theoretical PDOS attack. Instead of taking over control of an embedded system, the attacker turns it into a nonfunctioning brick by flashing it with a broken firmware. Anyone who has flashed a device knows the danger of interrupting the procedure.

Embedded systems, like wireless routers, network cameras, and printers require remote access to be upgraded. This could be over the network or just a USB cable. Unfortunately most devices go unpatched because of this lack of easy access. The upgrade procedure can be very insecure too. The last time we flashed a custom firmware on our La Fonera we had to set up a TFTP server for it to download the firmware from. The TFTP protocol has no authentication, so anyone could pose as the server and offer a bad firmware for download. Many embedded system upgrade tools use TFTP because of its ease of implementation and low hardware overhead.

The PDOS attack hasn’t been seen in the wild and we don’t expect to. Malware is a business and destroying hardware doesn’t seem to have much income potential. The article presents this as an alternative to maintaining a botnet to perform a DDOS. With a DDOS, you deny the service, ask for ransom, and return service when they pay. With PDOS, you threaten to deny their service, they don’t pay, and then you destroy their equipment and get nothing. We agree with [HD Moore] that a more successful attack would be installing your own custom firmware that gives you full control of the system and full access to the network to do as you please.

Outside of griefing, the PDOS attack is not a threat. In any case, firmware upgrade procedures for embedded devices need to be improved.

[via /.]

Comments

  1. Jesse Krembs says:

    Well this is pretty handy attack if, your not thinking commercially. If say my goal is to ruin your ability to operate on the internet and I can brick all your edge routers, I’d say it works for me. Not everything has a direct profit motive.

  2. I’ve cringed at viruses that go after your BIOS, but this is just too cool. Also, since when does this not pose a threat? Correct me if I’m wrong, wouldn’t complete control over the firmware offer you complete control of a device’s behavior? You could peer around encryption, route packets, selectively deny access around a network, and so much more.

  3. Mike Stiber says:

    Seems like a good way to spread chaos with relatively little effort or risk. Just develop the software infrastructure — and relatively small hardware infrastructure — to scan for unsecured devices and brick them. I wonder how many police surveillance cameras can be remotely flashed, for example?

  4. cde says:

    You are my competition. I destroy your web presence. I make more money by being the only one up and running.

    There’s your profit motive.

    (Or in Lol: Ur mah competizion. I has set u up the bomb. Lol.)

  5. cokebottle says:

    been there done that unintentionally almost owed the compsci department a new router dident ask how much it would have cost me. having said that, its really not all to hard to unbrick routers.

  6. phnoty says:

    Hmm say you were to crack “someone’s” wep/wpa AP if it’s wireless and if it wasnt already unproteced,
    log in to there router strat a firmware upgrade and turn off there power half way through would that work the same way ?

  7. Wolf says:

    phnoty:

    more reliably, you could take the origional firmware, hex edit it a bit, then flash it on normally.

    Me and an admin were thinking about doing this to a rouge DHCP on his network, but decided it was too evil, and just changed its settings, and password, then turned off the port it was connected too.

  8. hkm says:

    Nice, now it has a name. This can also be done via CSRF to popular ISP provided home routers, home users cant bring a router back to life.

  9. beakmyn says:

    Robert Graham talked about this very thing.
    http://erratasec.blogspot.com/2008/01/hacking-flash-memory.html

  10. services says:

    I never heard about PDOS attack before, thanks for sharing..

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 94,571 other followers