Phlashing denial of service attack, the new hype

posted May 20th 2008 4:15pm by Eliot Phillips
filed under: news

Imagine how surprised we were to discover that by accidentally bricking our router we were executing a brand new attack: Phlashing Denial Of Service (PDOS). This week at EUSecWest, researcher [Rich Smith] will present the theoretical PDOS attack. Instead of taking over control of an embedded system, the attacker turns it into a nonfunctioning brick by flashing it with a broken firmware. Anyone who has flashed a device knows the danger of interrupting the procedure.

Embedded systems, like wireless routers, network cameras, and printers require remote access to be upgraded. This could be over the network or just a USB cable. Unfortunately most devices go unpatched because of this lack of easy access. The upgrade procedure can be very insecure too. The last time we flashed a custom firmware on our La Fonera we had to set up a TFTP server for it to download the firmware from. The TFTP protocol has no authentication, so anyone could pose as the server and offer a bad firmware for download. Many embedded system upgrade tools use TFTP because of its ease of implementation and low hardware overhead.

The PDOS attack hasn’t been seen in the wild and we don’t expect to. Malware is a business and destroying hardware doesn’t seem to have much income potential. The article presents this as an alternative to maintaining a botnet to perform a DDOS. With a DDOS, you deny the service, ask for ransom, and return service when they pay. With PDOS, you threaten to deny their service, they don’t pay, and then you destroy their equipment and get nothing. We agree with [HD Moore] that a more successful attack would be installing your own custom firmware that gives you full control of the system and full access to the network to do as you please.

Outside of griefing, the PDOS attack is not a threat. In any case, firmware upgrade procedures for embedded devices need to be improved.

[via /.]

Read

Comments [9]

tagged: ddos, embedded, embeddedsystem, firmware, fon, fonera, lafonera, pdos, router, slashdot, tftp

Reader Comments

Well this is pretty handy attack if, your not thinking commercially. If say my goal is to ruin your ability to operate on the internet and I can brick all your edge routers, I’d say it works for me. Not everything has a direct profit motive.

Posted at 4:46 pm on May 20th, 2008 by Jesse Krembs

I’ve cringed at viruses that go after your BIOS, but this is just too cool. Also, since when does this not pose a threat? Correct me if I’m wrong, wouldn’t complete control over the firmware offer you complete control of a device’s behavior? You could peer around encryption, route packets, selectively deny access around a network, and so much more.

Posted at 4:57 pm on May 20th, 2008 by Solenoidclock

Seems like a good way to spread chaos with relatively little effort or risk. Just develop the software infrastructure — and relatively small hardware infrastructure — to scan for unsecured devices and brick them. I wonder how many police surveillance cameras can be remotely flashed, for example?

Posted at 5:34 pm on May 20th, 2008 by Mike Stiber

You are my competition. I destroy your web presence. I make more money by being the only one up and running.

There’s your profit motive.

(Or in Lol: Ur mah competizion. I has set u up the bomb. Lol.)

Posted at 7:48 pm on May 20th, 2008 by cde

been there done that unintentionally almost owed the compsci department a new router dident ask how much it would have cost me. having said that, its really not all to hard to unbrick routers.

Posted at 8:33 pm on May 20th, 2008 by cokebottle

Hmm say you were to crack “someone’s” wep/wpa AP if it’s wireless and if it wasnt already unproteced,
log in to there router strat a firmware upgrade and turn off there power half way through would that work the same way ?

Posted at 5:41 am on May 21st, 2008 by phnoty

phnoty:

more reliably, you could take the origional firmware, hex edit it a bit, then flash it on normally.

Me and an admin were thinking about doing this to a rouge DHCP on his network, but decided it was too evil, and just changed its settings, and password, then turned off the port it was connected too.

Posted at 9:57 am on May 21st, 2008 by Wolf

Nice, now it has a name. This can also be done via CSRF to popular ISP provided home routers, home users cant bring a router back to life.

Posted at 1:23 pm on May 21st, 2008 by hkm

Robert Graham talked about this very thing.
http://erratasec.blogspot.com/2008/01/hacking-flash-memory.html

Posted at 3:18 pm on May 21st, 2008 by beakmyn

Phlashing denial of service attack, the new hype

Recent Posts

Reader Comments

Leave a Reply

hacks

resources

rss newsfeeds

Most Commented On (30 days)

Recent Comments