Phlashing denial of service attack, the new hype

Posted May 20th 2008 4:15PM by Eliot Phillips
Filed under: news

Imagine how surprised we were to discover that by accidentally bricking our router we were executing a brand new attack: Phlashing Denial Of Service (PDOS). This week at EUSecWest, researcher [Rich Smith] will present the theoretical PDOS attack. Instead of taking over control of an embedded system, the attacker turns it into a nonfunctioning brick by flashing it with a broken firmware. Anyone who has flashed a device knows the danger of interrupting the procedure.

Embedded systems, like wireless routers, network cameras, and printers require remote access to be upgraded. This could be over the network or just a USB cable. Unfortunately most devices go unpatched because of this lack of easy access. The upgrade procedure can be very insecure too. The last time we flashed a custom firmware on our La Fonera we had to set up a TFTP server for it to download the firmware from. The TFTP protocol has no authentication, so anyone could pose as the server and offer a bad firmware for download. Many embedded system upgrade tools use TFTP because of its ease of implementation and low hardware overhead.

The PDOS attack hasn't been seen in the wild and we don't expect to. Malware is a business and destroying hardware doesn't seem to have much income potential. The article presents this as an alternative to maintaining a botnet to perform a DDOS. With a DDOS, you deny the service, ask for ransom, and return service when they pay. With PDOS, you threaten to deny their service, they don't pay, and then you destroy their equipment and get nothing. We agree with [HD Moore] that a more successful attack would be installing your own custom firmware that gives you full control of the system and full access to the network to do as you please.

Outside of griefing, the PDOS attack is not a threat. In any case, firmware upgrade procedures for embedded devices need to be improved.

[via /.]

Reader Comments

(Page 1)

1. I've cringed at viruses that go after your BIOS, but this is just too cool. Also, since when does this not pose a threat? Correct me if I'm wrong, wouldn't complete control over the firmware offer you complete control of a device's behavior? You could peer around encryption, route packets, selectively deny access around a network, and so much more.

Posted at 4:57PM on May 20th 2008 by Solenoidclock

2. Well this is pretty handy attack if, your not thinking commercially. If say my goal is to ruin your ability to operate on the internet and I can brick all your edge routers, I'd say it works for me. Not everything has a direct profit motive.

Posted at 5:01PM on May 20th 2008 by Jesse Krembs

3. been there done that unintentionally almost owed the compsci department a new router dident ask how much it would have cost me. having said that, its really not all to hard to unbrick routers.

Posted at 8:33PM on May 20th 2008 by cokebottle

4. You are my competition. I destroy your web presence. I make more money by being the only one up and running.

There's your profit motive.

(Or in Lol: Ur mah competizion. I has set u up the bomb. Lol.)

Posted at 1:09AM on May 21st 2008 by cde

5. Hmm say you were to crack "someone's" wep/wpa AP if it's wireless and if it wasnt already unproteced,
log in to there router strat a firmware upgrade and turn off there power half way through would that work the same way ?

Posted at 6:18AM on May 21st 2008 by phnoty

6. phnoty:

more reliably, you could take the origional firmware, hex edit it a bit, then flash it on normally.

Me and an admin were thinking about doing this to a rouge DHCP on his network, but decided it was too evil, and just changed its settings, and password, then turned off the port it was connected too.

Posted at 9:58AM on May 21st 2008 by Wolf

7. Nice, now it has a name. This can also be done via CSRF to popular ISP provided home routers, home users cant bring a router back to life.

Posted at 3:41PM on May 21st 2008 by hkm

8. Robert Graham talked about this very thing.
http://erratasec.blogspot.com/2008/01/hacking-flash-memory.html

Posted at 11:18AM on May 22nd 2008 by beakmyn

9. Seems like a good way to spread chaos with relatively little effort or risk. Just develop the software infrastructure -- and relatively small hardware infrastructure -- to scan for unsecured devices and brick them. I wonder how many police surveillance cameras can be remotely flashed, for example?

Posted at 9:01PM on May 27th 2008 by Mike Stiber

Add your comments

Please keep your comments relevant to this blog entry: inappropriate or purely promotional comments may be removed. Email addresses are never displayed, but they are required to confirm your comments. To create a live link, simply type the URL (including http://) or email address and we will make it a live link for you. You can put up to 3 URLs in your comments. Line breaks and paragraphs are automatically converted — no need to use <p> or <br> tags.