New 'Phlashing' Attack Sabotages Hardware
yahoi writes "A new type of denial-of-service attack, called permanent denial-of-service (PDOS), damages a system so badly that it requires replacement or reinstallation of hardware. A researcher has discovered how to abuse firmware update mechanisms with what he calls 'phlashing' — a type of remote PDOS attack."
I'm sick of this naming phad.
Seriously, I work to update the equipment at work, but at home, I just really don't care a whole lot about a $30 router.
I can't tell you the last time I upgraded the BIOS on a motherboard. I think it was an older P3 Dell PowerEdge because I was installing Linux on it.
Crap! I just kissed my karma good-bye.
...or jumper. How much more would that cost?
FINALLY! *This* is bricking
interesting research, but we should browbeat the research for calling it phlashing
In Italy a big ISP gave ADSL modems with default password and active administrator wan access...
Is it possible to exploit firmware from the outside, unless the person has enabled remote management and is using the default password?
Those two rarely go hand in hand.
However, I think we'll see a lot of trojans with firmware payloads. How many people use the WRT54G? And how many access points are unsecured with the name "linksys"? Those people probably didn't change their admin password.
Simple solution: Hardware button. You have to press it to flash the router, and you have a minute after you press it to upload the firmware. Should be an easy thing to do and provide a great amount of protection.
For those wondering why you would need to separate types of phishing sites, according to Netcraft (and yes, Netcraft said they are increasing)
Phlashing? And he calls his demo code PhlashDance? Good way to make this seem completely silly. "Damn it, we've been phlashdanced!" That'll really get management to up your security budget, if they ever stop laughing.
It figures that when "bricking" might be remotely appropriate, they pick something worse.
It could have been remote bricking, BOIP(brick over IP), brick-and-run, packet bricking, warbricking.
Even brick-o-gram(landshark).
Sigh...
As a targeted attack against a commercial venture any support team worth their salt will do patching as part of routine maintenance - don't we guys'n'gals? As an attack against mom and pop PCs there are so many hardware variants that any one piece of malware will have a very limited target.
To me this looks like talking up a non existent problem - but I'm open to persuasion otherwise.
init 11 - for when you need that edge.
I'm pretty sure I remember stories about viruses that could destroy hardware, by doing things like making the drives seek in "funny" ways (past the edge of the disc or something?) or driving wired-together pins to opposite voltages. Those sound *really* permanent, where a bad flash can be fixed by anyone with the proper equipment (JTAG programmer) unless it does that same sort of thing.
The link does not tell us how to attack and render all computers in [insert your favorite evil company here AAPL,MSFT,GOOG]. Just some research guy jaw boning what could be done. So technically there is nothing worthwhile for the slashdot crowd.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Dear Sir, I am the former son of the Nigerian dictator Sonni Abacha. I would like to give you several million dollars. To receive this, please add a static IP to your D-Link router and reboot it.
If you haven't made a developer cry, you've wasted a day.
He used to be able to turn any working piece of kit into a piece of metal art in about 20 seconds, EVERYTHING was always a BIOS issue and he would NEVER check with anyone before replacing the BIOS.
Let's be clear about how dumb this person was: he had a BIOS that worked on his test servers and would then apply that to all the other servers INDEPENDENT OF HARDWARE OR OS. He would then start the machines (which of course wouldn't start), declare them "broken" and say the issue was with the software.
We did some low-level hardware stuff in our software and it did break the boxes sometimes, so it took 2 months of painful testing and debugging which found nothing. It only came out because one of the team had a heavy night and decided to "rest" in the server room, and saw the moron apply the BIOS to a server that had been running and then scurry out to blame the team again.
Basic rule after then was BIOS set to read-only and locked down with a secure password, to this day my BIOS has a password thanks to the sheer physical shock of realising how dumb some people can be.
An Eye for an Eye will make the whole world blind - Gandhi
Finally, as the parent said, this is bricking. As much as this term gets thrown around slashdot, you don't use it to describe actual bricking??!?!?!@!??!111!? I'm surprised it wasn't tagged as censorship, another term that gets over-used on slashdot because a bunch of idiots don't know what it means.
Also as mentioned befophe this "PH" naming phad is phucking stupid.
Nothing is really new.
Bytecode, killer pokes, the auto type, XML ...
Rich.
libguestfs - tools for accessing and modifying virtual machine disk images
I seem to remember a virus back in the 486 days that would cause the hard drive to sweep back and forth between extremes and would keep sweeping until it hit some "resonant frequency" of the drive heads. At that point the heads would start oscillating on the vertical, causing it to strike the platter and physically damage the hard disc.
Anyone else remember this? I had only seen it once and have never been able to find a reference to it.
This would have been in the mid '90s. I have been wracking my brain over finding it since then.
Anyone else who has heard of this, reply and let me know.
"Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
This isn't exactly a new problem...in the early days, you could fry a monitor by setting the video card to absurd refresh rates, and you could destroy hard disks by issuing bogus stepping commands to the heads and slamming them into the stops.
I saw someone Phlashing their laptop in a public park, he was arrested for public indecency :-)
Take Nobody's Word For It.
The last time I "phlashed" someone in real-life I received a permanent injunction and restraining order from a very nice judge in court. I guess you can call that a permanent denial of service.
I am not making this up: less than a week ago, I woke up thinking: what do firmware, BIOS, TPM, and IPMI have in common? They'd all be great vectors for bricking a machine.
Sometimes I wonder about the mindset that even goes into creating something like this. I'll admit that when I was a middle-school aged kid, I thought that "computer hackers" were cool. Now, however, I just sort of wonder --
even if information wants to be free, wtf am I supposed to do with it?
"Fone Phreaking" I saw a benefit to, and it's something that I took an interest in.
Trying to hijack computers and stuff -- why bother? Unless I'm doing it to be a dick to someone, just why? I can understand if mobster types are trying to do a virtual bank robbery, but this is just sorta gay.
I can see why a 13-14 year old little dipshit might want to use it, but it's pretty clear that someone that age wouldn't have invented the technique. So, my question really is - what sort of mal-adjusted dickhead would come up with something like this, wrap it in nice little scriptkiddy packaging, and make it available to lazy little vandals that got "dissed" on myspace?
If it finally costs people when their boxes get hacked, maybe they will care enough not to let their machines get hacked.
If one botnet got taken over and the disks on that botnet's host got passwords set on them and the resulting mess got good press, the spamming industry might actually take a big hit.
So that's what they call it when a web server is melted remotely.
GameRanger - multiplayer gaming service for PC and Mac games
/\/3VV, 8i05 \/1ru535 @re 4 t3h 900d +1m3z && L337 H4X0rz.
Hey I get a new boot message!
Look it's on my nintendo WII too.
I'm sorry, but every device out there should have two factory reset switches:
1 to reset user data, akin to a standard BIOS "reset to factory settings"
1 to re-flash the BIOS to the factory-installed version of the BIOS, to de-brick devices.
Furthermore, if there is anything a user can do that is designed to update the machine in a way that's irreversible without a password setting a BIOS or boot password, a hardware switch should be pressed as the information is saved. While this won't prevent social engineering, it will prevent pure software exploits from making the hardware unusable.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
With older VGA video hardware it was possible for software to set the monitor on fire. Perhaps turning the monitor off could be not only a power savings, but a security benefit as well.
I bet she laughed when you phlashed your insignificant bits.
Ergonomica Auctorita Illico!
> "Unfortunately, there isn't a magic bullet..."
Yes there is. It's called a write-disable switch.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
What is so new about this? That it's been given a media friendly ph-suffix name?
I think Malicious Firmware Update is better.
M.F.U. (I am sure with those initials, we could come up with a name much more compelling and befitting the situation you'd be in if this happened to you).
Anyone who has worked with even consumer grade home computers and routers and done a firmware or BIOS flash should have been aware that this is possible, with most home routers having the ability for remote management....
Now....if we saw a worm that does this in the wild, it might be more newsworthy.
As long as it's a hot girl hacker who phlashes me.
Wasn't this already done by the CIH (later called Chernobyl) virus, circa 1998? There was even an e-mail variant of it, based on the Loveletter worm.
> May your body rot next to that of the designer of the Titanic.
Unfair. If the ship had been built with the rivets specified by the engineers it would not have sunk. The shipyard couldn't get rivets that met specs so management went with what they had. After all, they had a delivery date...
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Nah, I'd rather go with this entry submitted above: BOIP (brick-over-IP).
(OT: lol. captcha: phrased)
- wait for a key press
- for decreasing n
- turn on the tape cassette relay
- wait n cycles
- turn off the tape cassette relay
This would cause an increasing pitch whine, followed by a little whiff of smoke from the cassette relay. Something about the people there always saying "there's nothing you can type on the computer that will hurt it..."
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
Turns out there wasn't a phishing attack, but an Apple Update that didn't go as planned. Apple sent an update that caused every mac to flash their router with a AirPort/AppleTalk/IPX update. Everything went as planned, except for the few customers that had Mac computers on non-Airport based networks. Rumor has it Apple has regarded the issue as low priority, but will provide a patch for everyone that buys OSX10.6 and until then their official statement so far is "STFU, why weren't you using an Airport?", noting that use of non-Apple routing equipment can void your warranty, and that they have no legal obligation to resolve the issue with the few affected hackers.
Want Big Business out of government? Take away the incentive and start by getting government out of big business!
...you should have shown her your hard drive and not your floppy? Most women simply aren't impressed by a 3.5" anymore...
Last night I played a blank tape at full volume. The mime next door went nuts.
Anyone remember dark avenger from the 80's? or CIH in the 90's?
But it's about time destructive viruses have returned. Perhaps if enough machines are trashed someone will finally deal with the problem. As long as it's just botnets, no one's really going to care.
---- Booth was a patriot ----
Apple sent an update that caused every mac to flash their router with a AirPort/AppleTalk/IPX update. Everything went as planned, except for the few customers that had Mac computers on non-Airport based networks.
I have a hard time believing that software to flash the firmware on an Airport would have any effect on a non-Airport router.
Can you provide a URL or other cite for this?
"Unfortunately, there isn't a magic bullet, but making sure the flash update mechanisms have authentication so as not just anyone can perform an update is a start," Smith says. "Beyond this, flash update mechanisms need to be designed with malicious attacks in mind."
Um, yeah, there's a magic bullet.
A simple, hardwired button/toggle switch on the back of the device. "Flash: enabled [|| ] disabled"
Kind of like the tab on floppies, VHS tapes, flash drives, memory cards, you know.
Sorry if you have to get up out of your chair to flip the switch on the device, but you should be prepared to have to physically access the device anyway if you're doing any sort of flashing. Take the time to blow out / vac out the dust while you're at it. Check that the labels are still attached, the power cords are still seated firmly, etc.
You're not Ron Popeil.
You can't "Set it and Forget it!" like a rotisserie oven.
- I just *died*. Good one, Zerth!
They could have just adopted Swedish instead of changing English. You betcha!
Tell me once again, how much you want those cybernetic implants...
http://www.symantec.com/security_response/writeup.jsp?docid=2000-121916-0457-99&tabid=2
This virus was first found over 14 years ago, so the idea of remotely causing hardware failure isn't new. However no one has tried to implement it on a serious scale since. Given that so many modern-day devices and software are able to automatically flash/patch, this is something which, if done right, could adversely affect a significant number of systems.
I wonder... supposedly China is behind many cyber attacks on the US. It seems that many of these chips could have backdoors to be triggered by botnets. It's not like that code is audited...
Would you pay $2 more for a router that proudly supported a "guaranteed recoverable from malware or your money back" sticker vs. one that that didn't? I would.
OK, it would be more like $5 more: $2 for the increased costs of manufacture, $0.20 for the sticker, and $2.80 in extra profit for the fear, uncertainty, and doubt scare-words provide.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
hard...floppy..3.5 inch...
:)
this can be taken in SOOO many ways
I used to play with viruses when I was a kid, I distinctly remember one that used to trash the bios. Might have been Magistrate.
Support my political activism on Patreon.
Businesses have been bankrupted by shortchanging their new products by 10 cents, in the new management-style, and business is run on "the numbers", or "the financials" nowadays.
The only solution (other than dissolving one's computer .. ta-boom!) is to run an OS that won't do such things, and that probably means preventing Microsoft operating systems from being on all one's machines.
I don't know Mac code security, but I've read some un-nice things about it...
As for it being possible, look how many motherboards can be flashed from within MS Windows.
If the vendor gives you, the user, the ability to do it, then it can be done.
Malicious use of the same mechanism is inevitable.
When I was at the U of Wisconsin back in the 1970s, the central campus Computer Center had a Univac system. An EE prof (or his students ;-) got circuit diagrams and did some analysis. He announced that there was a bug: If a particular (unlikely) sequence of instructions was executed, they would fry a transistor in the CPU. Rather than thanks, he got ridiculed and insulted by the Univac CS people (and a lot of people on campus). So he announced that he'd run a test. He submitted a job that included a chunk of assembly language with the sequence. The machine promptly halted and couldn't be rebooted. The CS engineers looked into it, and found that a transistor had been fried.
...
These days, though, I suppose that he'd probably be charged with something. The smart thing to do if you learn of such bugs is probably to not notify anyone, especially not the vendor or your employer. Instead, you quietly offer the information (for a price of course) to various "interested parties" for whatever use they'd like to make of it.
Another time, some students figured out a bug in Univac's tape drives. They found code that sent commands to spool forward and rewind with timing such that the drive did both - which snapped the tape. They were also not believed, so they demoed it. They submitted a job that asked for a scratch tape, wrote a few KB of data, and snapped the tape. Then it asked for another scratch tape. It didn't take too many tapes before the operators figured out that they should call in the CS people.
I'll bet that others here have a bunch of similar stories. And nonetheless, a future story will be the patenting of using such bugs for "PDOS" attacks. Probably by our favorite whipping boy, Microsoft, who will patent such attacks as a way of enforcing licensing restrictions or DRM.
Maybe the fellow the story is about can get the patent first
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Way to miss the point, troll.
Not a very difficult fix for any tech savvy person with surface mount device reworking equipment - or a soldering iron, a steady hand and a great deal of faith in their ability (or practical experience) to rework SMDs with the wrong kit.
Truly spoken by someone who hasn't tried to buy a programmed flash part for a made in China board. Hint, the replacement board can be purchased but the replacement chip containing IP firmware is a little harder to obtain. Custom parts on the board (flash memory) are not imported in a programmed state. If you can extract the image from the executable without the aid of the boot loader, many of these blank chips and flash upgrade don't come with any way to install the initial code to load the initial firmware.
A new blank BIOS chip doesn't contain enough firmware to boot a floppy, USB memory stick, or CD ROM to flash the BIOS. You need a BIOS image and device programmer. Since neither is supplied and both are needed, your chances of obtaining a BIOS image and installing the firmware are slim to none.
A blank clock flash memory chip from Mouser does not make a bricked board bootable enough to flash the new BIOS firmware.
If you want to try it, pick up a blank unit here; good luck:
http://www.epn-online.com/page/new56862/mouser-stocks-silicon-laboratories-c8051f9xx-line-of-mcus.html
The truth shall set you free!
Published in Astounding Science Fiction in the late 1940's or early 50's. Many of the proposed letter substitutions are even the same. (Well, some are obvious, as "s" for the soft "c"...but I mean some of the arbitrary ones.)
Naturally the "Short Story" (modest proposal?) developed the idea in more depth, but it was essentially the same. You could also compare this with some ideas pushed by Bertrand Russell, and probably others. Note that this isn't a new language, merely a rephonetization of the current language. As such it really would be easy to switch to, as long as your dialect is as close in its pronunciation to that of the dialect chosen for phoneticizing around. Going in the other direction would be quite a bit more difficult, so if you do this all books will need to be republished with new spellings. OTOH, this could be phased in over a decade or so. But you'd need a government agency authorized to forbid the publication of books unless they were in the new spelling. (That could probably be easily abused.)
I think we've pushed this "anyone can grow up to be president" thing too far.
The "factory default" flash could be a failsafe that offers just enough functionality to load a real flash image in a safe way.
For example, a smart-phone's main OS would be stored in a large flash, while the failsafe OS would have just enough smarts to either read the inserted memory card or activate the basic phone features and phone a known-good phone number, and download a predetermined filename from the remote server, then install it. It wouldn't even have to be over internet protocols, XMODEM or something equally simple would do nicely. That should take a lot less room than the "real" BIOS.
A router's failsafe OS would have just enough smarts to set up a LAN with a predefined fixed address, start a tftp server, wait for a file named X to come in, verify the file is properly cryptographically signed, and install it. That's a lot less smarts than the "real" flashed image and a consequently a lot smaller.
Likewise, a PC's failsafe could be "initialize hardware to safe settings, then prompt user to insert CD and press any key. When key pressed load first X bytes from CD to determine where to go on CD to find the image then load and activate the new real BIOS." That's a lot smaller than a real BIOS.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
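The image check such a failsafe loader would run before touching the flash, written out as an added example (not from any poster above and not any vendor's recovery code). The container layout, the "RCVR" magic and the factory key are assumptions, and an HMAC-SHA256 tag under a key embedded in the failsafe stands in for the public-key signature the post calls for; the structure of the check (authenticate header and payload first, refuse truncated or downgraded images, write nothing until everything passes) is what the example demonstrates.

```python
"""Image-acceptance check for a minimal recovery ("failsafe") loader.

Constructed example: the failsafe receives a file (e.g. over tftp), checks
that it is authentic, and only then installs it. The container layout and
magic are assumptions of this example, not any vendor's format. An
HMAC-SHA256 tag under a key embedded in the failsafe stands in for the
public-key signature a real device would verify (the standard library has
no signature primitive); the shape of the check is the same.
"""
import hashlib
import hmac
import struct

MAGIC = b"RCVR"                  # assumed container magic
HEADER = struct.Struct(">4sII")  # magic, version, payload length
TAG_LEN = hashlib.sha256().digest_size
# Assumed key provisioned into the failsafe at the factory (constructed value).
FACTORY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def build_image(key, version, payload):
    """Producer side: header + payload, then a tag over both."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(key, image, installed_version):
    """Failsafe side. Returns (ok, reason, payload); nothing is written
    to flash unless ok is True."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated: shorter than header plus tag", b""
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time compare; authenticate before parsing anything else.
    if not hmac.compare_digest(tag, expected):
        return False, "authentication failed", b""
    magic, version, length = HEADER.unpack_from(body)
    if magic != MAGIC:
        return False, "bad magic", b""
    payload = body[HEADER.size:]
    if len(payload) != length:
        return False, "length field does not match payload", b""
    # Anti-rollback: a genuine but older image is still refused, or an
    # attacker could reinstall a known-vulnerable release through recovery.
    if version < installed_version:
        return False, f"rollback refused: {version} < {installed_version}", b""
    return True, "ok", payload


def demo():
    """Run the check over constructed images; returns name -> accepted."""
    good = build_image(FACTORY_KEY, 7, b"firmware payload bytes (constructed)")
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0x01  # flip one bit of the payload
    cases = {
        "good": good,
        "tampered": bytes(tampered),
        "truncated": good[: len(good) // 2],
        "wrong_key": build_image(b"not the factory key", 7, b"payload"),
        "rollback": build_image(FACTORY_KEY, 3, b"older but genuine release"),
    }
    return {n: verify_image(FACTORY_KEY, img, 5)[0] for n, img in cases.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:>10}: {'install' if accepted else 'reject'}")
```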
Bell and DirecTV bricked thousands of pirate receivers a few years ago. People that didn't know what JTAG meant or how to use google ended up paying big $$ to either their dealers or the Sat companies for new hardware.
That whooshing sound was the sarcasm and wry humor streaking over your head.
In 2004 or 2005 on my LAX-Singapore flight I was seated next to a pair of HiTB Malaysia attendees and having a discussion of this same idea. One was going to be presenting a paper on USB Client-Host-Client hacking via malforming of the OHCI/UHCI communications, and we got into a discussion on the viability of replacing firmware via a virus or worm. The other had recently accomplished the creation of a 'trojaned' firmware update containing a virus for a GeForce video card that could not be removed by any anti-virus software or any official update, and he was rather intrigued by a few ideas I had on attacking a network via flaws in the networking hardware.
And if you recognize yourself in the above, I'm still working on the manuscript.
That whooshing sound was the sarcasm and wry humor streaking over your head.
Point well taken. I do however remember in the PC XT days (no CMOS) where the BIOS was a plug-in chip. It was great fun to unplug the BIOS and replace the copyright message with something like my name with a bit editor and burn it back into a blank EPROM. Those days are gone forever..
Anybody want some blank 2764's?
The truth shall set you free!