Slashdot Mirror

← Back to Stories (view on slashdot.org)

New 'Phlashing' Attack Sabotages Hardware

Posted by timothy on from the not-so-nice dept.

yahoi writes "A new type of denial-of-service attack, called permanent denial-of-service (PDOS), damages a system so badly that it requires replacement or reinstallation of hardware. A researcher has discovered how to abuse firmware update mechanisms with what he calls 'phlashing' — a type of remote PDOS attack."

5 of 242 comments (clear)

  1. Pharphetched naming by Anonymous Coward · · Score: 5, Insightful

    I'm sick of this naming phad.

  2. How is the mechanism exploited? by Coopjust · · Score: 5, Insightful

    Is it possible to exploit firmware from the outside, unless the person has enabled remote management and is using the default password?

    Those two rarely go hand in hand.

    However, I think we'll see a lot of trojans with firmware payloads. How many people use the WRT54G? And how many access points are unsecured with the name "linksys"? Those people probably didn't change their admin password.

    Simple solution: Hardware button. You have to press it to flash the router, and you have a minute after you press it to upload the firmware. Should be an easy thing to do and provide a great amount of protection.

  3. Re:Bricking by Linker3000 · · Score: 4, Insightful

    Not a very difficult fix for any tech savvy person with surface mount device reworking equipment - or a soldering iron, a steady hand and a great deal of faith in their ability (or practical experience) to rework SMDs with the wrong kit.

    FTFY

    --
    AT&ROFLMAO
  4. Everything should have a factory reset switch by davidwr · · Score: 5, Insightful

    I'm sorry, but every device out there should have two factory reset switches:

    1 to reset user data, akin to a standard BIOS "reset to factory settings"
    1 to re-flash the BIOS to the factory-installed version of the BIOS, to de-brick devices.

    Furthermore, if there is anything a user can do that is designed to update the machine in a way that's irreversible without a password setting a BIOS or boot password, a hardware switch should be pressed as the information is saved. While this won't prevent social engineering, it will prevent pure software exploits from making the hardware unusable.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  5. Magic Bullet by John+Hasler · · Score: 4, Insightful

    > "Unfortunately, there isn't a magic bullet..."

    Yes there is. It's called a write-disable switch.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.