New 'Phlashing' Attack Sabotages Hardware

yahoi writes "A new type of denial-of-service attack, called permanent denial-of-service (PDOS), damages a system so badly that it requires replacement or reinstallation of hardware. A researcher has discovered how to abuse firmware update mechanisms with what he calls 'phlashing' — a type of remote PDOS attack."

Pharphetched naming

I'm sick of this naming phad.

Re:Pharphetched naming

[Thanshin]

I pheel it phaitphully phollows the phirst uses oph it.

Re:Pharphetched naming

[Kamineko]

It sure as hell beats phbricked.

Re:Pharphetched naming

[davidpbrown]

Reminds me of the European Commission

The European Commission has announced an agreement whereby English will be the official language of the EU, rather than German, which was the other contender. Her Majesty's Government conceded that English spelling had room for improvement and has therefore accepted a five-year phasing in of "Euro-English".

In the first year, "s" will replace the soft "c". Sertainly, this will make sivil servants jump for joy. The hard "c" will be dropped in favour of the "k", Which should klear up some konfusion and allow one key less on keyboards.

There will be growing publik enthusiasm in the sekond year, when the troublesome "ph" will be replaced with "f", making words like "fotograf" 20% shorter.

In the third year, publik akseptanse of the new spelling kan be expekted to reach the stage where more komplikated changes are possible. Governments will enkourage the removal of double letters which have always ben a deterent to akurate speling. Also, al wil agre that the horible mes of the silent "e" is disgrasful.

By the fourth yer, peopl wil be reseptiv to steps such as replasing "th" with "z" and "w" with "v".

During ze fifz yer, ze unesesary "o" kan be dropd from vords kontaining "ou" and similar changes vud of kors be aplid to ozer kombinations of leters. After zis fifz yer, ve vil hav a reli sensibl riten styl. Zer vil be no mor trubls or difikultis and everivun vil find it ezi to understand ech ozer. ZE DREM VIL FINALI COM TRU!

Herr Schmidt

Re:Pharphetched naming

[Curien]

Credit where credit's due:
http://www.physics.uwo.ca/~harwood/humor13.txt

Re:Pharphetched naming

[flosofl]

Dude, at least acknowledge the original you borrowed this from (maybe Mark Twain, most likely M.J. Yilz). http://grammar.ccc.commnet.edu/grammar/twain.htm

Re:Pharphetched naming

[beadfulthings]

I'm in a lot of trouble. By those rules, by Year 5 there won't be any letters left in my first name.

Sincerely yours,

*

Re:Pharphetched naming

Cphethw, is that you!?

I had no clue people still upgraded firmwares.

[nauseum_dot]

Seriously, I work to update the equipment at work, but at home, I just really don't care a whole lot about a $30 router.
I can't tell you the last time upgraded the bios on a motherboard. I think it was an older P3 Dell PowerEdge because I was installing Linux on it.

Re:I had no clue people still upgraded firmwares.

[maxume]

No doubt all his equipment works exactly as he expects it to.

He would probably be outright offended if he heard about Rockbox or other projects where people are *writing* their own firmware.

Re:I had no clue people still upgraded firmwares.

[Creepy+Crawler]

That's the key: Reliable Enough. We dont need 100% availability, as it requires many redundant units (akin DRBD). I just have another WRT54G if this one burns out.

Business wise: I would go higher end as time==money. Better reliability can be afforded.

It does what I want it to do, and it does it well. And cheap.

Read-only switch

[ettlz]

...or jumper. How much more would that cost?

Re:Read-only switch

more than nothing

Re:Read-only switch

[marxmarv]

About two cents in quantity, plus a penny to drill the hole and stuff the part. Plus six or seven cents for the AND gate on the write line. Times several million.

Bricking

[ThrudTheBarbarian]

FINALLY! *This* is bricking

Re:Bricking

[hostyle]

+1 Architectural

Re:Bricking

[Linker3000]

Not a very difficult fix for any tech savvy person with surface mount device reworking equipment - or a soldering iron, a steady hand and a great deal of faith in their ability (or practical experience) to rework SMDs with the wrong kit.

FTFY

How is the mechanism exploited?

[Coopjust]

Is it possible to exploit firmware from the outside, unless the person has enabled remote management and is using the default password?

Those two rarely go hand in hand.

However, I think we'll see a lot of trojans with firmware payloads. How many people use the WRT54G? And how many access points are unsecured with the name "linksys"? Those people probably didn't change their admin password.

Simple solution: Hardware button. You have to press it to flash the router, and you have a minute after you press it to upload the firmware. Should be an easy thing to do and provide a great amount of protection.

Re:How is the mechanism exploited?

[kalirion]

Why would flashing even be allowed through remote management? My router comes with instructions to not even risk flashing through a wireless LAN connection, much less the whole big world wide net.

That's the best they could come up with

[Zerth]

Phlashing? And he calls his demo code PhlashDance? Good way to make this seem completely silly. "Damn it, we've been phlashdanced!" That'll really get management to up your security budget, if they ever stop laughing.

It figures that when "bricking" might be remotely appropriate, they pick something worse.

It could have been remote bricking, BOIP(brick over IP), brick-and-run, packet bricking, warbricking.

Even brick-o-gram(landshark).

Sigh...

Re:That's the best they could come up with

[trongey]

It could have been remote bricking, BOIP(brick over IP), brick-and-run, packet bricking, warbricking.

Even brick-o-gram(landshark). I vote for Brick-rolling.

Re:That's the best they could come up with

[Orbijx]

We're no strangers to v4. You know ipchains, and so do I. A full traceroute's what I'm thinking of. You wouldn't ping it with any other guy. :)

Re:thank you for another buzzword

[aproposofwhat]

nah - his tool's called PhlashDance, which made me go all warm and fuzzy at the thought of Jennifer Beals stamping on my fimware in her heels :P

Re:thank you for another buzzword

[SargentDU]

I agree! phlashing sounds like flashing! Stupid to use something that is phonically identical for different outcomes.

Surely this isn't that much of a problem

[Silver+Sloth]

As a targeted attack against a commercial venture any support team worth their salt will do patching as part of routine maintenance - don't we guys'n'gals? As an attack against mom and pop PCs there are so many hardware variants that any one piece of malware will have a very limited target.

To me this looks like talking up a non existent problem - but I'm open to persuasion otherwise.

This is new?

[Timothy+Brownawell]

I'm pretty sure I remember stories about viruses that could destroy hardware, by doing things like making the drives seek in "funny" ways (past the edge of the disc or something?) or driving wired-together pins to opposite voltages. Those sound *really* permanent, where a bad flash can be fixed by anyone with the proper equipment (JTAG programmer) unless it does that same sort of thing.

Re:This is new?

[MilesAttacca]

Indeed, early Commodore PETs reportedly suffered a "killer POKE" via their BASIC.

Re:This is new?

[lz2pt]

God, this is going back,

In the good old DOS PC days when 10Mb hard disks were 'big' and 'Stoned' was probably the only wild virus ever found on the lab machines..

There was an issue wrt Stoned I think, or some other virus of the time whose name escapes me, its final action was to zap the old MFM hard disks via some low level init call, but, this wasn't fatal as we could get the info back off them with a bit of faffing, however, the first generation of those new fangled IDE disks, the same init call permanently screwed the disks.

It killed a number of expensive large (40Mb) hard disks back then in the lab..thanks mainly to one serial offender who disabled the virus scanners on these new machines when they stopped him running infected code off floppies. (don't ask, the guy was a serious pain..)

I also remember a fun summer spent manually repositioning the heads on a bunch of MFM drives by trial and error which had 'gone faulty' after virus infestation, turned out there was a small grub screw which worked loose on an optical interrupter on the head positioning motor shaft if the drive was particularly hammered (lots of seeks over a short period of time etc). There was an opening of the case and a lot of twiddling and adjusting whilst watching the position of the heads over the platters (not carried out in a clean, dust free environment I hasten to add). As that was one brand of HD, I doubt it was a targeted effect of a virus though, just bad design.

My memory is vague on this, as I was more hardware design and Sun support..

Proof of concept

[Malevolent+Tester]

Dear Sir, I am the former son of the Nigerian dictator Sonni Abacha. I would like to give you several million dollars. To receive this, please add a static IP to your D-Link router and reboot it.

I used to work with a Sys Admin like that

[MosesJones]

He used to be able to turn any working piece of kit into a piece of metal art in about 20 seconds, EVERYTHING was always a BIOS issue and he would NEVER check with anyone before replacing the BIOS.

Lets be clear about how dumb this person was, he had a BIOS that worked on his test servers and would then apply that to all the other servers INDEPENDENT OF HARDWARE OR OS. He would then start the machines (which of course wouldn't start) declare them "broken" and say the issue was with the software.

We did some low level hardware stuff in our software and it did break the boxes sometimes so it took 2 months of painful testing and debugging which found nothing, it only came about because one of the team had a heavy night and decided to "rest" in the server room and saw the moron apply the BIOS to a server that had been running and then scurry out to blame the team again.

Basic rule after then was BIOS set to read-only and locked down with a secure password, to this day my BIOS has a password thanks to the sheer physical shock of realising how dumb some people can be.

Re:I used to work with a Sys Admin like that

[kalirion]

That's sounds like a good submission to The Daily WTF.

Re:New word overloading

[smooth+wombat]

Just another reason not to use Flash or even have it installed on your system.

This is why, Flash must die!

Hardware Virus

[Pikoro]

I seem to remember a virus back in the 486 days that would cause the hard drive to sweep back and forth between extremes and would keep sweeping until it hit some "resonant frequency" of the drive heads. At that point the heads would start oscillating on the vertical, causing it to strike the platter and physically damage the hard disc.

Anyone else remember this? I had only seen it once and have never been able to find a reference to it.

This would have been in the mid '90s. I have been wracking my brain over finding it since then.

Anyone else who has heard of this, reply and let me know.

Re:Hardware Virus

I experimented with a technique (that worked) on the Commodore 64. You could address the floppy drive directly to move the drive head to the innermost position, which was on the opposite side of the "track 0" microswitch. Then you deliberately crash the CPU on the drive. When it POSTs it moves the head inward to track 0 to initialize. Since the head is on the wrong side of the switch it never gets there, makes a terrible noise, and gives up.

Hardly a new phenomenon

[g051051]

This isn't exactly a new problem...in the early days, you could fry a monitor by setting the video card to absurd refresh rates, and you could destroy hard disks by issuing bogus stepping commands to the heads and slamming them into the stops.

Works in real life too !

[garett_spencley]

The last time I "phlashed" someone in real-life I received a permanent injunction and restraining order from a very nice judge in court. I guess you can call that a permanent denial of service.

Re:Works in real life too !

[hyperz69]

I guess your firmware didn't impress her.

source of the name

[straponego]

PHLASH.EXE is the name of Phoenix's BIOS upgrade tool.

I am not making this up: less than a week ago, I woke up thinking: what to firmware, BIOS, TPM, and IPMI have in common? They'd all be great vectors for bricking a machine.

Everything should have a factory reset switch

[davidwr]

I'm sorry, but every device out there should have two factory reset switches:

1 to reset user data, akin to a standard BIOS "reset to factory settings"
1 to re-flash the BIOS to the factory-installed version of the BIOS, to de-brick devices.

Furthermore, if there is anything a user can do that is designed to update the machine in a way that's irreversible without a password setting a BIOS or boot password, a hardware switch should be pressed as the information is saved. While this won't prevent social engineering, it will prevent pure software exploits from making the hardware unusable.

Re:Sometimes I wonder...

[trongey]

Sometimes I wonder the mindset that even goes into creating something like this. ... I can understand if mobster types are trying to do a virtual bank robbery,... Close. It's called extortion. You do this to one of a site's machines. Then you send the demand for payment with a threat to do it to the rest of their machines. It's been happening to gambling and porn sites for years since law enforcement agencies don't usually get in a hurry to apprehend people who attack those sites. They have been using DDoS, so this would just be a bigger hammer.

Re:thank you for another buzzword

nah - his tool's called PhlashDance, which made me go all warm and fuzzy at the thought of Jennifer Beals stamping on my fimware in her heels :P Hmmmm... What a pheeling.

Magic Bullet

[John+Hasler]

> "Unfortunately, there isn't a magic bullet..."

Yes there is. It's called a write-disable switch.

Already done in 1998

[RickRussellTX]

Wasn't this already done by the CIH (later called Chernobyl) virus, circa 1998? There was even an e-mail variant of it, based on the Loveletter worm.

This is not really new..

[mengel]

I recall a friend of mine having a little routine for TRS-80's that would:

• wait for a key press
• for decreasing n
  • turn on the tape cassete relay
  • wait n cycles
  • turn off the tape cassete relay

this would cause an increasing pitch whine, followed by a little whiff of smoke from the cassette relay.

Something about the people there always saying "there's nothing you can type on the computer that will hurt it..."

Re:Bricking & replacement parts

[Technician]

Not a very difficult fix for any tech savvy person with surface mount device reworking equipment - or a soldering iron, a steady hand and a great deal of faith in their ability (or practical experience) to rework SMDs with the wrong kit.


Truly spoken by someone who hasn't tried to buy a programmed flash part for a made in China board. Hint, the replacement board can be purchased but the replacement chip containing IP firmware is a little harder to obtain. Custom parts on the board (flash memory) are not imported in a programmed state. If you can extract the image from the executable without the aid of the boot loader, many of these blank chips and flash upgrade don't come with any way to install the initial code to load the initial firmware.

A new blank BIOS chip doesn't contain enough firmware to boot a floppy, USB memory stick, or CD ROM to flash the BIOS. You need a BIOS image and device programmer. Since neither is supplied and both are needed, your chances of obtaining a BIOS image and installing the firmware are slim to none.

A Blank clock flash memory chip from Mouser does not make a bricked board bootable enough to flash the new BIOS firmware.

If you want to try it, Pick up a blank unit here; Good luck
http://www.epn-online.com/page/new56862/mouser-stocks-silicon-laboratories-c8051f9xx-line-of-mcus.html