Godlike Productions Banner
03:56 AM
Join Now, Free! (& No Ads) | FAQ | Links | Link to Us | Contact | User Map
User Photo Album | Dooms Day Calendar | Radio! | GLP Store | Proxy Toolbar
ForumDiscussion TopicsAdvanced SearchNewsGallery
ForumTopicsAdv. SearchNewsGallery

News

  Saturday, August 30, 2008  
  Breaking News     Back
"Phlashing" attacks could render network hardware useless

Ars Technica

2008-05-21

Most computer security coverage focuses on the PC realm, but Rich Smith, head of HP's Systems Security Lab, has identified a potential security flaw within a network's physical hardware rather than a typical desktop or server system. Smith's report focuses on a class of devices he refers to as Network Enabled Embedded Devices (NEEDS for short), and how such systems could be attacked at the firmware level through a process he refers to as "phlashing."

Attacking system firmware isn't a new tactic—the CIH/Chernobyl virus was capable of overwriting BIOS firmware back in 1998—but focusing such attacks on network hardware would be an unusual step, and could prove quite successful in at least the short term. According to Smith, the ongoing war between security vendors and malware authors will inevitably drive exploration into new, non-PC-centric attack vectors as loopholes within the PC ecosystem become increasingly harder to exploit. NEEDS could therefore become a future target of opportunity, especially considering the poor default security state most of these systems ship with.

Currently, NEEDS are treated as part of a network's topology rather than as individual devices requiring their own set of security procedures and practices. As a result, such devices may present a nearly unguarded attack vector, particularly if the remote management software for any given unit has bugs of its own. The "phlashing" attack vector Smith plans to discuss at EUSectWest next week involves exploiting these security flaws to launch what he refers to as a Permanent Denial of Service, or PDOS attack.

Such an attack would be launched by uploading a purposefully corrupted BIOS into a device, causing the system to crash. Depending on the configuration of the network in question, strategically crashing a small handful of routers could bring down a network or business. What's worse, Smith argues, is that the company or organization under attack would have no effective way of fighting back or repairing the damage short of replacing the hardware in question.

As Dark Reading's article on the subject points out, however, the question of whether or not hackers would even launch such attacks is open to debate. Commercial malware campaigns have historically been far more interested in utilizing systems for profit than in destroying them, and the ability to compromise a router or another embedded system's firmware would likely result in a number of attacks that sought to capitalize on this capability rather than destroy it.

There's also a significant level of risk associated with actively destroying a legitimate company's network hardware. Today, malware, and the need to protect from it, is an accepted part of IT security. Phishers and scammers of all types are certainly pursued, but the big law enforcement guns are typically reserved for high-profile cases where a great deal of money is actively changing hands. Destroying or crippling a company's network hardware is one of the fastest ways to draw attention to yourself, and most criminal organizations prefer to stay off the radar, not dance on top of it in an aluminum monkey suit.

PDOS attacks may never become a major threat, but Smith has a point when he talks about the ever-widening scope of malware. The criminal software industry has proven itself to be exceptionally adroit at adopting new and different attack vectors, and could conceivably shift its focus (or at least open a front) against an entirely different target. Strengthening network security by focusing on devices rather than PCs certainly wouldn't hurt anything, and it could provide protection against headaches down the road.

  Email Article

  Discuss in the Forum

Back

Vote for Us!
Vote For Godlike Productions!
Vote for Us!  Valid HTML 4.01 Transitional



Disclaimer:
This website exists for entertainment purposes only. The reader is responsible for discerning the validity, factuality or implications of information posted here, be it fictional or based on real events. Moderators on this forum make every effort to review the material posted on this site however, it is not realistically possible for our small staff to manually review each and every one of the more than 5000 posts GodlikeProductions gets on a daily basis. The content of posts
on this site, including but not limited to links to other web sites, are the expressed opinion of the original poster and are in no way representative of or endorsed by the owners or administration of this website. The posts on this website are the opinion of the specific author and are not statements of advice, opinion, or factual information on behalf of the owner or administration of GodlikeProductions. This site may contain adult content and if you feel you might be offended by such content, you should log off immediately.

Not all posts on this website are intended as truthful or factual assertion by their authors. Some users of this website are participating in internet role playing, with or without the use of an avatar. NO post on this website should be considered factual information on face value alone. Users are encouraged to USE DISCERNMENT and do their own follow up research while reading and posting on this website. Godlikeproductions.com reserves the right to make changes to, corrections and/or remove entirely at any time posts made on this website without notice. In addition, Godlikeproductions.com disclaims any and all liability for damages incurred directly or indirectly as a result of a post on this website.

This site is provided "as is" without warranty of any kind, either expressed or implied. You should not assume that this site is error-free or that it will be suitable for the particular purpose which you have in mind when using it. In no event shall Godlikeproductions.com be liable for any special, incidental, indirect or consequential damages of any kind, or any damages whatsoever, including, without limitation, those resulting from loss of use, data or profits, whether or not advised of the possibility of damage, and on any theory of liability, arising out of or in connection with the use or performance of this site or other documents which are referenced by or linked to this site.

Some events depicted in certain posting and threads on this website may be fictitious and any similarity to any person living or dead is merely coincidental. Some other articles may be based on actual events but which in certain cases incidents, characters and timelines have been changed for dramatic purposes. Certain characters may be composites, or entirely fictitious.

We do not discriminate against the mentally ill!

Fair Use Notice:
This site may contain copyrighted material the use of which has not always been specifically authorized by the copyright owner. Users may make such material available in an effort to advance awareness and understanding of issues relating to civil rights, economics, individual rights, international affairs, liberty, science & technology, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C.Section 107, the material on this site is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes.
For more information please visit:
http://www.law.cornell.edu/uscode/17/107.shtml

This Disclaimer is subject to change at anytime.

Mail Webmaster with questions or comments about this site.

Page generated in 0.021s (1 queries)