A security attack that damages embedded systems beyond repair was demonstrated for the first time in London on Wednesday. The cyber-assault thrashes systems by abusing firmware update mechanisms. If successful, the so-called phlashing attack would force victims to replace systems. The attack was demonstrated by Rich Smith, head …
The "ph" fad.
Alright, just stop it already with the "ph" stuff. Does anyone remember how it came into being and how it properly related to its first usage? Phone freaking...aka phreaking...actually made sense. This malicious firmware flashing has nothing to do with phones!!! And honestly, "PhlashDance"?? Come on. What's next? "Oh no! We've been disco inphernoed!!!"
Signed updates = bad
The downside of requiring that firmware updates are signed by the manufacturer is that it becomes impossible to repurpose the devices in the way that NSLU2 (http://nslu2-linux/) and WRT54G (http://openwrt.org/) users have.
The best solution is to require physical access in order to perform a firmware update. For example, a switch that you press to enter "update mode", after which the web interface shows the upgrade dialog. If the cost of an extra switch is too much, just require that the reset button is pressed for 10 seconds when power is applied. The NSLU2 does something like this.
Because my pH level is too high. Nothing says "I haven't got a life" better than replacing Fs with PHs. STOP IT!</rant>
It was only a matter of time before this sort of thing happened. Embedded systems pose a larger risk of infrastructure exploitation because they're embedded, and simpler to predict.
Here's an example: Sky Broadband appear to provide lots of Netgear DG834-series routers to their customers, and assume that an exploit comes out to root a DG834 to run code of the attacker's choosing (DG834s are Linux).
You have x number of vulnerable systems which can be egged in any way the malware author sees fit. Predictable systems in a predictable IP range, no port scanning required.
It's not a case of batten down the hatches or tin foil hats, but I do reckon it's high time that either the broadband suppliers who issue the kit, and / or hardware manufacturers made automatic updating a little easier, and - in the case of a nasty dev flub, pretty timely indeed.
Shouldn't these things have write-protect jumpers and/or a tiny ROM (normally disabled) for re-flashing purposes?
Actually, if you're the sort of mind here, there's a SECOND party that can benefit from this exploit... the router manufacturers.
Think about it--you send out a wide AOE PhlashDance to brick a particular competitor's set of routers, then tout your own as PhlashDance-proof (whether or not they ARE, it's just a price-jack, and managers would drool all over the idea *itself* anyways.) Win.
It's devious, but it only works as long as no one catches on.
I wish there was a BOFH icon.
Just ship kit with all remote access disabled by default. Make the firmware unable to be changed from outside the local network, regardless of security settings. Doesn't seem that hard.
Main motive? -in a kaleidoscope of agendas?
"There's no record of such an attack even occurring and other security watchers are sceptical over whether crackers could make money - the main motive for denial of service attacks - from such an approach."
I thought the main motive of a denial of any type of service attack was to deny service? Which in any service-based economy would be QuITe a big issue, Virtually the Biggest and quite a disservice?
electronic warfare tool for countries and terrorists
Although this would not be so useful for blackmailers, this would be a great electronic warfare tool for countries and both state and non-state sponsored terrorists.
Disco inpherno - I love it :)
(long hated the ph thing)
Just as I was about to complain about the idiotic over use oph 'ph', I realised everyone else has... Why must everything with an 'ph' now be spelt with a phuking ph?
it gets to the stage where the use oph 'ph' and 'ph' is too diphphicult to diphpherentiate between
Phoible. (foi-bell) n. A weakness for spelling words in a whimsical manner.
Our alien lizard overlords...
...enjoy hacking our kit!
Why is this major news now?
Does anyone remember the CIH virus from the mid to late 90's?
Infected computers would overwrite their flash BIOS on certain days of the month.
Honestly I'm surprised that mischief makers haven't realised that they could overwrite firmware on local networks once they infect one machine. Most people leave the default admin passwords on everything from DSL routers to LAN connected printers. Get past the network barrier once, you own it.
Is there anybody out there?
"Both H D Moore of Metasploit fame and the Hack a Day blog reckon that exploiting vulnerabilities to plant malware in firmware is a far more insidious and dangerous type of attack than simply destroying systems."
They cannot be serious. Simply destroying systems allows One to entirely replace them with Better Beta Systems of One's Own Making and therefore in Control of Everything.
It doesn't get more Beneficial/Malicious than that....... but IT cannot be done by just any Old Hack with Tired and Worn Out Cracks for it needs AI Live and Agile Mind which can Connect with Much that is Apparently Not Already There but what can be Thought 42XXXXist and Therefore Most Definitely Is.
Such are in the Realms of amfM HyperRadioProActivity which are Regularly Registered here for Reading into dDeeper Understanding/Future Memory.
Surely the bad kind of flashing should be called Dirty Mac-ing. A botnet of such would be a Dirty Mac Brigade.
1) no ph abuse
2) It'll wind the cult of Jobs up
Outside the Network!
The obvious way to do this (hack) is a browser vulnerability. For your browser, the router is INSIDE. In fact ALL the routers I know only update via LOCAL (usually 192.168.yyyy.xxxx ) subnet.
For any ISP, you can assume the default Router IP is not changed. Other typical ones are local net 192.168.yyyy.1 or 192.168.yyyy.254 where yyyy is 0 to 255 and usually 0 or 1
Most people don't change default router password.
If you change your router default Admin password, it's unlikely this idea can be exploited. No outside access required. Only a vulnerable browser and malicious website (Active X anyone?)
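The two defensive ideas raised in this thread (a firmware update that is only accepted after a physical button press at power-up, and a web interface that refuses uploads from outside the LAN, from a browser on another site, or with the factory password still set) combined into one small policy model. This is an added illustration, not code from any commenter or from any router vendor; the image header format, the 192.168.0.0/16 range and the default credential list are constructed for the example.

```python
import ipaddress
import zlib

# Constructed values for this toy model: header magic, the LAN range the
# comment mentions (192.168.yyyy.xxxx) and a couple of factory credentials.
FIRMWARE_MAGIC = b"FWIM"
LAN = ipaddress.ip_network("192.168.0.0/16")
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password")}


def entered_update_mode(button_samples, sample_hz, hold_seconds=10):
    """Physical-presence gate: True only if the reset button was held from
    power-up for hold_seconds without a break (one sample per 1/sample_hz s)."""
    held = 0
    for pressed in button_samples:
        if not pressed:
            break
        held += 1
    return held >= hold_seconds * sample_hz


def build_image(payload):
    """Wrap a payload in the toy header format: magic + payload + CRC32."""
    body = FIRMWARE_MAGIC + payload
    return body + zlib.crc32(body).to_bytes(4, "big")


def image_is_sane(image):
    """Reject a truncated or tampered image before anything is written to flash."""
    if len(image) < len(FIRMWARE_MAGIC) + 4 or not image.startswith(FIRMWARE_MAGIC):
        return False
    body, crc = image[:-4], int.from_bytes(image[-4:], "big")
    return zlib.crc32(body) == crc


def update_allowed(req, update_mode, image):
    """Web-interface policy: every check must pass, and the first failure
    is returned so the device log records why an upload was refused."""
    if not update_mode:
        return False, "update mode not entered via the physical button"
    if ipaddress.ip_address(req["client_ip"]) not in LAN:
        return False, "request did not come from the local subnet"
    if (req["user"], req["password"]) in DEFAULT_CREDENTIALS:
        return False, "factory default admin password still in use"
    if req.get("origin") != "http://" + req["host"]:
        return False, "cross-site request: Origin does not match the router"
    if not image_is_sane(image):
        return False, "firmware image failed header/CRC check"
    return True, "ok"
```

A missing Origin header is treated the same as a mismatched one, so a page on another site that submits the upload form through the victim's browser is refused even when the session is otherwise authenticated.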
@ Jeremy Southard
Well, not actually AT you mate, just in response... the "ph=f" thing... I've been doing it for over 30 years... I thought it was clever as a kid because technically it wasn't a swear word when I was actually typing or spelling FUCK.
It seems to have grown arms and legs since... sorry about that.
Sadly I think the "PHad" is here to stay
@ C Phurman
Unphortunately, your inophensive yet phleeting phlourish is conphirmed.
Spelling Jane with a 'y', I suppose?
Oh, and dotting 'I's with circles, or, hey! we could even draw those circles like tiny flowers!
RE:Is there anybody out there?
Is there anybody out there? ---> Am I coming in clear?
Fuion ---> Wonders if WonkaVision is having a malfunction...
"Most people don't change default router password.
If you change your router default Admin password, it's unlikely this idea can be exploited. No outside access required. Only a vulnerable browser and malicious website (Active X anyone?)"
I had a dream, and in that dream:
---> It is currently possible to remote exploit all SOHO routers that employ CMS.
---> Root password is stored inside firmwares such surrounded by cute quotes such as "root --> uid 0 -->The Lamma of all Evil"
---> Whole subnets can be "0wned", someone has forgotten to properly configure the Cisco ACL settings...
---> Even without CMS another tack can be employed to remote exploit without password. Who needs a password(s) when you are not required to use such to get the result.
In short: "Passwords" == overrated.
-=- End DNS Dream -=-
Alien because there is no Daemon icon???
I knew a truly lovely young lady called Jayne. The irony being that she dotted all her "i"'s with circles (Nice petals too ;oP)
This "PH" bidness
OK, in the beginning, it was cute, it was clever, it was sarcastic. Now it's spent, beat, wiped, played. Jumped the shark, already.
Still, where does that leave that old 18th Century English scientist who, iirc, discovered oxygen as a combustible gas in action but, not knowing what he'd discovered, named it "phlogiston"?