Thursday, May 22, 2008

"Phlashing" attacks could render network hardware useless

Ars Technica
By Joel Hruska | Published: May 20, 2008 - 07:40PM CT
http://arstechnica.com/news.ars/post/20080520-phlashing-attacks-could-render-network-hardware-useless.html  <--For Full Story

Most computer security coverage focuses on the PC realm, but Rich Smith, head of HP's Systems Security Lab, has identified a potential security flaw within a network's physical hardware rather than a typical desktop or server system. Smith's report focuses on a class of devices he refers to as Network Enabled Embedded Devices (NEEDS for short), and how such systems could be attacked at the firmware level through a process he refers to as "phlashing."

Attacking system firmware isn't a new tactic—the CIH/Chernobyl virus was capable of overwriting BIOS firmware back in 1998—but focusing such attacks on network hardware would be an unusual step, and could prove quite successful in at least the short term.

[snip]

The "phlashing" attack vector Smith plans to discuss at EUSectWest next week involves exploiting these security flaws to launch what he refers to as a Permanent Denial of Service, or PDOS attack.

Such an attack would be launched by uploading a purposefully corrupted BIOS into a device, causing the system to crash. Depending on the configuration of the network in question, strategically crashing a small handful of routers could bring down a network or business. What's worse, Smith argues, is that the company or organization under attack would have no effective way of fighting back or repairing the damage short of replacing the hardware in question.

As Dark Reading's article on the subject points out, however, the question of whether or not hackers would even launch such attacks is open to debate.

[snip]

There's also a significant level of risk associated with actively destroying a legitimate company's network hardware. Today, malware, and the need to protect from it, is an accepted part of IT security. Phishers and scammers of all types are certainly pursued, but the big law enforcement guns are typically reserved for high-profile cases where a great deal of money is actively changing hands. Destroying or crippling a company's network hardware is one of the fastest ways to draw attention to yourself, and most criminal organizations prefer to stay off the radar, not dance on top of it in an aluminum monkey suit.

[snip]


Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Introduction

Motto: If Gods wills, failure's no option and mediocrity not acceptable.

Mission: To be the best man I can possibly be, while realizing any good thing I do is of Christ and any bad thing is a result of my inherently sinful nature.

Guiding Scripture: Haven't I commanded you: be strong and courageous? Do not be afraid or discouraged, for the LORD your God is with you wherever you go.
~Joshua 1:9