Posted by: Ken Harthun
Cyber warfare, Opinion, Remote Code Execution, Security, Security management, Vulnerabilities
It has long been one of those things “everybody knows” that viruses and other malware cannot physically damage hardware. We’ve all seen those alarming emails that say, “…the virus destroys Sector Zero, thus permanently destroying the hard disk,” a statement we know is rubbish; at worst, the disk is rendered incapable of booting an OS, but the drive is still operable and the data recoverable. It seems that now, however, an HP researcher has found a way to exploit security vulnerabilities to create a permanent DoS (PDoS) attack by thrashing embedded hardware. From The Register:
The cyber-assault thrashes systems by abusing firmware update mechanisms. If successful, the so-called phlashing attack would force victims to replace systems.
The attack was demonstrated by Rich Smith, head of research for offensive technologies and threats at HP Systems Security Lab, at the EUSecWest security conference in London on Wednesday [21 May 2008]. Smith told Dark Reading that such a “permanent denial of service” attack could be carried out remotely over the internet.
The attack would be carried out by exploiting flaws in remote management interfaces to gain access to the system and then flashing or fuzzing the firmware binaries to render the hardware useless. One such remote management interface is HP’s Integrated Lights-Out (iLO), which is embedded in its ProLiant servers; however, Doug Hascall, an HP manager in charge of iLO firmware, believes the security architecture of the interface makes it invulnerable to the attack.
Security watchers, myself included, don’t see crackers destroying systems since there would be no money in it; rather, this attack could make it possible for them to plant malware inside of the firmware: a far more insidious threat. Moreover, a country’s enemies could use the technique as an effective cyberwarfare weapon either to take out critical infrastructure or to implant spyware to gather military intelligence.