Phlashing Attacks Could Destroy Your Hardware

A new type of security attack, codenamed phlashing, could do more damage than any other attack launched over the web: it can leave victims needing to replace their hardware.
According to various sources, security researchers have found that phlashing attacks, which target the hardware components of computers, may damage them and force owners to replace them. Rich Smith, head of research for offensive technologies and threats at HP Systems Security Lab, has already demonstrated such an attack at EUSecWest, a security conference which took place in London, The Register reports.

The attacks, which are also called permanent denial-of-service (PDOS) attacks, are said to be more efficient yet cheaper than traditional attacks in which hackers attempt to drop malware on certain computers, mostly because they do not require botnets or other expensive resources.

"We aren't seeing the PDOS attack as a way to mask another attack, such as malware insertion, but [as] a logical and highly destructive extension of the DDOS criminal extortion tactics seen in use today," Rich Smith told Dark Reading. "Phlashing attacks can achieve the goal of disrupting service without ongoing expense to the attacker; once the firmware has been corrupted, no further action is required for the DOS condition to continue."

However, there are many reasons to hope that such attacks won't become too popular among hackers, mainly because attackers are usually interested in some kind of return, whether that is money or data access. For instance, attackers who attempt to drop malware on vulnerable computers sometimes look for private financial information which could then be resold or used for their own illegal activities.

It appears that these phlashing attacks mostly rely on firmware modifications which, once made, could break the hardware entirely. However, one of the positive aspects is that not all users have the authorization to access the firmware, so phlashing attacks could remain only isolated cases for the time being. "Unfortunately, there isn't a magic bullet, but making sure the flash update mechanisms have authentication so as not just anyone can perform an update is a start. Beyond this, flash update mechanisms need to be designed with malicious attacks in mind," Rich Smith explained.
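As an added illustration of the mitigation Smith describes (this is not code from the article or from HP), the sketch below shows a device-side gate that authenticates a firmware image before anything is written to flash. The image layout, the `FWUP` magic, the key and the version check are assumptions made for this example, and HMAC-SHA256 with a shared key stands in for the asymmetric signature a production updater would normally use.

```python
import hashlib
import hmac
import struct

# Constructed image layout (an assumption for this example):
#   magic "FWUP" | version u32 | payload length u32 | payload | HMAC-SHA256 tag
HEADER = struct.Struct(">4sII")
TAG_LEN = hashlib.sha256().digest_size
MAGIC = b"FWUP"

def build_image(key, version, payload):
    """Vendor side: package a payload and authenticate header + payload."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

def verify_image(key, image, installed_version):
    """Device side: return (ok, reason). Flash is written only when ok is True."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated image"
    magic, version, length = HEADER.unpack_from(image)
    if magic != MAGIC:
        return False, "bad magic"
    if length != len(image) - HEADER.size - TAG_LEN:
        return False, "length field does not match image size"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "authentication failed"
    # The version is trusted only after the tag has been checked.
    if version <= installed_version:
        return False, "rollback or replay of an old image"
    return True, "accepted"

# Constructed sample data: a valid image and a copy with one payload byte flipped.
DEVICE_KEY = b"\x11" * 32
GOOD = build_image(DEVICE_KEY, 7, b"firmware-bytes" * 16)
CORRUPT = GOOD[:20] + bytes([GOOD[20] ^ 0xFF]) + GOOD[21:]

if __name__ == "__main__":
    for name, img in [("good", GOOD), ("corrupt", CORRUPT), ("short", GOOD[:10])]:
        print(name, verify_image(DEVICE_KEY, img, installed_version=6))
```

The point of the ordering is that every rejection path returns before any flash write would occur, so a corrupted or unauthenticated image never replaces working firmware.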

[Source: zdnet]