Flash memory is great technology. It's used in many diverse ways and is especially useful because it allows for mission-critical code to be changed on the fly when necessary. For example, you can flash a computer BIOS with core system-level updates, load new driver code into your printers, and load new mini-OS code or OS-helper code into a variety of devices such as disk drives, media players, mobile phones, PDAs, and other embedded systems.
Unfortunately, although flash-based devices are incredibly flexible, not everyone is aware of exactly which devices in their networks have such memory. What's even more of a problem is that some devices can have their flash memory updated without the need for any type of authentication. That poses a rather obvious problem, and Rich Smith of HP Systems Security Lab thinks it's destined to become a big security concern.
Last week at the EUSecWest conference in London (see the URL below), Smith revealed some of his research into a potential nightmare that he calls called Permanent Denial of Service (PDoS), which would be induced by a "Phlash" attack. That is to say, a Phlash attack is a condition in which an intruder flashes a device with faulty code that renders a device permanently disabled. You might have experienced this at your own hand if you've ever tried--and failed--to flash a WiFi router with new code only to discover that the update didn't complete properly and as a result your router completely stopped working.
eusecwest.com/speakers.html#PhlashDance
Smith thinks that because vendors are working feverishly to harden OSs and applications, intruders will eventually turn to new targets, namely flash-based devices. He points out that because Phlash attacks are a one-off type of attack, they might become more appealing because a botnet isn't necessary, as in distributed denial of service (DDoS) attacks. So, any sort of network-enabled device that has a flash update mechanism could potentially become a target of a Phlash attack.
Granted, many devices have authentication mechanisms that must be surpassed before a flash update can take place. However, there are a lot of devices in use today that either have no authentication mechanism or are shipped with default passwords that are never changed by device operators. The potential for a Phlash attack points out the need to examine and possibly augment your audit procedures. In short you need to know if you have any flash-enabled devices on your network, and if you do, which ones are vulnerable.
I don't know of any tool that can automate such an audit process; however, Smith has developed a generic fuzzing framework called PhlashDance that can help identify devices that are potentially vulnerable to Phlash attacks. Unfortunately he has no immediate plans to release that framework, so maybe we'll see someone else come up with a solution and make it generally available before the bad guys come up with one and start using it to identify potential targets.
The good news is that there are no known Phlash attacks happening at this point. In addition, some people think these attacks aren't likely to occur. These people base their opinion on the idea that simply destroying a device isn't attractive to bad guys because destruction doesn't necessarily bring the kind of financial rewards that extortion can bring. However, these attacks could start at any time--I wouldn't underestimate the willingness of a sociopath to do harm out of sheer spite, even if it means no financial reward. For many sick minds destruction in and of itself is more than enough of a reward. Therefore auditing your systems now, as best you can, is a good idea.
