Sat 05 Jul 2008

Edited by Paul Hales

Published by Incisive Media Investments Ltd.

HP man to demo Permanent Denial of Service

Virtual gets physical on your hardware

A MAN WHO makes a living from talking up networking threats and creating fixes for non-existing ones will deliver a controlled Permanent Denial of Service (PDOS) attack this week as proof that there is such a thing.

Agent Smith, Head of Research for “offensive technologies & threats” at HP Security Systems Lab, claims that his own “phlashing” tool, dubbed Phlashdance, can fill up your device with random data and botch up your firmware delivery system, literally bricking a network device until it is physically replaced or its firmware reprogrammed (fat chance). He plans to demonstrate it this week at the EUSecWest conference taking place in London.

Conversing with the insecurity editor at Dark Reading, Agent Smith pointed out that this is a one-shot one-kill attack with a high cost to the target, while DDOS attacks usually require a lengthy, concentrated effort (usually dozens or hundreds of zombies, unaware of what’s going on). This would make PDOS more or less the sniper rifle of the network world – but, alas, it has never been fired in the wild, says Smith.

Hijacking one’s network device and fuzzing its firmware should be pretty easy, as this is standard operating procedure when you actually upgrade it yourself. But since remote connections to these devices are usually over non-secure protocols, there is a risk that someone could hook up your device with some naughty code. Botching up the firmware on a network device probably happens more often than you'd think.

Maybe it’s time for network device manufacturers to beef up security protocols on their devices. Maybe. µ

L’Inq
Dark Reading

Comments

Nice

My teacher is always encouraging me to learn new things and broaden the horizons. Perhaps the exoserver disagrees...
posted by : dingus, 21 May 2008

Keep Terminal For backup.

Denial of Service is old Game. Conducted by Anyone who knows your service provider. By collecting enough info about you, often from newsgroup posting, ISP is implored to "Shut you Down".

It's Cheap, easy & ruined AOL SetTop Box Business Permanently. In Fact, ne'er-do-wells are ruining Public computing in General
drashek
posted by : Terminal_Ultie, 22 May 2008

Boldly Going .....

Sounds like Agent Smith is on an Orange Mission for DaneGeld Payment. Bravo, Sir, but it is Dodgy Territory for just Wannabes. Are you XXXXPerienced ?
posted by : amanfromMars, 23 May 2008