By Joel Hruska
May 20, 2008
Most computer security coverage focuses on the PC realm, but Rich Smith, head of HP's Systems Security Lab, has identified a potential security flaw within a network's physical hardware rather than a typical desktop or server system. Smith's report focuses on a class of devices he refers to as Network Enabled Embedded Devices (NEEDS for short), and how such systems could be attacked at the firmware level through a process he refers to as "phlashing."
Attacking system firmware isn't a new tactic—the CIH/Chernobyl virus was capable of overwriting BIOS firmware back in 1998—but focusing such attacks on network hardware would be an unusual step, and could prove quite successful in at least the short term. According to Smith, the ongoing war between security vendors and malware authors will inevitably drive exploration into new, non-PC-centric attack vectors as loopholes within the PC ecosystem become increasingly harder to exploit. NEEDS could therefore become a future target of opportunity, especially considering the poor default security state most of these systems ship with.
Currently, NEEDS are treated as part of a network's topology rather than as individual devices requiring their own set of security procedures and practices. As a result, such devices may present a nearly unguarded attack vector, particularly if the remote management software for any given unit has bugs of its own. The "phlashing" attack vector Smith plans to discuss at EUSecWest next week involves exploiting these security flaws to launch what he refers to as a Permanent Denial of Service, or PDOS attack.
Such an attack would be launched by uploading a purposefully corrupted BIOS into a device, causing the system to crash. Depending on the configuration of the network in question, strategically crashing a small handful of routers could bring down a network or business. What's worse, Smith argues, is that the company or organization under attack would have no effective way of fighting back or repairing the damage short of replacing the hardware in question.
As Dark Reading's article on the subject points out, however, the question of whether or not hackers would even launch such attacks is open to debate. Commercial malware campaigns have historically been far more interested in utilizing systems for profit than in destroying them, and the ability to compromise a router or another embedded system's firmware would likely result in a number of attacks that sought to capitalize on this capability rather than destroy it.
There's also a significant level of risk associated with actively destroying a legitimate company's network hardware. Today, malware, and the need to protect against it, is an accepted part of IT security. Phishers and scammers of all types are certainly pursued, but the big law enforcement guns are typically reserved for high-profile cases where a great deal of money is actively changing hands. Destroying or crippling a company's network hardware is one of the fastest ways to draw attention to yourself, and most criminal organizations prefer to stay off the radar, not dance on top of it in an aluminum monkey suit.
PDOS attacks may never become a major threat, but Smith has a point when he talks about the ever-widening scope of malware. The criminal software industry has proven itself to be exceptionally adroit at adopting new and different attack vectors, and could conceivably shift its focus (or at least open a front) against an entirely different target. Strengthening network security by focusing on devices rather than PCs certainly wouldn't hurt anything, and it could provide protection against headaches down the road.