Phlashing is a permanent denial of service (DoS) attack that exploits a vulnerability in network-based firmware updates. Such an attack is currently theoretical but if carried out could render the target device inoperable.
Rich Smith, head of HP's Systems Security Lab, discovered the vulnerability and demonstrated the attack at the EUSecWest security conference in June 2008. In a real-world execution, an attacker could use remote firmware update paths in network hardware, which are often left unprotected, to deliver corrupted firmware and flash this to the device. As a result, the device would become unusable.
The likelihood of phlashing attacks is under some debate. Like other types of exploits, DoS has become increasingly profit-driven. Although phlashing would be cheaper to execute and more damaging than a traditional DoS attack, its potential for gain is limited because once the network hardware has been rendered useless, the victim has no incentive to pay the attacker. The attacker's only prospect for gain would be to threaten to attack and demand a payoff to refrain from doing so. However, as suggested on the Hack a Day blog, the same attack vector could be more effectively used to flash a device with malware-embedded firmware.
Continue Reading About phlashing
- On ars technica, Joel Hruska explains how 'Phlashing attacks could render network hardware useless.'