Stop Software Attacks From Destroying Your Servers
Posted on 07/06/2011 7:43:40 AM PDT by ShadowAce
Stuxnet-style malware that attacks computer hardware could put your company out of business by physically destroying the servers, networking equipment and storage resources in your data center. Unlike Stuxnet, however, this type of malware is easy to create.
That's the stark warning Itzik Kotler issued at the HackInTheBox hacker convention in Amsterdam last month. Kotler is the chief technology officer of the information security company Security Art.
Software attacks that stop the physical hardware from ever working again are known as Permanent Denial of Service (PDoS) attacks. The Stuxnet virus -- which attacked Iran's nuclear facilities -- was so complex that many security companies concluded it must have been the work of one or more government agencies rather than individual hackers.
But that doesn't mean all PDoS attacks have to be difficult to devise, according to Kotler. "Think about it -- you can 'brick' an iPhone or iPod accidentally when you try and jailbreak it," he pointed out. Back in 2008 at EUSecWest, HP researcher Rich West demonstrated that NAS, security and networking appliances can be vulnerable to malware that downloads malicious firmware and flashes the appliance with it, rendering the hardware unusable. For that reason there has been a trend toward ensuring that appliance firmware updates are digitally signed by the manufacturer.
It's not just appliances that are susceptible to "phlashing," as flashing with deliberately defective software is known. You can brick a server or router by phlashing the CPU with damaged or malicious microcode, or by phlashing the BIOS with garbage. Although it is usually possible to reflash a server BIOS to get it working again, Kotler pointed out that if 5,000 servers on the same network had their BIOS phlashed at the same time, the consequences would still be devastating to the organization that was the victim of the attack. Other hardware, such as graphics cards, disk drives and high-end network interface cards with a TCP Offload Engine (TOE), can also be permanently disabled by phlashing with damaged firmware.
But what about causing real physical damage to computer hardware? Software attacks can cripple hardware easily, Kotler said. "We are used to software damaging other software, but people forget that software controls hardware. That means you can alter software to make hardware perform operations that slowly damage it over time, and you can also make hardware damage other bits of hardware."
Some simple ways that malicious software can damage your server hardware include:
    while true; do dd if=/dev/xxx of=/dev/xxx conv=notrunc; done
creates an infinite loop of disk read and write requests, which will quickly cause a server hard drive to fail through heat damage, while:
    hdparm -S 1 /dev/xxx
    while true; do sleep 60; dd if=/dev/random of=foobar count=1; done
    dd if=/dev/urandom of=/dev/xxx
Since there is little specific that companies can do to defend against PDoS attacks beyond using signed firmware updates when they are available, Kotler said he believes it may only be a matter of time before PDoS attacks become more popular.
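The one concrete defence the article names is digitally signed firmware, so here is what that check looks like in practice. This is an added example, not code from the article, from Security Art or from any vendor: the image layout (a "FWIM" magic, a version field, the payload, and a trailing Ed25519 signature) is assumed for illustration, and the key pair is generated on the fly. The point it makes beyond the prose is that a signature alone is not enough; the verifier also pins the vendor's public key and refuses to flash an older version, so a corrupted image, an image signed by the wrong key, and a rollback to a known-bad release are all rejected before anything is written to the device.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout assumed for this example (not any vendor's real format):
//   magic "FWIM" (4 bytes) | version (4 bytes, big-endian) | payload | Ed25519 signature (64 bytes)
// The signature covers everything before it, so neither version nor payload can be altered.
var magic = []byte("FWIM")

const headerLen = 8

// PackFirmware builds a signed image; the vendor does this with a private key that never leaves its build system.
func PackFirmware(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var hdr [headerLen]byte
	copy(hdr[:4], magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	body := append(hdr[:], payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyFirmware is what a flashing tool (or the device's own bootloader) runs before writing anything.
// It returns the version and payload only if the signature verifies under the pinned vendor key and the
// version is not older than what is installed (anti-rollback: a known-bad old release cannot be re-flashed).
func VerifyFirmware(pub ed25519.PublicKey, image []byte, installedVersion uint32) (uint32, []byte, error) {
	if len(image) < headerLen+ed25519.SignatureSize {
		return 0, nil, errors.New("image too short to be valid")
	}
	split := len(image) - ed25519.SignatureSize
	body, sig := image[:split], image[split:]
	if !bytes.Equal(body[:4], magic) {
		return 0, nil, errors.New("bad magic: not a firmware image")
	}
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, errors.New("signature invalid: image was modified or not signed by the vendor key")
	}
	version := binary.BigEndian.Uint32(body[4:headerLen])
	if version < installedVersion {
		return 0, nil, fmt.Errorf("rollback refused: image version %d is older than installed %d", version, installedVersion)
	}
	return version, body[headerLen:], nil
}

// SelfCheck exercises the four outcomes a flashing tool must get right.
// It returns true only if the genuine image is accepted and the three bad ones are rejected.
func SelfCheck() (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	img := PackFirmware(priv, 7, []byte("constructed payload bytes")) // constructed sample payload
	v, payload, err := VerifyFirmware(pub, img, 5)
	if err != nil || v != 7 || string(payload) != "constructed payload bytes" {
		return false, fmt.Errorf("genuine image rejected: %v", err)
	}
	tampered := append([]byte(nil), img...)
	tampered[headerLen] ^= 0x01 // flip one payload bit, as corrupted "phlash" data would
	if _, _, err := VerifyFirmware(pub, tampered, 5); err == nil {
		return false, errors.New("tampered image accepted")
	}
	if _, _, err := VerifyFirmware(pub, img, 9); err == nil {
		return false, errors.New("rollback to older version accepted")
	}
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	if _, _, err := VerifyFirmware(otherPub, img, 5); err == nil {
		return false, errors.New("image signed by a different key accepted")
	}
	return true, nil
}

func main() {
	ok, err := SelfCheck()
	fmt.Println("all checks behaved as expected:", ok, err)
}
```

In a real deployment the public key is burned into the device or shipped with the flashing tool, never fetched alongside the image, and the verification runs on the device side as well as on the administrator's host; otherwise malware that already controls the host can simply skip the check.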
As a hardware type, I’ve always been wary of allowing the s/w to access certain portions of the memory and control mechanisms (regardless of the so-called benefits it produces).
Having lost this argument many times, it’s somewhat refreshing to finally have my concerns vindicated.
All of my servers are impenetrable, and will continue running, no matter what happens. (I'm off work this week! muahahahaha)
Reminds me of the old Bastard Operator From Hell support call with a secretary, "Oh, you just need to discharge the excess static buildup in your computer. Flipping the power switch back and forth about 40 times should do it."
*click* *click* *click* *click* ... *POP!*
Seriously though, it's funny what higher technology brings. I remember back in the 80s it was impossible to damage a home computer's hardware through software. There was even a joke program about it once in an Atari magazine.
Thanks for the post.
Flash firmware updates are problematical at best. Disaster when unintended.
LOL! I love that headline
This isn’t on topic, but I have a question. I have a recovery drive (D) on my computer (HP) - that allows me to take my computer back to a ‘factory’ level... Is it possible for a hacker to get into the recovery drive?
Absolutely. You can get into it yourself very easily. The standard MS Explorer will get you there and then display a warning from HP not to monkey with any of the files. Explorer won’t take you any deeper in, but the command-line interface (cmd on most systems, or PowerShell if you’ve got it) will not only take you there, it will allow you to list the files therein and write out their contents. I just did this on my Vista system, which I haven’t done any real customization to, and it didn’t squawk in the least.
That partition can be accessed quite easily. If I can do it through the command-line console when I’m logged in as a user (i.e., I’m not logged in as administrator), then any hacker who can get user privileges on your system can access that partition.
If that malware causes physical effects such as CPU heat generation, excess disk activity, or (old hands will remember this one) overdriving your CRT monitor, the damage is physical and the component must be replaced. That's one reason a system administrator monitors that sort of thing, and destructive disk activity in particular will cause a very noticeable decrease in performance.
This is true of workstations as well as servers but the focus of the article is on servers because that's where the maximum damage may be done if damage is what you have in mind. Mostly for workstations these days the intention is not destruction but to hijack them for other, criminal, commercial uses such as spam botnets; it really isn't worth a criminal's time to toast your BIOS just for fun.
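The comment above makes the defender's point: sustained, abnormal disk activity is both the damage mechanism and the signal an administrator can watch for. The following is an added example, not code from the article or from any commenter, of that monitoring on Linux: it parses the /proc/diskstats format (field 13 is milliseconds the device spent doing I/O), turns two successive polls into a utilization figure, and alerts only after a device has been near 100% busy for several polls in a row so that a single backup burst does not page anyone. The three snapshots are constructed, not captured from a real host; in production the polling loop would read the real file on a timer.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// DiskStat holds the counters from one /proc/diskstats line that matter here.
type DiskStat struct {
	Reads, Writes  uint64 // completed I/O requests
	SectorsRead    uint64
	SectorsWritten uint64
	MsDoingIO      uint64 // field 13: milliseconds the device was busy
}

// ParseDiskstats extracts the counters for one device name from /proc/diskstats text.
// Field layout: major minor name reads rd_merged rd_sectors rd_ms writes wr_merged wr_sectors wr_ms in_flight io_ms weighted_ms
func ParseDiskstats(text, dev string) (DiskStat, error) {
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) < 14 || f[2] != dev {
			continue
		}
		var vals [14]uint64
		for i := 3; i < 14; i++ {
			v, err := strconv.ParseUint(f[i], 10, 64)
			if err != nil {
				return DiskStat{}, fmt.Errorf("%s: bad field %d: %v", dev, i, err)
			}
			vals[i] = v
		}
		return DiskStat{Reads: vals[3], Writes: vals[7], SectorsRead: vals[5], SectorsWritten: vals[9], MsDoingIO: vals[12]}, nil
	}
	return DiskStat{}, errors.New("device not found: " + dev)
}

// Utilization returns the fraction of the polling interval the device was busy (0..1).
func Utilization(prev, cur DiskStat, intervalSec float64) float64 {
	return float64(cur.MsDoingIO-prev.MsDoingIO) / (intervalSec * 1000)
}

// ThrashDetector alerts once a device has exceeded Threshold for Consecutive polls in a row.
type ThrashDetector struct {
	Threshold   float64
	Consecutive int
	hits        map[string]int
}

// Observe records one poll for dev and reports whether the alert condition is now met.
func (d *ThrashDetector) Observe(dev string, util float64) bool {
	if d.hits == nil {
		d.hits = map[string]int{}
	}
	if util >= d.Threshold {
		d.hits[dev]++
	} else {
		d.hits[dev] = 0 // a quiet poll resets the streak
	}
	return d.hits[dev] >= d.Consecutive
}

// samples are constructed /proc/diskstats snapshots ten seconds apart: sda is idle-ish, sdb is being hammered.
var samples = []string{
	"   8       0 sda 1000 0 80000 2000 500 0 40000 1500 0 3000 3500\n   8      16 sdb 200 0 16000 400 100 0 8000 300 0 700 800",
	"   8       0 sda 1050 0 84000 2100 520 0 41600 1560 0 3400 3950\n   8      16 sdb 50200 0 4016000 8900 50100 0 4008000 8800 4 10680 18500",
	"   8       0 sda 1100 0 88000 2200 540 0 43200 1620 0 3800 4400\n   8      16 sdb 100200 0 8016000 17400 100100 0 8008000 17300 4 20660 36200",
}

// Assess runs the detector over the constructed snapshots and returns the devices that tripped it.
func Assess() []string {
	det := &ThrashDetector{Threshold: 0.95, Consecutive: 2}
	var alerted []string
	for _, dev := range []string{"sda", "sdb"} {
		prev, err := ParseDiskstats(samples[0], dev)
		if err != nil {
			continue
		}
		for _, snap := range samples[1:] {
			cur, err := ParseDiskstats(snap, dev)
			if err != nil {
				continue
			}
			if det.Observe(dev, Utilization(prev, cur, 10)) {
				alerted = append(alerted, dev)
				break
			}
			prev = cur
		}
	}
	return alerted
}

func main() {
	fmt.Println("devices busy above threshold for consecutive polls:", Assess())
}
```

With these numbers sda stays around 4% busy while sdb is at 99.8% in both intervals, so only sdb is reported. A thrash alert is the trigger to look at which process owns the I/O (iotop or /proc/<pid>/io) rather than something to act on blindly, since a legitimate RAID rebuild or full backup produces the same counters.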
Generally speaking, if your recovery partition has been hacked, then I would regard it as being a write-off; if it’s been infected by malware, you might try running your anti-virus on it, although you might have to pull the drive and put it into an external enclosure first (that way, any protective malware on the C: drive cannot load at boot to protect the other malware).
That being said, it would probably be easiest to find out if you can purchase a recovery disk for your system from the manufacturer; it will depend on the individual manufacturer, but I do believe that Dell, for example, has those available for a lot of older systems. Be forewarned though that if the system is more than a few years old, you may have to pay at least $20 or more for the disk and you may have to wait quite a while before it gets shipped.
Bottom line, check with the manufacturer to see what they have. If they don’t have it because they no longer sell it, then you might google around to see if some third-party company purchased the manufacturer’s remaining stock and is now selling it.
Thanks for the help - got this computer in ‘07 - might be time to replace it anyhow. I’ll call HP - check on the cost and time to fix etc... What a mess - again, thanks for your help.