We often talk about security risks that are exploited frequently, but there is one that can completely destroy a user's computer and against which there is little protection. The attack method is called PDOS (permanent denial of service), and although it was once thought to be theoretical, it is cheaper and much more efficient than a denial-of-service attack or malware (depending on what the attacker wants to do with the victim). All it requires is extremely in-depth knowledge of the hardware the target is using.
What is a PDOS attack? It damages a system’s hardware to such an extent that the owner must replace it for the computer to continue functioning. It does this by attacking the most vulnerable, most overlooked component in a computer: embedded devices. The attacker finds out what type of embedded device is used and flashes, or "phlashes" (the term for malicious flashing), the device so that it becomes completely corrupt.
The attack has been performed successfully by Rich Smith, head of research for HP Systems Security Lab, at the EUSecWest security conference in London. He developed a tool he called ‘PhlashDance’, which corrupts the binaries of a firmware image and then flashes those corrupt binaries to the system. Most systems are vulnerable to this because they usually receive firmware updates automatically and were not designed to withstand malicious updates, and some update mechanisms require no authentication from the user, so anyone can perform a firmware update. The benefit of a PDOS attack for the attacker is that it is a one-shot attack: afterwards it requires nothing more from the attacker, unlike a DoS or DDoS attack.
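The missing authentication described above is what an update gate addresses. The following is an added example, not code from PhlashDance or any vendor: the image layout, the key and all function names are hypothetical, and HMAC stands in for the asymmetric signature a real device would normally use so that it holds no signing secret.

```python
import hashlib
import hmac
import struct

MAGIC = b"FWIM"                      # hypothetical image format, constructed for this example
HEADER = struct.Struct(">4sII")      # magic, version, payload length
TAG_LEN = hashlib.sha256().digest_size


def build_image(payload: bytes, version: int, key: bytes) -> bytes:
    """Vendor side: header + payload + HMAC-SHA256 tag over both."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def check_image(blob: bytes, key: bytes, installed_version: int) -> bytes:
    """Device side: return the payload only if the image is authentic, else raise ValueError."""
    if len(blob) < HEADER.size + TAG_LEN:
        raise ValueError("image too short")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    # Authenticate first, in constant time, before trusting any header field.
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("authentication tag mismatch")
    magic, version, length = HEADER.unpack_from(body)
    if magic != MAGIC or length != len(body) - HEADER.size:
        raise ValueError("malformed header")
    if version <= installed_version:
        raise ValueError("rollback or replay of an old image")
    return body[HEADER.size:]


def apply_update(blob: bytes, key: bytes, installed_version: int, flash: bytearray) -> bool:
    """Write to flash only after the whole image has been verified."""
    try:
        payload = check_image(blob, key, installed_version)
    except ValueError:
        return False                 # flash is left untouched
    flash[:len(payload)] = payload
    return True


if __name__ == "__main__":
    key = b"constructed-demo-key"    # placeholder secret, not a real device key
    flash = bytearray(16)
    good = build_image(b"new firmware", 2, key)
    bad = bytearray(good)
    bad[HEADER.size] ^= 0xFF         # one corrupted payload byte
    print(apply_update(bytes(bad), key, 1, flash), bytes(flash))
    print(apply_update(good, key, 1, flash), bytes(flash))
```

The corrupted image is rejected before any byte reaches flash, which is the property an unauthenticated update mechanism lacks.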
However, there are more drawbacks than benefits. A PDOS attack is extremely hard to perform because of the intricate knowledge the attacker must have of the system’s hardware. There is also really no benefit for the attacker, since they just crash the system rather than infecting it. There is no way for it to spread, making it very unlikely that an attacker would spend the time developing such an attack, let alone use it.
Smith has no plans to release ‘PhlashDance’, and this remains the only proven use of a PDOS attack in public. Even though this is a very big risk, it benefits no one, and the attacker wouldn’t get any profit from an attack like this. Overall, while it is very unlikely to happen, it is public in some systems, which makes for an interesting scenario: what if someone decided to use it?