LONDON — Remote attacks that can damage a network’s hardware severely enough to render it useless no longer are the stuff of science fiction.Last week at the EUSecWest security conference, Rich Smith, head of research for offensive technologies and threats at HP Systems Security Lab, demonstrated a so-called phlashing attack, a sort of permanent denial-of-service attack (PDOS) that comprises hardware sabotage.

Unlike distributed denial-of-service attacks, which often are used to annoy or conceal other motives like malware insertion or phishing, PDOS attacks are designed to cause extensive, permanent damage and cost network owners money.

“We aren’t seeing the PDOS attack as a way to mask another attack, such as malware insertion, but [as] a logical and highly destructive extension of the DDOS criminal extortion tactics seen in use today,” Smith told DarkReading.com, a website that analyzes and reports about security vulnerabilities.

Although a PDOS attack of the type Smith demonstrated would result in costly hardware replacement for the victim, it would be much less expensive than a DDOS attack. DDOS attacks require investment from the attacker for the duration of the event, but PDOS attacks represent one-shot dynamite.

During the demonstration, Smith used a “fuzzing” tool he developed not only to detect vulnerabilities, but also as a proof-of-concept vehicle for launching attacks. The PhlashDance tool “fuzzes” the code within network-enabled systems’ firmware update protocol. Because firmware updates normally are set to install automatically, the protocols typically aren’t difficult to access — and disastrous results can ensue.

“Phlashing attacks can achieve the goal of disrupting service without ongoing expense to the attacker,” Smith said. “Once the firmware has been corrupted, no further action is required for the DOS condition to continue.”

Thankfully, Smith said he hasn’t seen any PDOS attacks “in the wild” yet. However, he recommended system administrators take steps to protect themselves.

“Unfortunately, there isn’t a magic bullet [to protect against PDOS attacks], but making sure the flash update mechanisms have authentication so as not just anyone can perform an update is a start,” he said. “Beyond this, flash update mechanisms need to be designed with malicious attacks in mind.”