What is Phlashing?

Phlashing is a technique which can be used to permanently disable hardware by loading a corrupted BIOS onto the hardware. In a simple example of phlashing, a digital camera could be rendered inoperable by destroying the firmware which is used to run the camera. A phlashing demonstration was performed for security professionals in May 2008, illustrating the potential dangers of this technique, although many professionals were skeptical about whether or not phlashing would actually be used in the wild.

This technique relies on the fact that electronics like computers, routers, cameras, scanners, and other peripherals rely on firmware to run, and such firmware needs to be updated periodically. As a result, manufacturers set their equipment up in such a way that it is easy to update the firmware, and in many cases poor security protocols are in place, leaving the electronics vulnerable to attack.

When someone updates the firmware on a device, it is known as “flashing,” and the word “phlashing” is clearly derived from the more legitimate sense of firmware updates. As anyone who has upgraded firmware knows, flashing can be a dicey business, as any interruption in the process can brick the hardware, rendering it inoperable. When something is phlashed, the bricking would be deliberate.

In terms of hacking tools, phlashing isn't terribly effective, unless the goal is to get revenge. Some security professionals have suggested that phlashing could be used by griefers, for example, or by hackers who attempted to bring down a server with a Denial of Service Attack first. Phlashing is sometimes referred to as a “Permanent Denial of Service Attack,” in a reference to this, as the destruction of vital hardware like routers and servers would certainly result in an interruption of service.

Phlashing could also potentially be used to take over a piece of hardware, by updating firmware which allowed for easy remote access. This could create a major security breach, especially if the hardware involved was a server or router, as large amounts of sensitive information passes through servers and routers.

In response to the threat of phlashing, organizations concerned with electronic security have suggested that it may be time to develop less vulnerable firmware to protect consumers and the industry in general.