SYNful Knock is no Stuxnet, says researcher

'Nation state' resources? Naah, just assembler

Yet another set of shivers is running up spines at Cisco, with a researcher from Grid32 claiming that “rooting” the company's IOS firmware isn't as hard as people think.

The issue of compromised firmware arose in August when the company first warned that its ROMMON firmware images could be replaced with a compromised version by a malicious admin.

The vulnerability, since dubbed “SYNful Knock”, has since been spotted in the wild, with Cisco working hard to identify embaddened boxen.

It's been widely assumed the only reason SYNful Knock and similar attacks aren't widespread is the arcane nature of firmware hacking – and that's what Grid32's Luca Hall has decided needs wider discussion.

In this paper (PDF), Hall says the idea that a firmware-based attack “involves advanced knowledge or nation state level resource” is a “common misconception”.

While the 32-page paper isn't quite messing about with trivia, Hall reckons the work involved needs far, far less than such sophistication: “a week‘s worth of studying PowerPC assembly, a week‘s worth of studying disassembly, and about a week‘s worth of writing code and debugging time” is sufficient, he claims, for anyone with the basics of assembly language under their belt to create a firmware-based rootkit.

“Binary modification to the firmware of a Cisco device running IOS merely involves basic coding skills, knowledge of assembly language for the target architecture, a base level knowledge of disassembly, combined with time and interest”, Hall concludes. ®




Biting the hand that feeds IT © 1998–2019