Security Assumptions About Ilo And Its Environment; Comparing The Ilo Processor To Other Service Processors; Phlashing; Ilo Strengths Against Common Attacks - HP AB500A - Integrated Lights-Out Advanced Technology Brief

Security assumptions about iLO and its environment

Persons with physical access to a server can alter the host server and the iLO setup. Therefore, it is
assumed that any individual with unrestricted access to the inside of a server enclosure is a super-user
or administrator. These individuals may be able (by design) to delete, modify, or reset user account
information for Lights-Out management security components. For example, someone with access to the
inside of a server can access the security override jumper and reconfigure iLO through ROM-Based
Setup (RBSU), reprogram the iLO ROM, or reprogram the boot block.
Lights-Out incorporates layers of security and uses industry-standard methods to make the server as
secure as possible. For example, cryptographic keys employed in iLO use a minimum key length of
128 bits and conform to published industry standards.
HP manufactures the servers using iLO with a process designed to protect sensitive information. Unless
authorized by a "Factory Special" manufacturing process, HP retains no record of initial or default
management security keys and data any longer than the manufacturing process requires. The
manufacturing process does not expose sensitive key or password data to manufacturing personnel in
a manner that can be used to later compromise security of the iLO processor. Each server using iLO
ships with a unique, unpredictable iLO password as the default Administrator account password. This
ensures security out-of-the box. Customers with specific security requirements can order HP servers
with pre-configured iLO passwords or use HP deployment utilities to assign customer-specific
passwords.
The iLO processor automatically enforces generation of new, unique, and site-specific keys used by
SSL once a customer deploys the server. HP cannot determine these site-specific keys. The iLO
management processor does not transmit these keys or any other information to HP from a customer
location.

Comparing the iLO processor to other service processors

The iLO management processor and feature set have been widely accepted as the standard for
servers and data centers employing remote management. The evidence to support this assertion can
be found in numerous technical forums and blogs. However, this has also led to the adoption of the
iLO name as a generic reference for all management processors and led to some misinformation
concerning the true capabilities of iLO.

Phlashing

One example of misinformation is the claim that iLO is susceptible to "phlashing" Phlashing is a
permanent denial of service (PDOS) attack. At this point, phlashing attacks are theoretical, but the
possibility of such attacks was made clear in a June 2008 demonstration by Rich Smith, head of
research for offensive technologies and threats at HP Systems Security Lab. PDOS attacks could take
1
advantage of weaknesses in the installation process of network-based firmware updates. The
installation of rogue firmware through a PDOS attack could allow unauthorized remote server access
or even permanently damage the hardware.
The iLO processor is not susceptible to phlashing, as described in the following section.

iLO strengths against common attacks

Vulnerabilities that could potentially enable phlashing and other more common attacks are
unencrypted ports, lack of authentication and audit trails, vulnerability to brute force attacks, no
1 EUSecWest security conference 2008 – "PhlashDance, discovering permanent denial of service attacks against embedded
systems" - Rich Smith, HP Labs
4