
New Techniques for Hiding Malware in SSD Firmware Discovered


A new set of attacks against Solid-State Drives (SSDs) has been discovered by Korean researchers. These attacks allow malware to be deployed in places where security solutions and users are unable to reach it.

The attacks are targeted at drives with flex capacity features and hidden sections on the device known as over-provisioning areas, which are used by SSD manufacturers for performance optimization on NAND flash storage systems.

One of the attacks uses non-erased information to target an invalid data area located between the Over-Provisioning (OP) area and the usable SSD space; its size is determined by the two. Using the firmware manager, an attacker can modify the size of the OP area to create exploitable invalid data space. The issue is that, to save resources, most SSD manufacturers do not erase the invalid data area, assuming that breaking the mapping table’s link is enough to prevent unauthorised access. As a result, an attacker could exploit this flaw to gain access to sensitive data. Furthermore, data that has not been deleted for six months can be disclosed by the NAND flash memory.

In the second type of attack, the OP area is used as a secret place to hide malware that can be erased or monitored by a user. Suppose two storage devices, SSD1 and SSD2, are attached to a channel. Both SSDs have a 50 percent OP area. After hiding malware code in SSD2, an attacker can swiftly limit SSD1’s OP area to 25 percent while increasing SSD2’s OP area to 75 percent. Simultaneously, the malicious code is stored in a hidden SSD2 space that can be activated at any time by resizing the OP area. Furthermore, using 100 percent area makes it more difficult to detect.

Flex capacity is a feature in SSDs that allows storage devices to automatically adjust the sizes of raw and user-allocated space to improve efficiency using write workload volumes.

To protect against the first attack, SSD manufacturers should delete their OP area using a pseudo-erase algorithm without compromising performance. The recommended countermeasure for the second attack is to implement valid-invalid data rate monitoring systems that monitor the ratio in SSDs in real time. Such a system can alert the user if the invalid data ratio unexpectedly rises, and it can erase data in the OP region in a verifiable manner.
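The monitoring countermeasure described above can be sketched as follows. This is an added example, not code from the researchers or from any SSD vendor; the telemetry fields (`valid_pages`, `invalid_pages`, `op_percent`), the thresholds and the sample values are assumptions constructed for illustration, since the article names no interface for reading them.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Sample:
    t: int              # sample index
    valid_pages: int    # pages holding live, mapped data
    invalid_pages: int  # pages unmapped but not yet erased
    op_percent: int     # OP share of raw capacity at sample time

def invalid_ratio(s: Sample) -> float:
    total = s.valid_pages + s.invalid_pages
    return s.invalid_pages / total if total else 0.0

def monitor(samples, window=4, max_rise=0.10):
    """Return (t, kind, detail) alerts for OP resizes and invalid-ratio jumps."""
    alerts, baseline_hist, prev_op = [], [], None
    for s in samples:
        ratio = invalid_ratio(s)
        if prev_op is not None and s.op_percent != prev_op:
            alerts.append((s.t, "op_resize", f"{prev_op}% -> {s.op_percent}%"))
        prev_op = s.op_percent
        if len(baseline_hist) >= window:
            baseline = mean(baseline_hist[-window:])
            if ratio - baseline > max_rise:
                alerts.append((s.t, "invalid_ratio_rise",
                               f"{baseline:.2f} -> {ratio:.2f}"))
                # Keep anomalous samples out of the baseline so a sustained
                # jump cannot become the new "normal" and silence the alert.
                continue
        baseline_hist.append(ratio)
    return alerts

# Constructed telemetry: steady state at 50% OP, then the OP area is
# shrunk to 25% and the formerly reserved pages show up as invalid data.
SAMPLES = [
    Sample(0, 900, 100, 50), Sample(1, 890, 110, 50),
    Sample(2, 880, 120, 50), Sample(3, 900, 100, 50),
    Sample(4, 890, 110, 50), Sample(5, 650, 350, 25),
    Sample(6, 640, 360, 25),
]

if __name__ == "__main__":
    for t, kind, detail in monitor(SAMPLES):
        print(f"t={t} {kind}: {detail}")
```

The alert keeps firing for as long as the ratio stays elevated, which is the point at which the verifiable erase of the OP region mentioned above would be triggered.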
