Researchers devised a series of attacks against SSDs that could allow to implant malware in a location that is not monitored by security solutions.
Korean researchers devised a series of attacks against solid-state drives (SSDs) that could allow to implant malware in specific memory locations bypassing security solutions.
The attacks work against drives with flex capacity features and allow to implant a malicious code in a hidden area of SSDs called over-provisioning. This memory location is used for performance optimization on NAND flash-based storage systems.
“The Micron Flex Capacity feature is designed to unleash the true capabilities of storage media by giving IT administrators the ability to tune their SSDs to meet specific workload characteristics such as performance, capacity and endurance.”
The operating system and any applications running on it have no visibility on the over-provisioning, this means that security software is not able to inspect their content looking for a malicious code.
Many storage devices can vary the size of the OP area in real-time to optimize performance. A larger size of the OP area can ensure better performance. The OP area can be set for example by a maximum of 50%. An invalidation data region is created by varying the OP area that can be changed by the user or by the firmware manager. However, a threat actor can reduce the size of the OP area using the firmware manager generating an invalid data area. This attack could lead to an information-disclosing attack.
“Assuming that the hacker can access the management table of the storage device, the hacker can access this invalid data area without any restrictions.” reads the research paper. “Without the need for special forensic equipment, as a computer user, a hacker can access these invalid data areas of the NAND flash memory. Depending on sensitive information is stored in the invalid data area, computer users can feel more or less alarmed by this”
