HomeNewsMalware Hide-in-SSD Firmware gets a makeover found

Malware Hide-in-SSD Firmware gets a makeover found


Last Updated on 10/01/2022 by Sanskriti

A new set of assaults against Solid-State Drives has been devised by Korean researchers (SSDs). These attacks allow malware to be deployed in places where security systems and users are unable to reach it.

The assaults are aimed at drives with flex capacity features and hidden sections on the device known as over-provisioning areas, which are used by SSD manufacturers for performance optimization on NAND flash storage systems.


One of the attacks uses non-erased information to target an invalid data area located between the Over-Provisioning (OP) area and usable SSD space, the size of which is determined by the two.

  • With the firmware manager, an attacker can modify the size of the OP region to produce exploitable invalid data space.
  • The problem is that, in order to save resources, most SSD manufacturers do not wipe the incorrect data area, assuming that severing the mapping table’s link will prevent unauthorized access.
  • As a result, an attacker could exploit this flaw to get access to sensitive data. Furthermore, data that has not been removed for six months can be revealed by the NAND flash memory.

The OP region is utilized as a covert location to hide malware that can be erased or monitored by a user in the second sort of assault.

  • Two storage devices SSD1/SSD2 are supposed to be connected to a channel.
  • Both SSDs have a 50 percent OP area, therefore if an attacker places malware code in SSD2, they can swiftly reduce SSD1’s OP area to 25% while increasing SSD2’s OP area to 75%.
  • Simultaneously, the malicious code is stored in a hidden SSD2 space that may be accessed at any time by resizing the OP area. Furthermore, employing 100% area makes it more difficult to identify.

Flex capacity is a feature in SSDs that enables storage devices to automatically alter the sizes of raw and user-allocated space to improve performance when writing workload volumes are used.

What to do in such a situation?

SSD makers should clean their OP region using a pseudo-erase algorithm without compromising performance to protect against the first assault. The recommended countermeasure for the second assault is to install valid-invalid data rate monitoring devices that monitor the ratio in SSDs in real-time. This can alert the user if the invalid data ratio unexpectedly rises, and it can erase data in the OP region in a verifiable manner.

Sanskriti loves technology in general and ensures to keep TheDigitalHacker audience aware of the latest trends, updates, and data breaches.
- Advertisment -

Must Read

Data Science Drives Personalized Marketing and Customer Engagement to New Heights...

Personalized marketing and customer engagement are crucial for businesses to thrive in the current digital era. Because data science makes it possible for marketers...