Firmware attack can drop persistent malware in hidden SSD area

Korean researchers have developed a set of attacks against some solid-state drives (SSDs) that could allow planting malware in a location that’s beyond the reach of the user and security solutions.

The attack models are for drives with flex capacity features and target a hidden area on the device called over-provisioning, which is widely used by SSD makers these days for performance optimization on NAND flash-based storage systems.

Hardware-level attacks offer ultimate persistence and stealth. Sophisticated actors have worked hard to implement such concepts against HDDs in the past, hiding malicious code in unreachable disk sectors.

How flex capacity works

Flex capacity is a feature in SSDs from Micron Technology that enables storage devices to automatically adjust the sizes of raw and user-allocated space to achieve better performance by absorbing write workload volumes.

It is a dynamic system that creates and adjusts a buffer of space called over-provisioning, typically taking between 7% and 25% of the total disk capacity.

The over-provisioning area is invisible to the operating system and any applications running on it, including security solutions and anti-virus tools.

As the user launches different applications, the SSD manager adjusts this space automatically against the workloads, depending on how write or read-intensive they are.

Full article

Scroll to Top