Researchers from Korea have developed a new set of attacks against Solid-State Drives (SSDs). These attacks allow the deployment of malware in locations that are out of reach of security solutions and users.

The attacks target drives with flex capacity features and hidden areas on the device called over-provisioning areas used by SSD makers for performance optimization on storage systems based on NAND flash.

The first attack

One of the attacks targets an invalid data area using non-erased information and available between the Over-Provisioning (OP) area and usable SSD space, whose size is based on the two.
  • An attacker can make changes to the size of the OP area with the firmware manager to create exploitable invalid data space.
  • The issue is that most SSD manufacturers do not erase the invalid data area to save on resources and assume that breaking the link of the mapping table can stop unauthorized access.
  • Thus, an attacker can use this issue to obtain access to sensitive information. Moreover, the NAND flash memory can disclose data that has not been deleted for six months.

The second attack

In the second type of attack, the OP area is used as a secret place to hide malware that can be wiped or monitored by a user.
  • It is supposed that two storage devices SSD1/SSD2 are attached to a channel. 
  • Both of the devices have a 50% OP area, and after an attacker hides a malware code in SSD2, they can quickly limit the OP area of SSD1 to 25% and increase SSD2’s OP area to 75%. 
  • At the same time, the malware code is stored inside a hidden area of SSD2 that can be activated at any time by resizing the OP area. Further, using 100% area makes it harder to detect.

What are flex capacity features?

Flex capacity is a feature in SSDs that allows storage devices to adjust the sizes of raw and user-allocated space automatically to obtain better performance by using the write workload volumes.

What to do?

For protection against the first attack, SSD manufacturers should wipe their OP area using a pseudo-erase algorithm without affecting performance. For the second attack, the recommended countermeasure is to implement valid-invalid data rate monitoring systems to watch the ratio in SSDs in real-time. This can warn the user in case the invalid data ratio rises suddenly and provide an option to verifiably wipe data in the OP area.

Cyware Publisher