Security News > 2021 > December > Firmware attack can drop persistent malware in hidden SSD area

The attack models are for drives with flex capacity features and target a hidden area on the device called over-provisioning, which is widely used by SSD makers these days for performance optimization on NAND flash-based storage systems.

One attack modeled by researchers at Korea University in Seoul targets an invalid data area with non-erased information that sits between the usable SSD space and the over-provisioning area, and whose size depends on the two.

The research paper explains that a hacker can change the size of the OP area by using the firmware manager, thus generating exploitable invalid data space.

In a second attack model, the OP area is used as a secret place that users cannot monitor or wipe, where a threat actor could hide malware.

After the hacker stores the malware code in SSD2, they immediately reduce the OP area of SSD1 to 25% and expand the OP area of SSD2 to 75%. At this time, the malware code is included in the hidden area of SSD2. A hacker who gains access to the SSD can activate the embedded malware code at any time by resizing the OP area.

As a defense against the first type of attack, the researchers propose SSD makers wipe the OP area with a pseudo-erase algorithm that would not affect real-time performance.

News URL

https://www.bleepingcomputer.com/news/security/firmware-attack-can-drop-persistent-malware-in-hidden-ssd-area/