Hiding malware inside the flex capacity space on modern SSDs (Security News, December 2021)
The attack models are for drives with flex capacity features and target a hidden area on the device called over-provisioning, which is widely used by SSD makers these days for performance optimization on NAND flash-based storage systems.
Flex capacity is a feature in SSDs from Micron Technology that enables storage devices to automatically adjust the sizes of raw and user-allocated space to achieve better performance by absorbing write workload volumes.
One attack modeled by researchers at Korea University in Seoul targets an invalid data area with non-erased information that sits between the usable SSD space and the over-provisioning area, and whose size depends on the two.
The research paper explains that a hacker can change the size of the OP area by using the firmware manager, thus generating exploitable invalid data space.
After the hacker stores the malware code in SSD2, they immediately reduce the OP area of SSD1 to 25% and expand the OP area of SSD2 to 75%. At this time, the malware code is included in the hidden area of SSD2. A hacker who gains access to the SSD can activate the embedded malware code at any time by resizing the OP area.
While the research demonstrates that the OP area on Micron SSDs can be used to store malware, it is unlikely that such attacks are taking place in the wild right now.