Hackers are hiding in the SSD with malware!

Hackers can hide in the SSD with malware, according to data from researchers at Korea University.

Korean researchers have developed a series of attacks against SSDs (solid-state drives) that allow them to place malware out of the reach of the user and security solutions. These attacks, which apply to drivers with flexible capacity capabilities, target a hidden area on the device called over-provisioning, which is now widely used by SSD manufacturers for performance optimization in NAND flash-based storage systems.

How do ssd malware work?

These hardware-level attacks are very secretive and permanent. Flexible capacity uses a feature found in SSDs from Micron Technology that allows storage devices to automatically adjust the dimensions of raw and user-allocated space to achieve better performance by absorbing write workload volumes.

Malware SSD

This process, called over-provisioning, is a dynamic system that creates and sets a buffer that typically receives 7% to 25% of total disk capacity. It is invisible to the operating system and the applications running on it, including security solutions and anti-virus tools. The SSD administrator automatically adjusts this field for workloads, depending on write or read density.

How is the SSD attack carried out?

An attack modeled by researchers at Korea University in Seoul simulated the attack by targeting an invalid data field between the available SSD field and the Over-provisioning (OP) area, which contained undeleted information, depending on the two in size. The resulting research paper revealed that a hacker could use the firmware manager to change the size of the OP field, thereby creating an exploitable invalid data field.


The problem here is that many SSD manufacturers choose not to delete invalid data fields to save resources. This field remains full of data for long periods of time, under the assumption that disconnecting the mapping table is sufficient to prevent unauthorized access. Malware that exploits this weakness can potentially gain access to sensitive information.

Activities in NAND flash memory can reveal data that has not been deleted for more than six months, the researchers said. In a second attack model, the OP field can be used as a secret location where a threat actor can hide malware, track it, or delete it.


To simplify the description, it is assumed that the two storage devices SSD1 and SSD2 are connected to a channel. Each storage device has 50% OP space. After storing the hacker malware in SSD2, it immediately reduces the OP area of SSD1 to 25% and extends the OP area of SSD2 to 75%.

The software code is included in the hidden area of SSD2. A hacker who gains access to the SSD can reactivate the OP field and enable embedded malware code at any time. It will not be easy to detect such malicious behavior by hackers, as normal users have 100 percent user space on the channel.

How can we take precautions?

As a defense against the first type of attack, researchers recommend that SSD manufacturers delete the OP field with a pseudo-deletion algorithm that will not affect real-time performance. Because the obvious advantage of such an attack is that it is hidden. Detecting malicious code in OP fields is not only time consuming, but also requires highly specialized forensic techniques.

Malware SSD

For the second type of attack, a potentially effective security measure against injecting malware into the OP field is to implement valid-invalid data rate monitoring systems that monitor the rate inside SSDs in real time. When the invalid data rate suddenly increases significantly, the user can receive an alert and the option of a verifiable data deletion function in the OP field.

Finally, the SSD management application must have strong defenses against unauthorized access. In a statement, the researchers said:

İlgili Makaleler

Başa dön tuşu