
The first attack targets the invalid data area: pages holding deleted-but-not-erased data that sit between the Over-Provisioning (OP) area and the user-accessible capacity. The size of this area depends on how the drive is split between the two.
The First Attack
- An attacker can change the size of the OP area with a firmware manager utility, creating an exploitable invalid data space.
- The issue is that most SSD manufacturers do not erase the invalid data area, to save resources, and assume that breaking the link in the mapping table is enough to stop unauthorized access.
- An attacker can therefore use this weakness to obtain sensitive information. The NAND flash memory can still disclose data that was deleted more than six months earlier.
The Second Attack
In the second attack, the OP area is used as a hiding place for malware that the user cannot wipe or monitor.
- Suppose two storage devices, SSD1 and SSD2, are attached to the same channel.
- Both devices start with a 50% OP area. After the attacker hides malicious code in SSD2, they can reduce SSD1's OP area to 25% and increase SSD2's OP area to 75%.
- The malicious code now sits inside a hidden area of SSD2 and can be activated at any time by resizing the OP area again. Expanding the OP area to 100% makes detection harder still.
What to do?
To protect against the first attack, SSD manufacturers should wipe the OP area with a pseudo-erase algorithm that does not affect performance. Against the second attack, the recommended countermeasure is a valid/invalid data ratio monitoring system that watches the ratio in real time, warns the user when the invalid data ratio rises suddenly, and offers an option to verifiably wipe the data in the OP area.
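The following toy flash-translation-layer model ties the two attacks and both countermeasures together. It is an added example written for this article, not the researchers' code or any vendor firmware. The page counts, the `resize_op()` call standing in for the "firmware manager", the idea that a lazy firmware keeps stale mappings across a resize, and the monitor threshold are all assumptions made for illustration. The model shows why a delete that only breaks the mapping leaves data readable (attack 1), how a payload parked beyond the exported capacity survives a host-side wipe and comes back when the OP area shrinks (attack 2), and how pseudo-erase and ratio monitoring change the outcome.

```python
# Toy FTL model of the OP-area attacks described above. Added example, not
# vendor or research code; page counts, resize_op() and the monitor threshold
# are assumptions for illustration.

ERASED = None  # an erased NAND page holds nothing


class ToySSD:
    def __init__(self, physical_pages, op_ratio, pseudo_erase=False):
        self.nand = [ERASED] * physical_pages  # physical NAND pages
        self.l2p = {}                          # logical page -> physical page
        self.op_ratio = op_ratio
        self.pseudo_erase = pseudo_erase       # countermeasure for attack 1

    @property
    def user_pages(self):
        """Pages exported to the host; everything else is the OP area."""
        return int(len(self.nand) * (1 - self.op_ratio))

    def resize_op(self, ratio):
        """Assumed 'firmware manager' operation. The lazy firmware modelled
        here keeps stale mappings and stale data around after a resize."""
        self.op_ratio = ratio

    def invalid_pages(self):
        """Pages whose data no logical page references: deleted or
        overwritten, but never erased."""
        mapped = set(self.l2p.values())
        return [p for p, d in enumerate(self.nand)
                if d is not ERASED and p not in mapped]

    def hidden_pages(self):
        """Mapped pages whose logical address the host can no longer reach
        because the OP area grew over it (the attack-2 hiding place)."""
        return [p for lpn, p in self.l2p.items() if lpn >= self.user_pages]

    def unaccounted_ratio(self):
        """Share of NAND holding data the host cannot see; this is what the
        ratio-monitoring countermeasure watches."""
        hidden = len(self.invalid_pages()) + len(self.hidden_pages())
        return hidden / len(self.nand)

    def _retire(self, ppn):
        # Vendor default: only the mapping is dropped, the bytes stay in NAND.
        if self.pseudo_erase:
            self.nand[ppn] = ERASED

    def _allocate(self):
        for p, d in enumerate(self.nand):
            if d is ERASED:
                return p
        # Out of erased pages: garbage-collect one invalid page on demand.
        # Real FTLs defer this, which is exactly why invalid data survives.
        for p in self.invalid_pages():
            self.nand[p] = ERASED
            return p
        raise RuntimeError("device full")

    def write(self, lpn, data):
        if lpn >= self.user_pages:
            raise ValueError("logical page outside exported capacity")
        ppn = self._allocate()
        self.nand[ppn] = data
        old = self.l2p.get(lpn)
        self.l2p[lpn] = ppn
        if old is not None:
            self._retire(old)

    def delete(self, lpn):
        """Host delete/TRIM: the mapping link is broken, nothing more."""
        self._retire(self.l2p.pop(lpn))

    def read(self, lpn):
        if lpn >= self.user_pages:
            raise ValueError("logical page outside exported capacity")
        ppn = self.l2p.get(lpn)
        return ERASED if ppn is None else self.nand[ppn]

    def read_raw(self, ppn):
        """Direct physical read, as chip-off forensics or modified firmware allows."""
        return self.nand[ppn]

    def host_wipe(self):
        """An OS-level 'wipe everything' only reaches exported logical pages."""
        for lpn in [l for l in self.l2p if l < self.user_pages]:
            self.delete(lpn)


def attack1_recover_deleted(pseudo_erase):
    """Write a secret, delete it, then read the invalid data area directly."""
    ssd = ToySSD(physical_pages=8, op_ratio=0.5, pseudo_erase=pseudo_erase)
    ssd.write(0, b"SECRET")                 # constructed sample data
    ssd.delete(0)
    return [ssd.read_raw(p) for p in ssd.invalid_pages()]


def attack2_hide_and_reactivate(threshold=0.1):
    """Park a payload beyond the exported capacity by growing the OP area,
    survive a host wipe, then shrink the OP area to bring it back."""
    ssd = ToySSD(physical_pages=8, op_ratio=0.5)        # 4 user pages, 4 OP
    ssd.write(3, b"PAYLOAD")                            # constructed payload
    before = ssd.unaccounted_ratio()
    ssd.resize_op(0.75)                                 # 2 user pages: page 3 vanishes
    alert = ssd.unaccounted_ratio() - before > threshold  # monitoring countermeasure
    ssd.host_wipe()                                     # cannot reach logical page 3
    ssd.resize_op(0.25)                                 # 6 user pages: page 3 is back
    return ssd.read(3), alert
```

`attack1_recover_deleted(False)` returns the deleted secret from the invalid area, while enabling `pseudo_erase` leaves nothing to recover. `attack2_hide_and_reactivate()` returns the payload intact after the host wipe, and the jump in unaccounted data at the moment the OP area grows is what trips the ratio monitor, which is why the countermeasure watches for sudden changes rather than absolute values.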
