Hackers are now dropping malware into SSD drives through firmware updates
Cyberconscious security experts can repeat the keys to preventing getting hacked like a mantra. Among the bits of advice? Update your firmware to ensure nothing goes awry, ensuring all issues are patched immediately before they can become gaping holes in your cybersecurity.
But that advice may no longer be relevant if South Korean researchers have anything to do with it. In a new recent paper, academics at Korea University in Seoul have outlined how solid-state drives (SSDs) can be cracked open with malware that goes beyond the reach of traditional antivirus scanning and user access.
The methods they use to take advantage of a technique SSD manufacturers harness in order to improve the performance of their drives. A hidden area on devices provides over-provisioning, optimizing performance for flash-based storage systems that use NAND. Over-provisioning works by having storage devices constantly redraw the size of raw and user-allocated space. Up to a quarter of a drive’s disk capacity is given over to a buffer that can be used to process workload volumes, freeing up the remainder of the drive to be used normally.
Over-provisioning is invisible
The issue that the South Korean researchers took advantage of is that the over-provisioning section of any SSD is, for all intents and purposes, invisible to the user, any applications, and the operating system on the device. That means anti-virus tools ignore it. The authors of the paper presented a number of different options to secret away malware in that hidden area of an SSD, placing an invalid data area with non-erased information between normal, visible SSD space and the invisible over-provisioning section.
Hackers can change the size of the over-provisioning section on an SSD, creating space that essentially is lost to visibility. That means they can snoop around on data that has previously been stored there but hasn’t been deleted – with the researchers able to dredge up data on NAND flash memory that is six months old.
The other alternative method of attack is simply to take advantage of the fact that no man’s land on an SSD is often not rewritten or deleted regularly. By deploying malware in that space, it’s possible to exist undetected for months.
“Even if you are not a malicious hacker, a misguided employee can easily free hidden information and leak it by using the OP area variable firmware/software at any time,” they write.
Leveraging more options to launch chaos
It’s just another example of the way that white hat researchers are highlighting issues that black hat hackers are likely to be already exploiting – all without us knowing about it. By bringing attention to these issues, the hope is that companies like Micron, which produces and provides such SSDs, can patch the vulnerabilities and ensure that users are protected.
It remains an issue, however, that the battle between hackers and those trying to protect us from their attacks is a cat and mouse game, and one where the bad guys regularly seem one step ahead at all points. When the old maxims of cybersecurity start to crumble, it becomes a problem for rank and file users to keep up with what they’re meant to be doing.
The academics proposed solutions for drive manufacturers to allay the risk of falling victim to this attack vector, which they hope will be adopted by the manufacturers in future work. But it just goes to show how risky these things can be.