Friday, December 31, 2021

 



Korean scientists discover malware injected into an empty partition that is inaccessible to the user and security tools

Korean researchers have successfully simulated two types of attacks that exploit vulnerabilities in some solid state drives (SSDs). These attacks allow malware to be injected into an empty partition that is inaccessible to the user and security tools. Attacks of this type are relevant for SSDs with over-provisioning functionality, and malware distributed with their help is nearly impossible to detect.

Over-provisioning is widely used by manufacturers to optimize the performance of NAND flash drives. The space allocated for this function is usually inaccessible to the user and to any applications, including security tools, but it has been found that attackers can use it to inject malware.

One of the attacks was modeled by researchers at the University of Korea in Seoul. It is based on a vulnerability that targets data that has been deleted in the operating system but is physically still stored in the drive's memory. Exploiting the vulnerability allows an attacker to resize the area allocated for over-provisioning so that the drive continues to hold more deleted information. As deleted data can remain in an area inaccessible to the user for several months, exploitation of this vulnerability could open access to potentially sensitive data.

When simulating a second attack using over-provisioning, the researchers used two SSDs. The vulnerability allows an attacker to inject malware and adjust the amount of inaccessible storage space so as not to arouse the victim's suspicion. This approach also allows access to deleted data that has not been physically erased from SSD memory.

According to the researchers, using a pseudo-erase algorithm that physically deletes data without impacting performance will help address the issue of over-provisioning vulnerabilities. SSD manufacturers will likely focus on fixing these issues.

Image source: Arxiv.org
