Do you take care of your SSD? Beware of new malware using Over-Provisioning

Korean researchers from Korea University in Seoul created a model of two attacks that exploit the empty space of SSD disks (Over-Provisioning (OP) pool), proving how new malware can attack our computers. Fortunately, it was only discovered by researchers, not hackers, so now manufacturers armed with this knowledge can counteract such attacks.

It seems it is possible to develop malware that uses SSD Over-Provisioning

When you buy a 1-TB drive, you always get 9XX-gigabytes of disk space. This is sometimes even worse with SSDs, the manufacturers of which deliberately block access to a dozen or even several dozen GB to create a special pool of free space, thanks to which, even after filling up the SSD, we can be sure that the memory chips will be used evenly. Some SSD owners even do this on their own, creating a partition with 90 or sometimes even 80% of the available disk space.

According to the study, this OS inaccessible space of an SSD is ideal for new malware (malicious software) that can manipulate the disk and read data from this level. The malware code ends up in this “empty space”, guaranteeing itself security. In practice, it can then read potentially sensitive data that was previously in the so-called Invalid Data Area, which is the area between the OP and the available memory. For example, data deleted by the user is sent to it.

Also read: Test pendrive Kioxia TransMemory U366 64 GB

According to the source, many SSD manufacturers do not remove the invalid data area. This is all done to save resources, assuming that breaking the connection of the mapping table is enough to prevent unauthorized access. The second attack requires the presence of disks connected in the system within one partition (eg RAID 0). Then the malware can adjust the capacity of both disks without any symptom to take advantage of the OP area in the form of a secret place that users cannot monitor or erase, where a hacker could hide even more nasty malware.