Micron statement on potential industry vulnerability in optional ATA interface command

Micron Technology | January 2022

We are aware that a paper recently published via IEEE Xplore titled “Forensic Issues and Techniques to Improve Security in SSD With Flex Capacity Feature” has raised security questions about the variable over-provisioning capability in industry devices that use the ATA standard SET MAX ADDRESS command, including the Micron 5200 SSD. Micron takes data security very seriously, and we strive to design with exacting security standards. We welcome research in this field and value collaborations that will improve the security of our products. Any time a potential security concern for one of our products is brought to our attention, Micron conducts a detailed investigation to assess whether our products might be susceptible to such a vulnerability.

Our thorough analysis determined that there is no vulnerability in our products that could be exploited as described in the referenced paper.

During our investigation we did identify a related potential vulnerability that is theoretically possible in two of our product lines, the Micron 5200 and 5300 data center SATA SSDs. In order to exploit this potential vulnerability, the attacker would have to have privileged authorization to issue special commands to the drive, and therefore it is unlikely to be exposed to users in a virtualized cloud infrastructure or enterprise data center. Nonetheless, Micron will be issuing an optional firmware update that will address this potential vulnerability to any customer who is concerned about this issue for the affected products.

Please contact your Micron sales representative with any questions.