When analyzing the external data storage Verbatim Store 'n' Go Secure Portable SSD, Matthias Deeg found out that the validation of the firmware for the USB-to-SATA bridge controller INIC-3637EN only consists of a simple CRC-16 check (XMODEM CRC-16).
d39be10e67c9b627d81d5563e3043fc1643ed064d12773022e54946e4d13c40cWhen analyzing the Verbatim Executive Fingerprint Secure SSD, Matthias Deeg found out that the validation of the firmware for the USB-to-SATA bridge controller INIC-3637EN only consists of a simple CRC-16 check (XMODEM CRC-16). Thus, an attacker is able to store malicious firmware code for the INIC-3637EN with a correct checksum on the used SPI flash memory chip (XT25F01D), which then gets successfully executed by the USB-to-SATA bridge controller.
6fe888a83e3d60fa3dff9cbd864af7c01af27b2dbd4a6cda8d208d3d0a240337When analyzing the Fingerprint Secure Portable Hard Drive, Matthias Deeg found out that the validation of the firmware for the USB-to-SATA bridge controller INIC-3637EN only consists of a simple CRC-16 check (XMODEM CRC-16). Thus, an attacker is able to store malicious firmware code for the INIC-3637EN with a correct checksum on the used SPI flash memory chip (XT25F01B), which then gets successfully executed by the USB-to-SATA bridge controller.
5cf09b9a6a7dc17bc2bc9248633676029f1f2f7c319f1bda1a93395588b69053When analyzing the external SSD Verbatim Store n Go Secure Portable HDD, Matthias Deeg found out that the validation of the firmware for the USB-to-SATA bridge controller INIC-3637EN only consists of a simple CRC-16 check (XMODEM CRC-16). Thus, an attacker is able to store malicious firmware code for the INIC-3637EN with a correct checksum on the used SPI flash memory chip (XT25F01D), which then gets successfully executed by the USB-to-SATA bridge controller. For instance, this security vulnerability could be exploited in a so-called "supply chain attack" when the device is still on its way to its legitimate user. An attacker with temporary physical access during the supply could program a modified firmware on the Verbatim Keypad Secure, which always uses an attacker-controlled AES key for the data encryption, for example. If, later on, the attacker gains access to the used USB drive, he can simply decrypt all contained user data.
7098d1b68edc002a1e51f5c5258de96984b038b74b703b8420355811a28fb504When analyzing the USB drive Verbatim Keypad Secure version 3.2 Gen 1 Drive, Matthias Deeg found out that the validation of the firmware for the USB-to-SATA bridge controller INIC-3637EN only consists of a simple CRC-16 check (XMODEM CRC-16). Thus, an attacker is able to store malicious firmware code for the INIC-3637EN with a correct checksum on the used SPI flash memory chip (XT25F01D), which then gets successfully executed by the USB-to-SATA bridge controller.
52c1bd34c6801f46e1bba55d25c92e6597c84cbd41ec64b03d514cd0fa54e98f
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed