Western Digital has now informed customers of a security vulnerability that allowed attackers to force the re-issue of SanDisk SecureAccess passwords and then access the users’ protected files. The rollout of the security update has begun.
SanDisk PrivateAccess, formerly known as SanDisk SecureAccess, is used to store and protect sensitive files on SanDisk USB flash drives. However, a vulnerability has now been discovered that undermines this extra protection for the data, as Bleeping Computer reports. “SanDisk SecureAccess 3.02 used a one-way cryptographic hash with a predictable salt, making it vulnerable to dictionary attacks by a malicious user,” said Western Digital in a newly released security advisory.
Brute-force attack on passwords
“The software also used an insufficiently computational password hash that would allow an attacker to force user passwords through brute force, which would result in unauthorized access to user data. We strongly recommend our customers to update this software immediately to protect their vault devices,” said Western Digital.
The vulnerability (CVE-2021-36750) was fixed with the release of SanDisk PrivateAccess version 6.3.5. The new version now uses PBKDF2-SHA256 together with a randomly generated salt. To update the PrivateAccess Vault, you need the latest version of the iXpand Drive Mobile App or the Windows or macOS Desktop App. As a precaution, Western Digital recommends making a backup of the data with the integrated backup function before updating.
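The difference between the two schemes named in the advisory can be seen in a short Python sketch. This is an added example, not Western Digital's code: the fixed salt, the single SHA-256 round standing in for the old scheme, and the iteration count are assumptions, since the article gives none of these values.

```python
import hashlib
import hmac
import secrets

# Assumption: a fixed salt and one SHA-256 round stand in for the "predictable
# salt" and low-cost hash of the advisory; the real values are not on the page.
PREDICTABLE_SALT = b"constructed-fixed-salt"
# Assumption: iteration count chosen for illustration; the page gives none.
ITERATIONS = 600_000
SALT_BYTES = 16


def weak_hash(password: str) -> bytes:
    """One fast hash with a salt that every installation shares."""
    return hashlib.sha256(PREDICTABLE_SALT + password.encode("utf-8")).digest()


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Derive a verifier with PBKDF2-HMAC-SHA256 and a fresh random salt."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Salt and cost are stored next to the hash so verification can repeat them.
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    # Predictable salt: the same password always yields the same hash, so one
    # precomputed dictionary applies to every vault.
    print("weak hashes equal:", weak_hash(pw) == weak_hash(pw))
    a, b = make_record(pw), make_record(pw)
    # Random salt: same password, unrelated verifiers; each guess also costs
    # ITERATIONS HMAC computations instead of a single hash.
    print("pbkdf2 hashes equal:", a["hash"] == b["hash"])
    print("verify ok:", verify(pw, a), "| wrong password:", verify("guess", a))
```

The per-record salt defeats shared precomputed dictionaries, and the iteration count sets the cost of every individual guess.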