Verbatim Store 'n' Go HDD Insecure Encryption Design (CVE-2022-28384)

Key Vulnerability Information Advisory ID: SYSS-2022-005 Product: Store 'n' Go Secure Portable HDD Manufacturer: Verbatim Affected Version(s): GD25LK01-3637-C VER4.0 Tested Version(s): GD25LK01-3637-C VER4.0 Vulnerability Type: Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240) Risk Level: High Solution Status: Open Manufacturer Notification: 2022-01-31 Public Disclosure: 2022-06-08 CVE Reference: CVE-2022-28384 Author of Advisory: Matthias Deeg (SySS GmbH) Vulnerability Overview The Verbatim Store 'n' Go Secure Portable HDD is vulnerable to an offline brute-force attack due to an insecure design, allowing an attacker to gain unauthorized access to encrypted data by finding the correct passcode. Vulnerability Details Insecure Design: The device uses an AES 256-bit hardware encryption engine but employs AES-256 in ECB mode, which can be exploited. Offline Brute-Force Attack: The cryptographic key for data encryption, derived from the passcode, can be brute-forced by testing all possible passcodes between 5 and 12 digits. Solution No solution has been provided by SySS GmbH for this security issue. Disclosure Timeline 2022-01-31: Vulnerability reported to manufacturer 2022-02-11: Vulnerability reported to manufacturer again 2022-03-07: Vulnerability reported to manufacturer again 2022-06-08: Public release of security advisory

Goal Reached Thanks to every supporter — we hit 100%!

Verbatim Store 'n' Go HDD Insecure Encryption Design (CVE-2022-28384)