SanDisk SecureAccess bug allows brute force vault passwords

Western Digital fixed a security vulnerability that allowed attackers to brute force SanDisk SecureAccess passwords and gain access to protected user files.

SanDisk SecureAccess (now renamed SanDisk Private Access) helps store and protect sensitive files on SanDisk USB flash drives.

“SanDisk SecureAccess 3.02 used a one-way cryptographic hash with a predictable salt, which made it vulnerable to a malicious user’s dictionary attacks,” Western Digital explained in a security advisory released Wednesday.

“The software also used a password hash with insufficient computational effort that would allow an attacker to brute force user passwords leading to unauthorized access to user data.”

The failure (CVE-2021-36750) resulting from the key derivation function issues shown above has been resolved with the release of SanDisk PrivateAccess version 6.3.5, which now uses PBKDF2-SHA256 with a randomly generated salt.

How to Upgrade to PrivateAccess Vault

You can find detailed information here about upgrading your installation and migrating from the SecureAccess vault to the new PrivateAccess vault.

This requires updating the iXpand Drive mobile app and Windows and macOS desktop to the latest released versions.

“We urge our customers to install this software update immediately to keep their safes safe,” Western Digital added.

“As with any upgrade, it is best to back up your data before installing the upgrade. Back up your data using the built-in backup feature in the Tools menu.”

PrivateAccess Safe
Image: Western Digital

In related news, Western Digital has confirmed a speed-crippling SN550 SSD flash change in August (with write speed decreases of up to 50%) after replacing the WD Blue SN550’s NAND flash memory, l one of its most popular M.2 NVMe SSD models. .

Although it did not alert customers to the change, the company said that in the future it will also introduce new model numbers during hardware changes that affect the performance of its products.