Incredible, this ...uses HTTPS and does not verify the certificate ... FFS ... you should probably also check which SSL/TLS versions are supported ... given the missing validation, it might use SSL3 or something worse ...
Samsung's 'Magician' for SSDs can let crims run evil code
The CERT Coordination Centre at Carnegie Mellon University has just popped two items onto storage admins' to-do lists. Item one: Go get version 5.1 of Samsung Magician, stat. The application lets users manage the Korean company's solid state disk drives by doing things like updating firmware, performing secure erasure or …
COMMENTS
Tuesday 20th June 2017 19:03 GMT Captain DaFt
Re: Stupid is as stupid does
"It boggles my grey matter that companies of this size are still making silly security mistakes."
It's my observation that the bigger the company, the more they adhere to the mantra: "Do it cheap, deliver it yesterday, fix it someday." That tends to produce results like this.
Wednesday 21st June 2017 03:38 GMT Ian Joyner
Re: Stupid is as stupid does
Captain DaFt: >>It's my observation that the bigger the company, the more they adhere to the mantra: "Do it cheap, deliver it yesterday, fix it someday." that tends to produce results like this.<<
Mostly, I agree. This is why some of us here point out that Apple is different in not doing cheap, testing, and releasing when they are ready. OK, they might just be saying it, but from what we industry insiders observe, it is mostly the case. They don't rush products to market like Samsung and others. As discussed in another Register forum, Apple's testing of the new APFS before going live was amazing - despite the nonsense detractors were throwing up about it.
Tuesday 20th June 2017 08:23 GMT Christian Berger
I wonder how security would be...
... if we'd all just avoid the obvious problems. I mean updating firmware shouldn't be so common that you need a GUI application for it. Then if you download something off the internet, you should at least use TLS certificate pinning, or sign the firmware itself. (However, do not have mandatory firmware signing for local updates, as that would prevent people from patching the firmware themselves.)
Tuesday 20th June 2017 14:16 GMT Christian Berger
Re: I wonder how security would be...
Well, Samsung has 2 advantages with this:
a) They develop their own chips, so they have a head start when it comes to working with them. They can already write and test the firmware for early prototypes or even for simulations of those chips.
b) They market themselves as a premium company, so they would even have a bit more time for such things than the competition. Well-tested firmware would be a big advantage justifying the price premium.
Tuesday 20th June 2017 08:43 GMT Anonymous Coward
Bricked SSDs/WD/Seagate RMAs with firmware infections/mods? These companies must know.
You wonder how many WD and Seagate hard drives and Sandisk/Samsung SSDs are returned as "bricked" but found to have been the result of a firmware infection/modified firmware, in order to destroy a RAID array for instance.
Maybe this should be a statutory disclosure. Storage companies seem to avoid the flak Microsoft gets in terms of security, but a drive's firmware is just as vulnerable, just as much a hack target and, if it succeeds, can do a lot more damage.
Tuesday 20th June 2017 11:23 GMT Dan 55
Magician, eh?
It'd be magic if Samsung actually managed to get https working properly for one of their products.
He also found that the programmers failed to use SSL encryption for a secure connection when transmitting certain data. They use it on some data transmissions but not others, and usually not on the ones that need it most.
"They made a lot of wrong assumptions about where they needed encryption," he says, noting that "it's extra work to move between secure connections and unsecure connections." This indicates that they didn't do it inadvertently but were making conscious decisions not to use SSL in those places, he says.
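The points raised in the comments above (an updater that talks HTTPS without verifying the certificate, the suggestion of certificate pinning or firmware signing, and TLS used on some transfers but not others) are easiest to see as code. What follows is an added example, not Samsung's code and not anything from the article: a Python 3 standard-library update client showing the unverified configuration beside a hardened one (certificate verification, hostname check, TLS 1.2 minimum, a certificate pin), plus verification of a downloaded image against a manifest published over that authenticated channel. The host name, the pin set, the manifest format and the sample certificate and image bytes are assumptions constructed for illustration. Proper firmware signing would put an asymmetric signature over the image itself, which the standard library does not provide; the manifest hash here stands in for it and relies on the pinned channel for authenticity.

```python
"""Added example (not from the article or Samsung): an update-download
client written the way the commenters ask for.  Host name, pins, manifest
format and sample bytes are assumptions / constructed for illustration."""
import hashlib
import hmac
import json
import socket
import ssl

# Hypothetical update host; the real one is not on the page.
UPDATE_HOST = "updates.example.invalid"
UPDATE_PORT = 443


def insecure_context() -> ssl.SSLContext:
    """The 'uses HTTPS but does not verify the certificate' configuration.
    Any man-in-the-middle can present any certificate and be accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # old protocols allowed
    return ctx


def hardened_context(min_version=ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """System trust store, hostname check, and no SSLv3 / TLS 1.0 / TLS 1.1."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = min_version
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings a reviewer would raise against a client's TLS configuration."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS < 1.2")
    return findings


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate; this is the value that gets pinned."""
    return hashlib.sha256(der_cert).hexdigest()


def cert_matches_pin(der_cert: bytes, pins) -> bool:
    """Pin check: the presented certificate must match one of the known pins.
    Ship more than one pin so a certificate rotation does not brick updates."""
    return cert_fingerprint(der_cert) in set(pins)


def open_pinned_connection(host, port, pins, ctx=None) -> ssl.SSLSocket:
    """TLS connection that passes normal verification AND the pin check.
    Network call; not exercised by the offline sample below."""
    ctx = ctx or hardened_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not cert_matches_pin(der, pins):
        tls.close()
        raise ssl.SSLError("certificate pin mismatch for %s" % host)
    return tls


def build_manifest(version: str, image: bytes) -> bytes:
    """Manifest the update server would publish over the pinned channel."""
    return json.dumps({"version": version,
                       "sha256": hashlib.sha256(image).hexdigest()}).encode()


def verify_image(manifest_json: bytes, image: bytes) -> str:
    """Bind the downloaded image to the manifest; returns the version on success."""
    manifest = json.loads(manifest_json)
    actual = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(manifest["sha256"], actual):
        raise ValueError("image hash does not match manifest")
    return manifest["version"]


def image_is_trusted(manifest_json: bytes, image: bytes) -> bool:
    """Boolean wrapper around verify_image for callers that do not want exceptions."""
    try:
        verify_image(manifest_json, image)
        return True
    except (ValueError, KeyError):
        return False


# Constructed sample data (not a real certificate or firmware image).
SAMPLE_DER = bytes.fromhex("308201a23082010a0203010001")
SAMPLE_PINS = {cert_fingerprint(SAMPLE_DER)}
SAMPLE_IMAGE = b"MAGICIAN-FW\x00" + bytes(range(64))
SAMPLE_MANIFEST = build_manifest("5.1.0", SAMPLE_IMAGE)

if __name__ == "__main__":
    print("insecure client findings:", audit_context(insecure_context()))
    print("hardened client findings:", audit_context(hardened_context()))
    print("pin matches:", cert_matches_pin(SAMPLE_DER, SAMPLE_PINS))
    print("image trusted:", image_is_trusted(SAMPLE_MANIFEST, SAMPLE_IMAGE))
    print("tampered image trusted:", image_is_trusted(SAMPLE_MANIFEST, SAMPLE_IMAGE + b"\x00"))
```

The audit function is the check a reviewer would run against the client's TLS setup: the insecure context trips all three findings, the hardened one none. Pinning sits on top of normal verification rather than replacing it, so a pin mismatch fails closed even when the certificate chains to a public CA.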
Tuesday 20th June 2017 12:26 GMT Richard Lloyd
Not much of a wizard for me
I have an SM961 M.2 SSD, but on the rare occasion I boot into Windows 10 (I'm in Linux >95% of the time), the Samsung Magician software doesn't want to know about my SSD because it's an OEM variant - this is a ridiculous policy to have really and it prevents me from getting any firmware updates for the SSD :-( Needless to say, I quickly uninstalled the Magician software from my Windows setup and it's never coming back...
Tuesday 20th June 2017 15:25 GMT Anonymous Coward
Because this shouldn't worry anyone either...
From Samsung Magician 5.1 Consumer Edition:
<snip>
3. CONSENT ON DATA USE AND TRANSFER
You understand and agree that Samsung will collect, use and transfer internationally data relating to your device, including technical information about the systems and applications, application programs and devices associated with and connected to your device, in order to provide product support, engage in statistical research, upgrade our software and provide other related services. This data may be shared with other Samsung affiliates worldwide and our service providers for these purposes.
</snip>
YMMV with the Enterprise Edition
Tuesday 20th June 2017 16:56 GMT GettinSadda
VLC Exploit Seems Live!
VLC seems to have a similar hole, and it is being exploited.
Note that I have not 100% verified this is not a false alarm.
However, my copy of VLC Player 2.2.4 just offered to download the latest version and I got the following pop up from BitDefender:
"The file {local\temp}\vlc-2.2.6-win32.exe is infected with Gen:Variant.razy.181333."