It feels like high-capacity SSDs are getting cheaper all the time, but in the words of a security researcher known as Ray Redacted on Twitter, there are still some deals that are too good to be true. In the spirit of discovery, he bought a “30TB” external SSD from AliExpress for $31.40, which also happens to be listed on Walmart’s website for $39 (I am linking it for educational and entertainment value, please do not buy it).
For those of you who are following this thread but not understanding the scam:
Scammer gets two 512MB Flash drives. Or 1 gigabyte, or whatever. They then add hacked firmware that makes it misreport its size.
Windows reports EXACTLY 15.0 terabytes. Not 14.89, Not 14.78
— Ray [REDACTED] (@RayRedacted) August 26, 2022
But when you go to WRITE a big file, hacked firmware simply writes all new data on top of old data, while keeping directory (with false info) intact.
H2Testw actually WRITES & then RE-READS its data. But the scammer slowed the bus down from 5 gigabits per second to .48 gigabits
— Ray [REDACTED] (@RayRedacted) August 26, 2022
On the inside, this “SSD” looks like two small-capacity microSD cards hot glued to a USB 2.0-capable board. This board’s firmware has been modified so that each of these cards reports its capacity as “15.0TB” to the operating system, for a total of 30TB, even though the actual capacity of the cards is much lower. This is another giveaway; Windows reports drive capacities in gibibytes (1,024 mebibytes) or tebibytes (1,024 gibibytes), while drive manufacturers use gigabytes (1,000 megabytes) and terabytes (1,000 gigabytes). This is why a 1TB drive normally only has a reported capacity of 930-ish GB, rather than a nice round number.
The drive is even more clever when it comes to tricking people into thinking it’s working. It preserves the directory structure of whatever you’re copying, but when it’s “copying” your data, it just keeps writing and rewriting over the tiny microSD cards. Everything will look fine until you go to access a file, only to find that the data isn’t there.
Replies to Ray Redacted’s thread are full of alternate versions of this scam, including multiple iterations of the hot-glued microSD version and at least one that hid a USB thumb drive inside a larger enclosure.
Fake USB storage devices are neither new nor rare, though this one makes spectacularly egregious claims about its price-per-gigabyte. When it comes to buying storage online, common-sense advice is best: stick to name brands, buy from trustworthy sellers (not just retail sites you trust—the Walmart listing is sold by “JD E Commerce America Limited,” whatever that is), and know that if a deal seems too good to be true, it almost certainly is.
https://arstechnica.com/?p=1876366