SDHC/SDXC Memory Card with embedded wireless LAN functionality FlashAir™ may have a security vulnerability related to the generation and management of WPA2 key

  • October 17, 2017
  • Toshiba Memory Corporation

Toshiba Memory Corporation is informing our valued customers of a potential WPA2 wireless LAN protocol vulnerability with the Toshiba Memory FlashAir™ (“Product”) has been identified. This vulnerability is related to the generation and management of key information which is utilized for encrypting data. With this vulnerability there exists a possibility that the data transmitted between the Product and wireless LAN devices such as smartphone can be compromised.
The WPA2 is used widely for wireless LAN. We have discovered that this behavior exists when the FlashAir™ W-04 (“Software Update Affected Product”) is used in “STA (Station)” mode or “Internet pass thru” mode. Therefore, we strongly recommend that you do not use the connection of the Software Update Affected Product* to the wireless LAN using the “STA (Station)” mode or the “Internet pass thru” mode until the software has been updated (mentioned below). Unavoidably if you need to connect the Software Update Affected Product using the “STA” mode or the “Internet pass thru” mode, please make sure that the service area is secured from attackers so as to prevent the Product from connecting to fake access points. Furthermore, please be aware that attackers can considerably amplify the signal intensity using a high gain antenna.
To correct this issue we are now in the process of addressing this vulnerability via a software update which is expected to be released on or before the end of December, 2017. Please update the software when it is released. Even if FlashAir™ is used in the “AP (Access Point)” mode, the Wi-Fi device connected to it (“Device”) could exhibit this vulnerability and transmitted data could still be compromised.
We also ask customers to check this vulnerability of the Devices prior to connecting to the FlashAir™ W-03, FlashAir™ W-02 and FlashAir™ Class6, which connect by “AP” mode to the Devices, as well as the Software Update Affected Product. About the vulnerability of the Devices, please contact to Devices’ customer and/or technical support.
If you have any questions about this vulnerability of the Product, please contact the technical support representative and we will be happy to support you. For information regarding how to reach the technical support representative, please visit
https://www3.toshiba.co.jp/semicon/contact_e/cgi-bin/q_form.cgi

Software Update Affected Product Information

Software Update Affected Product
Model
Capacity Label


SDHC/SDXC Memory Card with embedded wireless LAN functionality FlashAir™ W-04
SD-UWA064G 64GB
SD-UWA032G 32GB
SD-UWA016G
16GB
  • Note: “Internet pass thru” mode is disabled by default on the FlashAir™ W-04.

Explanation of the vulnerability

Toshiba Memory Corporation as found a vulnerability of the WPA2 protocol used for wireless LAN encryption. This vulnerability is related to the generation and management of key information that encrypts the data transmitted.

Vulnerability Threat

There exists the possibility that data transmitted between the FlashAir™ W-04 and a wireless device may be compromised.

Workaround

A Software update will be released on or before the end of December, 2017. Until this new software has been released, we strongly recommend that you do not use the connection of the Software Update Affected Product* using the “STA” mode or the “Internet pass thru” mode.
The “AP” mode is enabled by default on the FlashAir™ W-04.
If you have set the “Wireless LAN mode (APPMODE)” following the technical information provided on the website for developers “FlashAir Developers”, please see “Wireless LAN mode (APPMODE)”.
If you are using FlashAir™ iOS or Android™ App, while connecting to Wi-Fi network to FlashAir™, open “Settings” > “FlashAir settings” > “Internet pass thru mode” and then you can check and/or change the mode.
If you are prompted to enter ”MASTERCODE” enter the ”MASTEROCDE”

Open "Settings" > "FlashAir Settings" > "Internet pass thru mode" and then you can check and/or change the mode.
Open "Settings" > "FlashAir Settings" > "Internet pass thru mode" and then you can check and/or change the mode.

In the case of FlashAir™ Configuration Software
Insert the FlashAir™ into a PC. Open ”FlashAir Configuration Software” > ”Network settings” and then you can check and/or change the mode.

Open "FlashAir Configuration Software" > "Network settings" and then you can check and/or change the mode.
  • WPA2 is a trademark of Wi-Fi Alliance.
  • Android is a trademark of Google Inc.
  • All other company names, product names, and service names may be trademarks of their respective companies.