If someone tries to sell you 30TB of solid-state storage for under $40, consider turning around and running, no matter how many clipart rockets they use in their photos.
It feels like high-capacity SSDs are getting cheaper, but in the words of a security researcher known as: Ray edited on twitter there are still some deals that are Too good to be true. In the spirit of discovery, he bought a “30TB” external SSD from AliExpress for $31.40, which also happens to be listed on the Walmart website for $39 (I’m linking it for educational and entertainment value, please don’t buy it).
For those of you following this thread but not understanding the scam:
Crook gets two 512MB Flash drives. Or 1 gigabyte, or whatever. Then they add hacked firmware causing it to misreport the size.
Windows reports EXACTLY 15.0 terabytes. Not 14.89, Not 14.78
– Ray [REDACTED] (@RayRedacted) August 26, 2022
But if you’re going to WRITE a large file, the hacked firmware just writes all the new data on top of the old data, leaving the folder (with false info) intact.
H2Testw WRITES then READ its data. But the scammer slowed down the bus from 5 gigabits per second to 0.48 gigabits
– Ray [REDACTED] (@RayRedacted) August 26, 2022
On the inside, this “SSD” looks like two small-capacity microSD cards hot glued to a USB 2.0 compatible board. The firmware of this board has been modified so that each of these boards reports its capacity as “15.0TB” to the operating system, for a total of 30TB, although the actual capacity of the cards is much lower. This is another giveaway; Windows reports drive capacities in gibibytes (1,024 mebibytes) or tebibytes (1,024 gibibytes), while drive manufacturers use gigabytes (1,000 megabytes) and terabytes (1,000 gigabytes). This is why a 1TB drive normally only has a reported capacity of 930GB, rather than a nice round number.
The drive is even smarter when it comes to making people think it works. It retains the folder structure of anything you copy, but when it “copies” your data, it just keeps writing and rewriting across the tiny microSD cards. Everything looks fine until you open a file, only to find the data isn’t there.
Replies to Ray Redacted’s thread are full of alternate versions of this scam, including multiple iterations of the hot-glued microSD version and at least one that hid a USB stick in a bigger case.
Fake USB storage devices are not new or rare, although this device makes spectacularly blatant claims about price per gigabyte. When it comes to buying storage space online, common sense advice is best: stick with name brands, buy from reputable sellers (not just shopping sites you trust – the Walmart listing is sold by “JD E Commerce America Limited”, whatever that means). also), and know that if a deal seems too good to be true, it almost certainly is.
