Slashdot Mirror
Cracking a Crypto Hard Drive Case
juct writes "A label on the box reading 'AES' does not ensure that your data are protected. heise examined a hard drive enclosure with an RFID key that is typical of many similar products. They found that the 128-bit AES hardware encryption claimed in advertisements was in fact a simple XOR encryption that they were able to break easily with a known plaintext attack." The manufacturer of the drive examined has announced that the product is being retooled and will be reintroduced later this year, presumably with actual AES encryption.
Would something like TrueCrypt, where you can easily look at the source, be a better solution? At the very least, it could avoid problems like these.
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
I think this is actually true in some cases. I once worked on some 2.4ghz radios from a certain vendor, and if you forgot the admin password you could expose them to the net and they could "unlock" them (YIKESOMG). They also had a version where you gave them the MAC of the radio and they gave you a special "unlock" password over the phone. Yea. It wasn't even random either, it was an english word iirc. The world of proprietary network gear = ugh. I prefer building them myself using Soekris or similar.
Obligatory blog plug: http://www.caseybanner.ca/
The only exception I've read about is SEAL but IIRC that's still patented by IBM.
Actually, this is nothing new. A couple of months ago the dutch colleagues at tweakers.net had a couple of great reports on how crappy the 'fingerprint security' USB drives are. Most of them are ont he same level of crappyness this one is.
Quack damn you!
er wait, sorry. well some companies REALLY do rely on copyright for security. An example is the ASSA key and lock company. They make some really nice keys, but what makes them hard to copy? Copyrights on the "code" represented by the teeth on the keys.
This is totally different than a patent on a real cool key, it's a copyright on the "data" that essentially is the serial number for sales account, dealer, region, and country.
Their whole selling point is that no one can copy a key if it's copyrighted. I mean, shit...it worked for other industries... (:
THL phish sticks
The good thing about having the crypto performed in the enclosure is, that you can perform this kind of analysis. Had the same "encryption" been implemented directly on the disk or in a usb stick, it might not have been noticed, that it was so weak. My take on this is to never trust the crypto performed by such an enclosure unless there is a software implementation doing the exact same thing, and that one has been carefully inspected. The point of doing the encryption in hardware is performance, it does not add any additional security.
Do you care about the security of your wireless mouse?
Stop suggesting software and give us viable (ie secure) hardware alternatives.
What are the not-so-cheap external enclosures?
[Fuck Beta]
o0t!
I have an AES-encrypted ext3 partition on some portable drive somewhere (using the encrypted loopback device) and I once had the impression that it has the same problem, just XORing every sector with the same 512-bit key. Am I the onlt one? I don't have the drive here right now to check it out, unfortunately..
Why havn't they been charged with fraud and false advertising.
If I sell you a padlock, claiming that its made of steel, when actually its made of a Silly Putty and rubber bands, then I'm going have my day in court. Why Tech vendors seem TOTALLY immune to this kind of prosecution.
Puts me in mind of SecuLock (was that the name?), they were featured here a while back, they make "secure" USB memory sticks, they claimed AES encryption, killswitches and other bells and whistles, but if you were to have a quick look at one of the DLL's exports, you can see a an Unlock routine. You see, the user's password wasn't used as a key, Oh no, they had one global key and a simple IF to check the passwords.
Though this is much, much worse, it beggars the question; how can we berate employees for losing disks and laptops, when the vendors are happy to look us in the eye and lie to us, about standards that I was able to implement when I was about 16.
It's either government interferance (remember, the USA's law forcing vendors to embed backdoors for them), or its just plain lazy, either way, it's got to stop.
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
(forget Windows crypto, it's littered with backdoors unless configured JUST right, which is not an easy task and definitely not default). care to cite a source? i know a couple of people who would vehemently argue that windows crypto is very secure indeed and would be interested to read more about it.
By and large, language is a tool for concealing the truth. -- George Carlin
Agreed. This is exactly what freecom did when they sold me a usb bluetooth adaptor with an antenna. I dropped it one day, and the little case popped open. OK, that happens; no big deal. What WAS a big deal though, was the antenna -- it was simply a bit of plastic, swinging from a hole in the case. There were no wires attached to this, nothing else near it that even suggested it might have accidentally been shipped with a "placeholder" or something like that. It was simple, unadultered fraud. The antenna might as well have been made by Tomy, which is a shame, as otherwise, it worked fine, and the antenna probably was unnecessary after all (I bought that model FOR it's antenna figuring it wouldn't hurt, and might help).
What do freecom gain from this? Something like $5, I'd guess, after the store etc. take their cuts.
What do they lose? Me, as a an IT industry purchaser, ever buying their products again. Me telling other IT people on slashdot what I think of Freecom.
What could they have done instead, to compete with manufacturer X's? "We're confident in our product's reception/transmission, and have no need for gimmicks like the antennas manufacturer X uses." I probably would have bought a lot more of their stuff after that.
Dumbasses.
Well, welcome to the new world of IT. Now it's official that we got the first fake products that the time has come, IT security has become an issue.
... well, sometimes), later they hired some sort of goons who could credibly talk the average HR guy under the desk in IT babble, and a few went on and hired real IT people.
How do you know? Well, companies finally realize that yes, we want some sort of security. They usually have no idea about it (how should they, their administrators are usually some goons hired from the street who know how to use a mouse, what makes them administrators is that they know that TCP/IP ain't the Chinese secret service. MAYBE they can build a VPN tunnel). But encryption?
You know what the brass level says in this case: "Ain't there some product we can buy?" And in comes stuff like this. Stuff that promises security. Nobody can verify it (in the average company), but their admin might even have heard of AES, knows it's decent and thus buys the product. Why? Hey, it says "AES encryption" on the box!
We'll see a lot more products like this in the near future. Then, in about 2 years, companies will realize that they will have to spend money on people to get real security. It's just like it was with the advent of networking and later when "the internet" came into companies. First, they tried to buy products (which were just as shoddy as this one, promising "easy installation" wonders only to work
It will be the same with security. Today you have the "buying the wonders" phase. Give it two years and companies will start to train or hire security people. Yes, many will stick with the goons with better fast-talking skills than IT skills, but some will go for good security people.
So, personally, I'd start digging into that sector. We'll see more of that soon.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.