Cracking a Crypto Hard Drive Case

juct writes "A label on the box reading 'AES' does not ensure that your data are protected. heise examined a hard drive enclosure with an RFID key that is typical of many similar products. They found that the 128-bit AES hardware encryption claimed in advertisements was in fact a simple XOR encryption that they were able to break easily with a known plaintext attack." The manufacturer of the drive examined has announced that the product is being retooled and will be reintroduced later this year, presumably with actual AES encryption.

How about a software solution?

[palegray.net]

Would something like TrueCrypt, where you can easily look at the source, be a better solution? At the very least, it could avoid problems like these.

Re:How about a software solution?

[davmoo]

There's another disadvantage to hardware encryption like this product, even if it worked correctly, and why I also favor something like TrueCrypt (which is infact what I use) even if it might make a bit more work for the computer. The maker says "this is our special chip, and here's the source for our firmware for you to inspect"...now, how do you *know* that's really the firmware that's on that chip? Very few of us are in a position where we could take that source and make our own chip. In a situation where I want to be assured of security, I'm going to not only use TrueCrypt, I'm going to compile it myself.

Re:How about a software solution?

I'm going to not only use TrueCrypt, I'm going to compile it myself.

That won't help you. You need to read Reflections of Trusting Trust by Ken Thompson: http://cm.bell-labs.com/who/ken/trust.html

Re:So what happens...

[kcbanner]

I think this is actually true in some cases. I once worked on some 2.4ghz radios from a certain vendor, and if you forgot the admin password you could expose them to the net and they could "unlock" them (YIKESOMG). They also had a version where you gave them the MAC of the radio and they gave you a special "unlock" password over the phone. Yea. It wasn't even random either, it was an english word iirc. The world of proprietary network gear = ugh. I prefer building them myself using Soekris or similar.

Re:XOR encryption can be good

[RupW]

Stream Ciphers also use XOR, but are much more convenient to use and could very easily be used to encrypt a hard drive. The problem is that very few stream ciphers allow you to quickly seek to an arbitrary point in the stream - so unless you just want to read the entire drive sequentially you're SOL.

The only exception I've read about is SEAL but IIRC that's still patented by IBM.

This is nothing new

[SchizoDuckie]

Actually, this is nothing new. A couple of months ago the dutch colleagues at tweakers.net had a couple of great reports on how crappy the 'fingerprint security' USB drives are. Most of them are ont he same level of crappyness this one is.

WTF?

[EddyPearson]

Why havn't they been charged with fraud and false advertising.

If I sell you a padlock, claiming that its made of steel, when actually its made of a Silly Putty and rubber bands, then I'm going have my day in court. Why Tech vendors seem TOTALLY immune to this kind of prosecution.

Puts me in mind of SecuLock (was that the name?), they were featured here a while back, they make "secure" USB memory sticks, they claimed AES encryption, killswitches and other bells and whistles, but if you were to have a quick look at one of the DLL's exports, you can see a an Unlock routine. You see, the user's password wasn't used as a key, Oh no, they had one global key and a simple IF to check the passwords.

Though this is much, much worse, it beggars the question; how can we berate employees for losing disks and laptops, when the vendors are happy to look us in the eye and lie to us, about standards that I was able to implement when I was about 16.

It's either government interferance (remember, the USA's law forcing vendors to embed backdoors for them), or its just plain lazy, either way, it's got to stop.

Freecom equally bad

[CarpetShark]

Trust is a precious resource that you must cultivate; it's not a boomerang. Never risk throwing it away.

Agreed. This is exactly what freecom did when they sold me a usb bluetooth adaptor with an antenna. I dropped it one day, and the little case popped open. OK, that happens; no big deal. What WAS a big deal though, was the antenna -- it was simply a bit of plastic, swinging from a hole in the case. There were no wires attached to this, nothing else near it that even suggested it might have accidentally been shipped with a "placeholder" or something like that. It was simple, unadultered fraud. The antenna might as well have been made by Tomy, which is a shame, as otherwise, it worked fine, and the antenna probably was unnecessary after all (I bought that model FOR it's antenna figuring it wouldn't hurt, and might help).

What do freecom gain from this? Something like $5, I'd guess, after the store etc. take their cuts.

What do they lose? Me, as a an IT industry purchaser, ever buying their products again. Me telling other IT people on slashdot what I think of Freecom.

What could they have done instead, to compete with manufacturer X's? "We're confident in our product's reception/transmission, and have no need for gimmicks like the antennas manufacturer X uses." I probably would have bought a lot more of their stuff after that.

Dumbasses.