Some organisations (e.g. pharmaceutical companies, medical researchers) mandate that all employees have physically encrypted portable drives. The presumption is that "bad but enough encryption" is better than "non technical user can't work out how to use an encrypted filesystem". The really sensitive stuff is walked around on both…
LOL. This is about as secure as the spin dials on luggage. The hardware contains the pin # in memory that (presumably) decrypts the key, just like any mechanical lock contains the combination (in its physical configuration) that unlocks it.
And if the pin implementation is this hackneyed, I have a feeling that the so-called encryption is anything but.
> And if the pin implementation is this hackneyed, I have a feeling that the so-called encryption is anything but.
Totally. I'd be super curious to know if anyone's just tried plugging the hard drive into another controller. Won't surprise me at all if the "security" here is just not starting the USB drive controller without the correct pin being entered. There isn't any evidence here for enough hardware to turn that pin into an encryption key and encrypt/decrypt data on the fly. (I guess it's possible that's all built into the USB controller?)
Clearly, a company advertising encrypted drives could and should do better than this. Good on this researcher for calling out shoddy workmanship and posting about it.
This is a warning to people with access to highly sensitive data. But for everyday stuff, you do need to keep the value of your data in perspective.
It took a security researcher 40 hours to crack this thing. Should you store state secrets on this? No, it can be cracked by a determined adversary. Would I feel safe storing my personal financial data on a device like this one? Meh, sure, good enough.
What is even the point of encrypted drives over just using filesystem encryption managed by the OS? I'm guessing some minor portability benefit across OSs but is this really worth trusting the OEM over?
There is no truly portable FS encryption managed by the OS. I've not seen OS encryption which will allow mounting the same drive, e.g. in Windows and in FreeBSD. Or even connecting an encrypted drive to a Smart TV (which is likely Linux based, but would not allow installing unsigned firmware).
This is a USB hard drive though. Even a cheap laptop can encrypt data faster than you can transfer over USB.
Maybe I might understand if this was some kind of server SSD but even then I'm not sure it would make sense.
That is true today. It hasn't always been true.
In fact Microsoft's own BitLocker dropped reliance on hardware encryption to work around this same problem. And now that the performance impact is minimal it makes sense to default to software.
> Clearly, a company advertising encrypted drives could and should do better than this. Good on this researcher for calling out shoddy workmanship and posting about it.
I'm not even convinced these companies can implement the core functions of their firmware properly. Why would anyone trust their proprietary cryptography solution? It's just insane.
Well, now that it's cracked, others will have a much easier time. And if you have more than $290 saved, you're already over minimum wage if it takes 40 hours to crack, so I would not consider that thing to be secure enough. Plus, even if you do consider these things secure enough, why would you pay extra to have less security when you can encrypt your normal drive that you already have for free and get a much higher level of security?
Ironkey are a bit different in that they were actually designed by hackers to be tamper-proof. The bar is a bit higher on that one. Alex Stamos jokingly offered to crack it for a percentage. AFAIK nobody has actually broken those yet.