Bob ‘n Alice On Security

Helping to Avoid a False Sense of Security

Archive for March 2009

Raidon Staray-S Series Cracked

Here’s a link to a recent and well-documented cracking session by Christiane Rütten at The H Security. In it the Staray S325, put out by Raidon, is found to have multiple vulnerabilities and is thoroughly cracked. The moral of the story: even hardware encryption is of no benefit if implemented on budget drives with poor encryption.

http://www.h-online.com/security/Cracking-budget-encryption--/features/112548

As always, stay safe and avoid a false sense of security.

Written by Alice

March 30, 2009 at 20:22

MXI Attempts To Block Malware But Doesn’t Get It Quite Right

Perhaps in response to Bob’s analysis of the MXI Stealth MXP device, the manufacturer has come out with a technology that purports to prevent malicious code from being written to the “read only” partition of their Stealth MXP secure hardware encrypted flash drive.

In a very strangely worded press release on February 17, 2009, the company announced “MXI Security Expands Lockdown Delivery Service to Help Enterprise Customers Fight Malicious Software”. The service allows enterprise customers to use MXI’s ACCESS Enterprise software to set a “unique management code” that guarantees that the software on devices cannot be modified by anyone except the end customer.

We tested this functionality on a Stealth MXP device. Basically, a user or administrator can set a code or password which must be entered correctly when performing a software update to the “read only” partition. We set this access code, and then tried to update the software on the “read only” partition. As advertised, the software update was not successful without first entering the access code.

However, we also determined that this access code is not protected against brute force password guessing! Unlike the device password, it seems that you can try an infinite number of access codes. We tried an incorrect code 100 times, and then we entered the correct code, and the device again allowed us to load malicious software onto the “read only” partition.

It’s strange that a security company would miss out on such an obvious vulnerability. Any attacker wishing to infect a user’s device with malware could do a brute force attack on the access code of the device in order to overwrite the “read only” partition.
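To make the missing control concrete, here is an added example (not MXI's code and not part of the original post) that models the update check twice: once with no attempt limit, matching the behaviour observed in the test above, and once with a failure counter that locks the update path. The class and function names, the limit of 10 and the lockout behaviour are assumptions made for illustration.

```python
import hmac
from typing import List, Optional


class UpdateGate:
    """Toy model of the device-side check guarding writes to the "read only" partition."""

    def __init__(self, management_code: str, max_failures: Optional[int]):
        self._code = management_code.encode()
        self.max_failures = max_failures  # None models the unlimited-guess behaviour
        self.failures = 0                 # on real hardware this must be non-volatile

    @property
    def locked(self) -> bool:
        return self.max_failures is not None and self.failures >= self.max_failures

    def try_update(self, supplied_code: str) -> str:
        if self.locked:
            return "locked"
        # Count the attempt before comparing, so cutting power mid-check
        # cannot be used to skip the increment.
        self.failures += 1
        # Constant-time comparison avoids leaking how much of the code matched.
        if hmac.compare_digest(supplied_code.encode(), self._code):
            self.failures = 0             # a correct code clears the counter
            return "update-accepted"
        return "locked" if self.locked else "rejected"


def replay_test(gate: UpdateGate, wrong_attempts: int, correct_code: str) -> List[str]:
    """Repeat the post's test: N wrong codes, then the correct one."""
    results = [gate.try_update("wrong-code") for _ in range(wrong_attempts)]
    results.append(gate.try_update(correct_code))
    return results


CODE = "constructed-code-1234"            # constructed sample value

if __name__ == "__main__":
    for limit in (None, 10):
        outcome = replay_test(UpdateGate(CODE, limit), 100, CODE)
        print(f"max_failures={limit}: final attempt -> {outcome[-1]}")
```

Repeating the 100-wrong-then-correct test against a device is a quick acceptance check for any product that claims this kind of update protection: the final attempt should be refused.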

Even if the devices correctly prevented a brute-force password guessing attack on the access code, this still would not prevent a malicious attacker from infecting their own new device and leaving it in the company parking lot, where an employee might pick it up and plug it into an internal company computer.

I agree with Bob’s initial comment that secure devices should actually require a valid digital signature on the software before allowing an update to happen.

As always, stay safe and avoid a false sense of security.

Written by Alice

March 5, 2009 at 14:48