Bob ‘n Alice On Security

Helping to Avoid a False Sense of Security

MXI Attempts To Block Malware But Doesn’t Get It Quite Right

with one comment

Perhaps in response to Bob’s analysis of the MXI Stealth MXP device, the manufacturer has released a technology that purports to prevent malicious code from being written to the “read only” partition of their Stealth MXP secure hardware encrypted flash drive.

In a very strangely worded press release on February 17, 2009, the company announced “MXI Security Expands Lockdown Delivery Service to Help Enterprise Customers Fight Malicious Software”. This allows enterprise customers to use their ACCESS Enterprise software to set a “unique management code” that guarantees that the software on devices cannot be modified by anyone except the end customer.

We tested this functionality on a Stealth MXP device. Basically, a user or administrator can set a code or password which must be entered correctly when performing a software update to the “read only” partition. We set this access code, and then tried to update the software on the “read only” partition. As advertised, the software update was not successful without first entering the access code.


However, we also determined that this access code is not protected against brute force password guessing! Unlike the device password, it seems that you can try an infinite number of access codes. We tried an incorrect code 100 times, and then we entered the correct code, and the device again allowed us to load malicious software onto the “read only” partition.


It’s strange that a security company would miss out on such an obvious vulnerability. Any attacker wishing to infect a user’s device with malware could do a brute force attack on the access code of the device in order to overwrite the “read only” partition.

Even if the devices correctly prevented a brute-force password guessing attack on the access code, this still would not prevent a malicious attacker from infecting their own new device and leaving it in the company parking lot, where an employee might pick it up and plug it into an internal company computer.

I agree with Bob’s initial comment that secure devices should actually require a valid digital signature on the software before allowing an update to happen.
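The test described above (100 wrong codes, then the correct one), replayed against a model of an update gate with and without a persistent failed-attempt counter. This is an added example, not MXI's firmware and not code from the original post; the `UpdateGate` class, the limit of 10 and the code values are assumptions made for illustration.

```python
import hmac


class UpdateGate:
    """Hypothetical model of the check guarding writes to the "read only" partition."""

    def __init__(self, management_code: bytes, max_failures=None):
        self._code = management_code
        self._max_failures = max_failures  # None = unlimited tries, as observed in the post
        self._failures = 0                 # a real device would keep this in non-volatile storage
        self.partition = b"original software"

    @property
    def locked(self) -> bool:
        return self._max_failures is not None and self._failures >= self._max_failures

    def update(self, code: bytes, image: bytes) -> bool:
        if self.locked:
            return False                   # once locked, even the correct code is refused
        # Count the attempt before comparing, so cutting power mid-check cannot skip the count.
        self._failures += 1
        if not hmac.compare_digest(code, self._code):
            return False
        self._failures = 0                 # a successful entry clears the counter
        self.partition = image
        return True


def replay_post_test(gate: UpdateGate, correct: bytes, wrong_tries: int = 100) -> bool:
    """Enter a wrong code `wrong_tries` times, then the correct one; report if the write landed."""
    for _ in range(wrong_tries):
        gate.update(b"wrong-code", b"untrusted image")
    return gate.update(correct, b"untrusted image")


CODE = b"constructed-management-code"        # constructed sample value
unlimited = UpdateGate(CODE)                 # behaviour reported in the post
limited = UpdateGate(CODE, max_failures=10)  # assumed limit, for illustration

if __name__ == "__main__":
    print("unlimited gate accepts after 100 failures:", replay_post_test(unlimited, CODE))
    print("limited gate accepts after 100 failures:  ", replay_post_test(limited, CODE))
```

The counter addresses only code guessing; requiring a valid signature on the update image, as the paragraph above recommends, is a separate control.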

As always, stay safe and avoid a false sense of security.


Written by Alice

March 5, 2009 at 14:48

One Response


  1. But doesn’t this mean that the original article was incorrect? It doesn’t look like you can put stuff on the software area of the device without a password, right?

    Justin

    March 17, 2009 at 09:00

