Bob ‘n Alice On Security

Helping to Avoid a False Sense of Security

Archive for the ‘Synology: BIO-250U’ Category

Breaking the Security of an Encrypted Hard Drive with Biometrics

leave a comment »

In these days of data protection regulations, it’s encouraging to see some vendors starting to deliver encrypted hard drives. Here is an article that looks at the BIO-250U AES encrypted hard drive by Synology.

We found the following attack on this biometric and password-protected encrypted hard drive to have echoes of the attacks on flash drives below. Basically by modifying a single register in an unlocker program, you are able to defeat the biometric security, and the drive just opens up. The password is similarly insecure.

What this points to for biometric devices is a potential weakness in encryption key management. For example, if a password-protected device uses the password to derive an encryption key (this would not meet FIPS 140-2 requirements), then the biometric chip would somehow have to store the password so that when you authenticate, you can decrypt the data.

Another approach would be for the encryption key to be randomly generated (this is in compliance with FIPS 140-2 requirements), and then stored encrypted by some derivation of the password. Again though, the biometric device would need a copy of this password derivation in order to decrypt the AES encryption key. If the architecture doesn’t use some kind of secret key sharing, then you are simply relying on the biometric device to say “please unlock” the encrypted data. That’s the basis for many of these biometric device hacks.

As always, stay safe and avoid a false sense of security.


Written by Alice

January 9, 2009 at 22:33

Posted in Synology: BIO-250U