Report. Investigating secure USB sticks. Investigating secure USB sticks Classification PUBLIC

Transcription

1 Report Investigating secure USB sticks Classification PUBLIC Unique Copy Number Internet Release RE: Secure USB stick audit Date 26 November 2007 Version 1.4 Author P.J. Bakker et al. Business Unit Fox Crypto Pages 41

2 PUBLIC This document is classified as public. No formal access restrictions apply to this document. The distribution of this document may however be limited to the addressee(s) as listed on the document management distribution list. If you feel you have received this document in error, you can close this document and return it to Fox-IT. Misuse of this document or any of its information is prohibited and will be prosecuted to the maximum penalty possible. Fox-IT cannot be held responsible for any misconduct or malicious use of this document by a third party or damage caused by its contained information. Fox-IT Forensic IT Experts B.V. Olof Palmestraat LM Delft P.O. box AP Delft The Netherlands Phone: +31 (0) Fax: +31 (0) [email protected] Internet: Copyright 2007 Fox-IT Forensic IT Experts B.V. All rights reserved. No part of this document shall be reproduced, stored in a retrieval system or transmitted by any means without written permission of Fox-IT. Violations will be prosecuted by applicable law. The general service conditions of Fox-IT Forensic IT Experts B.V. apply to this documentation. Trademark Fox-IT and the Fox-IT logo are trademarks of Fox-IT Forensic IT Experts B.V. All other trademarks mentioned in this document are owned by the mentioned legacy body or organization.

3 Management Summary In the years 2005 and 2006 the Dutch government was plagued by leakage of secure information due to the loss of USB sticks. In addition more and more important information is stored on USB sticks for storage or transportation. Loss of these USB sticks often means loss of this information as well. In case of sensitive information it is important to prevent other parties to obtain this information. A possible solution to this problem would be to use secure USB sticks to store the sensitive information. A number of manufacturers of USB sticks have created secure alternatives to the normal USB stick. The idea behind the secure USB sticks is that there is some form of authentication needed to obtain the data from the USB stick. In case a secure USB stick is lost it should not be a problem since the finder of the USB stick does not have the means to authenticate to the device and therefore can not obtain the information stored on the device. Fox-IT tracked down a selection of the available so-called secure USB sticks on the market today and has taken a look at them to see if they are really as secure as the manufacturers claim they are. This investigation looks at the ability of a selection of secure' USB sticks to prevent unauthorized access to the user data when the devices are lost or stolen. The devices looked at in this investigation are the RiTech BioSlimDisk icool, the RiTech BioSlimDisk v2.0, the Kingston DataTraveler Elite, the Kingston DataTraveler Elite Privacy Edition, the Intuix S500, the MXI MXP Stealth, the SafeBoot Phantom and the Kobil midentity During the investigation the devices were thoroughly analyzed for possible security weaknesses. Where possible, attacks for these weaknesses were implemented in order to check the validity of the analyzed weaknesses. These attacks were both physical and logical in nature. It can be concluded that it was possible to obtain the data from both the BioSlimdisk 2.0 and BioSlimdisk icool edition by reading out the storage memory directly, bypassing the security mechanism. Because of this both BioSlimdisks are not regarded secure. The Kobil midentity did succeed in protecting the private data since it was not possible to obtain the data without the correct authentication information. This makes the Kobil midentity the most secure USB stick in a Lost-and-found scenario. In case the USB stick is used not only to protect against loss or theft, but against active attackers as well, there is a viable attack possible against this USB stick. In that case the midentity provides less security than the MXI MXP Stealth and the Safeboot Phantom. For the Kingston DataTraveler Elite, Kingston DataTraveler Elite Privacy Edition, Intuix S500, MXI MXP Stealth and Safeboot Phantom the used password is the weakest factor. For the Kingston DataTraveler Elite Privacy Edition the impact of this attack is smaller since this stick requires users to choose a marginally strong password. In case of the MXI MXP Stealth and the Safeboot Phantom this attack doesn t make the device insecure as long as two factor authentication is used. In addition the password strength can be enforced by the factory for the latter devices. This leaves Fox Crypto to conclude that the tested USB sticks can be ranked for security in case of a normal Lost-and-found scenario in the following order: Secure 1. Kobil midentity 2. MXI MXP Stealth and Safeboot Phantom (With strong password enforcement) 3. Kingston DataTraveler Elite Privacy Edition (If strong passwords are used) 4. Kingston DataTraveler Elite and Intuix S500 (If strong passwords are used) Insecure BioSlimdisk 2.0 and BioSlimdisk icool In case the USB stick should protect against more than simple loss or theft, such as active attackers for the data, the current version of the Kobil midentity is not a valid solution. Update for internet release version: Some vendors have requested that a comment is included in the report on release. These literal comments can be found at the end of the respective chapters. Fox-IT has not verified these responses and does not guarantee their correctness.

4 Table of Contents Management Summary Introduction Scope of investigation Constraints Attack Scenarios Method of investigation Analyzing documentation Hardware dissection Raw memory reading USB traffic capturing Brute force attacks Common attack possibilities Bypass authentication Brute force the user s password Online and offline brute force attack Preventing brute force attacks Attack on the encryption algorithm Key length Encryption Mode Attack the fingerprint authentication Investigated USB Sticks RiTech BioSlimDisk The software The hardware Attacks Summary and conclusion Vendor s comment M-Systems mdrive 500 based Features The software KeySafe DTE_privacy_launcher The hardware Attacks Brute force the user password Cracking the encryption algorithm used Summary and conclusion MXI MXP Stealth and SafeBoot Phantom Features The software The hardware Attacks Cracking the authentication mechanism Cracking the encryption algorithm used Summary and conclusion Vendor s comment Kobil midentity Features... 34

5 9.2 The software The hardware Attacks Side track Possible attack scenario Investigation Summary and conclusion Vendor s comment Conclusion Bibliography Glossary List of Figures Figure 3.1: A soldered BGA flash (left) and an EEPROM programmer (right)...9 Figure 3.2: SnoopyPro in action...9 Figure 4.1: ECB Encryption mode[10] Figure 4.2: CBC Encryption mode[10] Figure 6.1: BioSlimDisk 2.0 and icool Edition Figure 6.2: PCB of BioSlimDisk 2.0 (left) and icool (right) Figure 6.3: Resin covered memory chip Figure 7.1: Intuix S500 and Kingston Datatraveler Elite Figure 7.2: KeySafe+ disk format screen Figure 7.3: KeySafe login screen Figure 7.4: DTE_privacy_launcher unlock screen Figure 7.5: DTE_privacy_launcher systray menu Figure 7.6: mdrive 500 Hardware (front + back) Figure 7.7: mdrive with Flash memory write enable pins connected to ground Figure 8.1: MXI MXP Stealth and SafeBoot Phantom Figure 8.2: MXP Stealth unlock tool, Fingerprint (left) and password authorization (right) Figure 8.3: MXP Stealth management software Figure 8.4: MXP Stealth PCBs, top PCB (top) and bottom PCB (bottom) Figure 8.5: Scraping off the resin Figure 8.6: Chip obfuscated by sanding of the top Figure 8.7: Memory chip soldered for reading Figure 8.8: MXP Stealth casings opened one way or another Figure 8.9: Top PCB connected to EEPROM reader through connector Figure 8.10: Serial port connected to fingerprint processor Figure 9.1: The Kobil midentity Figure 9.2: First time initialization Figure 9.3: Front side of Kobil midentity PCB Figure 9.4: Back side of Kobil midentity PCB Figure 9.5: Writing a new EEPROM (left) that forces both LEDs on (right)... 36

6 1 - Introduction 1 Introduction In the years 2005 and 2006 the Dutch government was plagued by leakage of secure information due to the loss of USB sticks. Starting in January with the loss of an USB stick by an employee of the MIVD containing secret information [5]. Followed in February by a captain of the armed forces who left his USB stick with confidential information in a rented car [6]. These incidents lead the Ministry of Defense to advise all its employees not to use USB sticks to transport confidential and secure information [3]. A possible solution to this problem would be to use safe USB sticks. A number of manufacturers of USB sticks have already created secure alternatives to the normal USB stick. The idea behind the secure USB sticks is that there is some form of authentication needed to obtain the data from the USB stick. In case a secure USB stick is lost it should not be a problem since the finder of the USB stick does not have the means to authenticate to the device and therefore can not obtain the information stored on the device. At least this shouldn t be possible in theory. Fox-IT tracked down a selection of the available so-called secure USB sticks on the market today and has taken a look at them to see if they are really as secure as the manufacturers claim they are. To do this a couple of different attack scenarios have been set-up and the sticks have been tested within a number of constraints. In chapter 2 and 3 of this report the scope and method of this investigation is discussed. In chapter 4 some background information is given about common weaknesses of USB sticks. Chapter 5 introduces the USB sticks that are investigated in this investigation. Chapters 5 up to 9 discuss the different USB sticks investigated and the results of the investigation into those USB sticks. Finally chapter 10 presents the conclusions of the investigation. Update for internet release version: Some vendors have requested that a comment is included in the report on release. These literal comments can be found at the end of the respective chapters. Fox-IT has not verified these responses and does not guarantee their correctness. PUBLIC 6/41

7 2 - Scope of investigation 2 Scope of investigation The goal of this investigation is to Investigate if it is possible to retrieve the user data from a secure USB stick with a limited amount of resources. This investigation mainly focuses on the scenario where a USB stick is lost and is found by a malicious individual, a small group of terrorists, a journalist or any other small party that want s to obtain the data. We assume that the USB stick is found in such an interesting environment that the attacking party is willing to invest around 20 man days or 25,000 Euros into recovering the data. The term secure USB sticks that is used in this investigation is defined in the following way: It is a small removable device for storing non-volatile digital data that uses a USB interface for communication. The device uses Flash memory chips for data storage. The device has some sort of protection against unauthorized access of the contained user data. This investigation focuses on a small selection of the secure USB sticks currently on the market. Which USB sticks are included in the selection and which criteria are used are discussed in chapter Constraints Based on customer usage, the investigation only examined so-called zero-footprint usage of the secure USB stick. This means that no software installation of any kind is required for the usage of the USB stick. In almost all cases a software application has to be started to interact with the device, but this application is started from the USB stick itself and requires no further installation actions. In case extra software needed to be installed to add additional security to the USB stick or the PC in general, this was not performed. One reason is that installation of extra software violates the zerofootprint constraint. In addition other products can provide this support as well and are thus not seen as a feature of the USB stick. 2.2 Attack Scenarios The main scenario that is investigated is the Lost-and-found scenario. In this scenario the USB stick is lost by the owner and found by someone else. The finder doesn t likely know the owner of the USB stick, so it is not possible to obtain the authentication data in any way from the owner of the device. Most times this scenario also applies to a simple theft from a USB stick. All attacks that can be performed in this case are focused on bypassing or cracking the authentication system. Apart from the Lost-and-found scenario the more advanced Obtain-return-obtain scenario can also happen. In this case the USB stick is lost by or stolen from the owner. The thief/finder in this case does know the owner of the USB stick and is willing to return the USB stick to the owner. Before returning the USB stick to the owner the thief/finder will first alter the behavior of the USB stick. The modification in behavior publishes, in some way, the authentication information to a hidden location on the USB stick whenever the owner first unlocks the USB stick. After a while the attacker steals the USB stick again and can now access the user data using the stored authorization information. This scenario is less likely then the Lost-and-found scenario because the attacker risks exposure by obtaining the USB stick for a second time. Scenarios in which the software on the host computer that uses the USB stick is altered or malicious software is injected into the host to obtain the authorization information are not considered in this investigation. PUBLIC 7/41

8 3 - Method of investigation 3 Method of investigation To determine if the user s data can be retrieved from a USB stick without having the user to authenticate, the following investigation methods are used: Analyzing documentation Hardware dissection Raw memory reading USB traffic capturing Brute force attacks More complex attack and investigation methods exist, like timing attacks or side channel attacks. These techniques have not been used in this investigation because in practice all investigated USB sticks can also be broken using the simpler methods described above. Timing attack and side channels attacks also require sophisticated measuring equipment that fall outside the current allocated budget. The following paragraphs go into more depth regarding the different methods of investigation. 3.1 Analyzing documentation A lot of information is gathered by looking at the manufacturer-supplied documentation. This can be either the public available documentation, like manuals and whitepapers, or in some cases also some non-publicly available documentation, like design documents, supplied to Fox Crypto for this investigation. It should be noted that any data available in these documents can also be reverse engineered from the device itself and thus only provide a shortcut for the investigation. Data sheets of individual chips inside the USB Sticks are also used if the manufacturer and type of the chips can be determined. 3.2 Hardware dissection To find out more about the design of the USB sticks all sticks are disassembled. This way the type and brand of the chips used can be established. However some of the manufacturers obscured the chips used on their USB stick. In these cases attempts are made to establish the type and brand by looking at the packaging of the chip and the pin configuration. By figuring out the specific parts of an USB stick a lot of information can be learned about the possible weak spots that might be present on a device. 3.3 Raw memory reading USB sticks contain one or multiple ROM memory chips to store the user data and configuration of the device. In most of the cases the data on the memory chips can not be accessed directly but is first interpreted by the controller of the USB stick before passed to the host computer. This way the controller can deny access to parts of the data on the memory chips. To obtain all data from a memory chip, the memory chips can be read out raw. This means that the memory chip has to be removed from the USB stick and is connected to an external reading device. This way data on the memory chip can also be written if the chip is not read-only. Fox Crypto uses this technique in its investigation. To read and write the memory chips an interface card inside a PC is used in combination with custom-written software. To connect the chips to the interface card the chips need to be soldered as shown in figure 3.1. This setup has been used to read out both EEPROMs and Flash memory chips, which are functionally equal. Later on in the investigation an EEPROM reader was used to read out EEPROMs. An EEPROM reader isn t required to do attacks done in this investigation but it saves a lot of time because it doesn t require the chips to be soldered. Instead the chips can be plugged into a socket, see figure 3.1. PUBLIC 8/41

9 3 - Method of investigation Figure 3.1: A soldered BGA flash (left) and an EEPROM programmer (right) 3.4 USB traffic capturing USB sticks use an USB connection for communication between the device utilizing the storage, most likely a computer, and the USB stick. The protocol that USB sticks use on top of the USB protocol is standardized and is defined in the USB Mass Storage Class specifications [8]. However the Mass storage class specification doesn t include any mechanism for unlocking a secure device through a password or other means. Therefore most secure USB sticks have a vendor-dependent extension to the protocol or use a separate additional protocol for unlocking the device and performing other configuration tasks. To find out what mechanism is used the USB connection can be snooped. This means that all traffic from and to the USB device is captured and analyzed. Snooping can be done in hardware on the USB bus, but can also be done in software. In this investigation software snooping is used because hardware snooping is less cost efficient. Figure 3.2: SnoopyPro in action The software used in this investigation for USB snooping is called SnoopyPro, shown in figure 3.2. SnoopyPro[9] is a windows program that can snoop the USB traffic from and to a specified USB device. PUBLIC 9/41

10 3 - Method of investigation 3.5 Brute force attacks Most of the secure USB sticks use some form of encryption to prevent unauthorized access to user or device data. Most of the times the used encryption algorithm is sufficiently strong to make brute force attacks impossible within a normal time frame. However in some cases where there are strong suspicions about the used key or parts of the key and the encrypted plaintext, a brute force can be used to determine if this suspicion is correct. An example scenario is the case where the key is suspected to be saved in a certain part of the memory and the plaintext is known. In this case all random bytes strings with a length equal to the key length can be used as key to see if the cipher text decrypts to the known plaintext. To perform these attacks custom tools have been written by Fox Crypto. But in most cases these attacks can also be performed with publicly available tools. More on brute force attacks will be discussed in chapter 4 Common attack possibilities. PUBLIC 10/41

11 4 - Common attack possibilities 4 Common attack possibilities There are a number of common attacks possible against USB sticks to obtain the user data from the device in case of a Lost-and-found scenario. Fox Crypto identified the following three attacks that might be used against the USB sticks: Bypass authentication Brute force password Attack on the encryption algorithm Attack the fingerprint authentication Apart from these attacks that are common to all USB sticks there might also be other attacks against a specific USB stick based on its design. The following paragraphs will discuss the different common attacks. 4.1 Bypass authentication All secure USB sticks need some sort of authentication to access the user data. The easiest way to attack a secure USB stick would be to bypass this authentication. One way to do this would be to read out the flash memory of the USB stick directly using another device. This attack can be prevented by using cryptography to encrypt the data on the flash. But this attack can only be prevented if the encryption key used to encrypt the data is based on the authentication data or is stored somewhere very secure. If not, the encryption key could probably be obtained from somewhere in the device. 4.2 Brute force the user s password Because users generally choose insecure passwords it is attractive to do a brute force attack on the user s password. In such an attack different passwords are tried until the correct one is found. This attack exists in a number of variations. The simplest way to brute force a password is to try every possible sequence of allowed characters. Another method is try different words from a dictionary. It is also possible to combine these two variations into one more advanced one that combines dictionary words with random patterns. A brute force attack can be performed online and offline. And a number of protections against both can be implemented in a product. The following paragraphs describe these concepts further Online and offline brute force attack In case of an online brute force attack the password that should be tried is send to the device and the device will answer if it is the correct password. Downside of an online attack is that the password validation on the device is in most cases not optimized for speed and the device has a limited amount of processing power, making an online attack rather slow. In case of an offline attack the password validation algorithm of the device is known and the needed configuration to validate the password is obtained from the device. This way the brute forcing of the password can be done on normal computer, on a network of multiple computers or even on dedicated cracking hardware. This makes an offline attack much faster and thus more plausible to succeed. The only problem with offline brute forcing is that the validation algorithm and location of the configuration stored on the USB stick are needed Preventing brute force attacks One possible way to prevent a brute force attack is to limit the maximum number of login tries per minute, for example a timeout can be added before returning the result of a login attempt. This will limit the number of passwords that can be tried within a certain amount of time. However this method will only work against online attacks. In addition it has to be implemented correctly. Because if the maximum number of passwords per minute is configurable the attacker might be able to disable the prevention by altering the configuration. Another possible method to prevent brute force attacks is to keep a counter of the amount of wrong passwords tried. If the counter exceeds a preset limit the device can deny any future login attempts for a PUBLIC 11/41

12 4 - Common attack possibilities limited amount of time or forever. Again this method only work against online attacks and if the limit is configurable it has to be implemented correctly. Otherwise it may be increased to a very large amount or maybe even totally disabled. Another way to get around this prevention is to reset the wrong password counter. This might be done by replacing the current content of the memory containing the counter with an old copy of the data. Or the memory containing the counter can be made read-only making it impossible for the device to increase the counter. To protect against offline brute force attacks the configuration needed for validation of the password should be stored in a secure place that can only be read by the USB stick. This can be done by embedding some memory for the configuration into the chip that performs the password validation. Of course this memory shouldn t be readable from outside the chip. Another way would be to store the configuration encrypted in a flash chip on the USB stick. However this would still require some secure memory inside the chip that does the password validation to store the encryption key used to encrypt the configuration. To protect against both online and offline attacks a combination of the above described methods should be used. If a maximum password try counter is used to prevent against online attacks it should be noted that the wrong password try counter should be stored inside the chip that does the password validation. Storing the counter encrypted on an external flash isn t sufficient because in that case the counter could simply be reset by replacing the flash content with an old copy. 4.3 Attack on the encryption algorithm Another possible attack is to crack to encryption algorithm, as cryptography is required to protect the data. Currently most modern encryption algorithms, like AES, are not vulnerable to attacks. Though it can occur that weaker algorithms are used or vulnerabilities are found in other, previously thought secure, algorithms. Over time it can even happen that the calculating power of computers increases to a certain level that cracking the encryption algorithm becomes possible. Two main points that influence the security of an encryption algorithm are the key length and the encryption mode used. These subjects will be discussed in the following paragraphs Key length For disk encryption, like for example on an USB stick, symmetric encryption algorithms are used. These are fast, easy to implement in hardware and good for bulk encryption 1. Symmetric algorithms that are considered secure at this moment include Triple DES (3DES) and AES. For example a 128-bits AES key gives = 340,282,366,920,938,463,463,374,607,431,768,211,456 possible keys. Trying every key possible would cost at least 28,298,643,536,297,358,531,636 centuries on a 4.0 GHz PC. Algorithms that aren t considered secure include DES, which only takes a matter of weeks to brute force. Key lengths considered secure for this document include the key lengths for AES (128 bits) and 3DES (112 bits). 1 Asymmetric encryption algorithms are not used because of there low encryption speeds. PUBLIC 12/41

13 4 - Common attack possibilities Encryption Mode The mode in which a cryptographic algorithm is used also determines if any information can be obtained from the cipher text. The mode in which a symmetric encryption algorithm is used defines how different blocks of encrypted data are linked together. For the following discussion basic cryptographic knowledge is presumed ECB The simplest mode is Electronic Code Book (ECB) mode. In this mode every block of plaintext data is directly encrypted with the key, see Figure 4.1. Figure 4.1: ECB Encryption mode[10] The use of ECB mode for disk encryption results in a few weaknesses in a product: Block moving The most important is that there is a one-on-one relationship between the plaintext blocks and the ciphered text blocks. This means an attacker can determine which blocks of encrypted data contain the same plaintext data. Blocks that are identical in encrypted form contain the same unencrypted data. As a result it is possible to move blocks around without it mattering for the cryptographic process. An example is a USB stick that does encryption of the entire data and is thus not readable from the outside. But for user convenience a password hint is kept. This hint is stored encrypted as well, but is decrypted before shown to the user. Moving a secret block to the location of the public hint results in exposure of this hidden information. Content guessing In some cases it is also possible to guess the content of a block by its location or the rate of repetition. For example parts of a file system header are constant and occupy a fixed place. This can help in brute force attacks to validate the output. Code books And finally ECB is also vulnerable to building code books. This means that if the attacker knows the plaintext of a certain block he could look up the key in a pre made database using the plaintext and cipher text. However the size of the keys used nowadays prevents this code book from being built, due to the limited size of the currently available storage possibilities. Due to these limitations this mode isn t very often used for encryption in general. If it is used in disk encryption it is because this mode is the most easy to implement and the way people without real cryptographic background would use an encryption algorithm. PUBLIC 13/41

14 4 - Common attack possibilities CBC Another mode that is commonly used for disk encryption is Cipher Block Chaining (CBC) mode. In this case the cipher text of the previous encryption block is added to the plaintext of the block to encrypt using an exclusive OR operation, see Figure 4.2. Therefore a direct relationship is created between sequential blocks. Figure 4.2: CBC Encryption mode[10] As a result the previous blocks are required to decrypt a block and thus the same plaintext will almost never result in the identical encrypted text. Thus moving around blocks is not possible either as this only produces garbled up data. However a big disadvantage of this mode is that if one block changes all superseding blocks have to be re-encrypted. To prevent the whole disk from having to be re-encrypted if one block changes on an encrypted disk, the disk is formatted in smaller sectors. At the beginning of every sector a known initial vector is used. This way only the blocks after a changed block up to the end of the sector have to be reencrypted if a block is changed. This minimizes the impact on the performance. One important thing when using CBC mode in this way is that the initial vector of a sector should be different for every sector. If not it would be possible to see which sectors contain the same data and the sectors can be moved around just like be ECB mode. Because a sector in CBC mode is much bigger then an encryption block in ECB mode these weaknesses are less urgent for CBC mode then for ECB mode since the information obtained is much less fine-grained. This weakness can simply be prevented by choosing the initial vector for a sector based on the sector number. More encryption modes exist that can be used but they are very rarely seen in the usage of disk encryption. 4.4 Attack the fingerprint authentication Some of the USB sticks included in this investigation use a biometric fingerprint authentication to protect against unauthorized access. Fingerprint authentication is also vulnerable against a number of attacks. For instance Ton van der Putte and Jeroen Keuning describe a simple method for faking fingerprints in [4]. A similar method is described in [2] by Tsutomu Matsumoto, e.a.. Another possible attack against fingerprints that has been proposed is a smart brute force attack on the fingerprint template as described by Umut Uludag and Anil K. Jain in [7]. This attack was able to break the authentication of 160 accounts with an average of 195 tries needed. This would make fingerprint authentication with the described fingerprint reader less secure than 2 character password authentication. In this investigation no attacks on the fingerprint authentication systems have been performed in practice. PUBLIC 14/41

15 5 - Investigated USB Sticks 5 Investigated USB Sticks Fox Crypto made a small selection of the secure USB sticks currently available on the market for this investigation. To find out which secure USB sticks are currently on the market Fox Crypto queried its clients and suppliers and searched the internet. Fox Crypto used the following criteria to do a final selection of the available USB sticks: The USB stick should be zero footprint The global design of the USB stick should look like it can indeed be secure However the investigation also includes some USB sticks that where chosen because of special interest from Fox Crypto s customer in these USB sticks. A large number of USB sticks use the same underlying hardware and software platform. In this case only a small subset of available USB sticks has been chosen. The final selection of USB sticks for this investigation consists of the following sticks: RiTech BioSlimDisk icool RiTech BioSlimDisk v2.0 M-Systems mdrive 500 based o Kingston DataTraveler Elite o Kingston DataTraveler Elite Privacy Edition o Intuix S500 MXI MXP based o MXI MXP Stealth o SafeBoot Phantom Kobil midentity PUBLIC 15/41

16 6 - RiTech BioSlimDisk 6 RiTech BioSlimDisk Ritech International Ltd. produces an USB stick that uses fingerprints to prevent unauthorized data access. There are two different versions of the BioSlimDisk, The BioSlimDisk 2.0 and the icool Edition (See Figure 6.1). Both BioSlimDisks claim to be driverless. The icool ships with software that allows Windows logon using fingerprint authentication and Files/Folders encryption capabilities. This software is optional in use. Another difference between the icool and BioSlimDisk 2.0 is that the fingerprint reader of the icool is a swipe sensor, while the reader of the 2.0 is a normal static fingerprint reader 1. Figure 6.1: BioSlimDisk 2.0 and icool Edition 6.1 The software The BioSlimDisk icool is shipped with software that allows Microsoft Windows logon and file encryption using the BioSlimDisk. The Windows logon functionality is not interesting in this investigation but the encryption feature would be. However the encryption used is only 56-bit blowfish, which isn t considered very secure anymore. Furthermore to use this feature software and a driver need to be installed, so it is not considered zero footprint anymore. Because the USB stick does not rely on the encryption it isn t considered part of the zero-footprint USB stick and is thus not installed for this investigation. The BioSlimDisk 2.0 does not use any software. 6.2 The hardware The hardware of both BioSlimDisks consists of two Printed circuits boards (PCBs), see Figure 6.2. One PCB contains the chips for the fingerprint reader and the other contains the USB controller, flash memory and other chips. Most of the chips are obscured using a resin on top of the chips to prevent the chip brand and type from being read. The pins of the Flash memory are also covered with resin. Both BioSlimDisks have a fingerprint reader and controller from Upek. 1 With a static sensor the finger is placed on the sensor and read out. With a swipe sensor the finger has to be moved over a smaller sensor from top to bottom. As a result no usable fingerprint residu is left on the sensor. PUBLIC 16/41

17 6 - RiTech BioSlimDisk 6.3 Attacks Figure 6.2: PCB of BioSlimDisk 2.0 (left) and icool (right) The most obvious attack is to read out the flash memory raw. This way the BioSlimDisk s biometric access control can be bypassed. The BioSlimDisk doesn t have any cryptography features built into the hardware and thus the data is stored in plaintext in the flash memory. A protection measurement taken against reading out the flash raw is that the pins of the flash memory are covered with resin, see figure 6.3. However this resin can be removed fairly easily using a hot air gun and then scraping it off. Figure 6.3: Resin covered memory chip As a proof known data has been written to the BioSlimdisks. The flash chip was desoldered and read out raw. The same known data could be recovered, proving this attack to be successful. For the BioSlimDisk icool a second attack is possible. The Upek fingerprint controller used in the BioSlimDisk stores the fingerprint templates inside the chip. If the BioSlimDisk wants to authenticate a user to the storage it asks the Upek controller to match the supplied finger to the templates. If there are no fingerprint templates defined in the fingerprint controller the device will enter first-time-enroll mode. The icool has a feature that allows the fingerprint reader to be used for other purposes then just authentication to the disk, by allowing direct access to the fingerprint reader. This mode, called the G+ mode, can be selected by setting a switch at the back of the device. The G+ mode allows direct access to the fingerprint controller. Because of this it is possible to alter or delete the stored templates. By deleting all fingerprint templates in the controller the BioSlimDisk icool will ask the user to enroll new fingers when set to normal storage mode. This allows the attacker to enroll his own fingerprints. Since the data on the flash is not wiped by this action, it also allows the attacker to access all data stored on the device. PUBLIC 17/41

18 6 - RiTech BioSlimDisk Implementing this attack is fairly easy. A program was written that deletes all fingerprint templates in the connected Upek fingerprint reader. Using this program every BioSlimDisk icool can be compromised within a minute without having to open up the device. 6.4 Summary and conclusion The Ritech BioSlimDisk 2.0 and icool are both USB sticks that use a fingerprint scanner for authentication to the information stored on the device. The BioSlimDisks can be used with a zero footprint, meaning that no drivers have to be installed. The important chips of the BioSlimDisk are covered with a resin to obfuscate the type of chip. Also the pins of the flash chip are covered with resin to prevent desoldering. However the resin can easily be removed using a hot air gun and then scraping it off. By reading the flashes raw using a flash memory reader it is proven that the data on the flashes is unencrypted. Because the data in the flashes is not encrypted Fox Crypto does not regard the USB stick as secure. The raw reading of the flash is something that anybody with a little bit of electro technical background and a steady hand can do. The resin that should prevent desoldering the flash does not work at all and can easily be removed. The BioSlimDisk icool is even less secure because the fingerprint controller can be accessed from the host computer. This allows an attacker to manipulate the fingerprint templates and therefore gain access to the device without having to take it apart. Both these devices are thus considered totally inadequate in protecting data from an attacker. 6.5 Vendor s comment Literal comment by the vendor received on 26 October 2007: Comments of Ritech to Fox-It report In response to Fox-it report review, two Bioslimdisk models are evaluated, Bioslimdisk icool and Bioslimdisk1.1 where both editions are discontinued products of RiTech. icool edition allows users to set the entry level of security and the type protection depending on how it was utilized. If device is set to G+ mode, it provides users with a convenient method to manage simple applications, when needed; users can utilize the Storage mode for higher security without installing G+ software. On the subject of G+ mode, 56bit Blowfish encryption can be used to encrypt data on PC and there was no clear evidence that it can be hacked. The BioSlimDisk1.1 which was also reviewed on Fox-it report represents the earliest versions of RiTech first developments which had been discontinued since 2005 and was marked EOL. Fox-IT failures to recognise that these devices are obsolete and tests conducted on these devices are irrelevant. Today, RiTech has a line of BioSlimDisk products made available to the public. Bioslimdisk2.0 is just one of a few models from Ritech, developed as a basic edition providing users with the most basic protection (fingerprint protection) meet the needs for level-1 basic protection i.e. for an average user with simple day to day protection when data is on the move. With a low-entry encryption it is difficult to avoid people with malicious intention who have sophisticated equipments and good electronics soldering knowledge. So we always recommend the use of free encryption programs like true crypt or PGP to encrypt data then store into the Bioslimdisk2.0 for added protection. Overall, Bioslimdisk2.0 is still a safe device to use for average users and still the only device that does not require software intervention or driver support. You can plug into anything that has a USB-port; it even works with projectors, monitors or LCD-TV that has a USB-port, thus, making it the one and only true multi-platform device available in the market till today. RiTech also offers a professional edition that is designed to use in highly sensitive environments; it is available for users who demands higher security. The Bioslimdisk Signature is developed for users who require level-2 security i.e. for professionals who need ultimate protection to store sensitive corporate information up to restricted/confidential data. Signature is equipped with AES-128bit hardware encryption, dual-fingerprint capabilities and tamper-protection capabilities which prevents malicious attacks from an intentional hack. It is purely designed and developed for governmental departments or corporate institutions who do not desire a product that runs on software or installing any 3 rd party application prior to fingerprint enrollment. Signature enrolls and verifies fingerprint solely on hardware, encrypt/decrypt on hardware, thus preventing exposure to remote software attacks. You will never know what is running behind the software when you double click on an *.exe file. PUBLIC 18/41

19 7 - M-Systems mdrive 500 based 7 M-Systems mdrive 500 based M-Systems developed a secure USB stick called the mdrive 500. The mdrive 500 uses hardware encryption and a password for authentication. Due to the hardware encryption the USB stick can reach very high transfer rates. M-Systems does not sell the mdrive 500 USB sticks itself, but sells the hardware design and software as OEM to other USB stick manufacturers. Products that are based on the M-systems mdrive 500 include: Kingston DataTraveler Elite Kingston DataTraveler Elite Privacy Edition Intuix S500 Disgo Pro and Disgo XKey Lenovo USB 2.0 Memory Key (ex IBM) Verbatim Store n Go Corporate Secure USB Drive Most of these USB sticks use the default mdrive hardware and software only modified in its appearance. Only the Kingston DataTraveler Elite Privacy edition uses different software and behaves different from the rest of the sticks. It is suspected that this drive is based on the mthrust framework, which is build on the mdrive hardware[11]. In this investigation the following mdrive 500 based USB sticks are examined: Kingston DataTraveler Elite Kingston DataTraveler Elite Privacy Edition Intuix S500 Figure 7.1: Intuix S500 and Kingston Datatraveler Elite The Kingston DataTraveler Elite and Intuix S500 have been chosen for their availability. The DataTraveler Elite Privacy Edition is chosen because its difference in behavior. Although the other mdrive 500 based USB sticks are not investigated, it is likely that any weak points found in both the Intuix S500 and Kingston DataTraveler Elite will also apply to the other mdrive based USB sticks. 7.1 Features The M-Systems mdrive 500 uses a password and data encryption to prevent unauthorized access to the user information. The Kingston DataTraveler Elite and the Intuix s500 allow the user to have a public and a private zone. The private zone is encrypted with AES-128 and is only accessible with the correct password. The Kingston DataTraveller Elite Privacy Edition only has a private zone and has a public readonly zone which contains the software for the device. The password on the Kingston DataTraveler Elite and the Intuix s500 can be anything from one up to sixteen characters. The Kingston DataTraveller Elite Privacy Edition requires the password to be at least 6 characters long and contain lower case letters, upper case letters and numeric numbers or special characters. PUBLIC 19/41

20 7 - M-Systems mdrive 500 based The drive has password brute force protection in hardware. This locks out the user if the password is entered incorrectly more times then a predetermined limit. If this happens, the drive can only be reused by reformatting the private zone. The password try limit of the Kingston sticks is set to 25 times and is times for the Intuix s The software M-Systems developed two software applications called KeySafe+ and MyKey to interact with the mdrive 500 USB stick. The KeySafe+ can unlock a private zone, reformat a device and change the password for a device. MyKey can also lock and unlock the device but offers some extra file synchronization and drive personalization option. Both the Intuix S500 and Kingston DataTraveler Elite ship with this software, although Kingston renamed the KeySafe+ application to TravelerSafe+ and the MyKey application to MyTraveler. Kingston also changed the user interface to meet the Kingston company style. The Kingston DataTraveler Elite Privacy Edition uses a software application called DTE_privacy_launcher instead of the TravelerSafe+ and MyTraveler applications. This application only allows (un-)locking of the disk and changing the password. In the next two paragraphs the working of the two applications, KeySafe+ and DTE_privacy_launcher, will be discussed. The working of the TravelerSafe+ is equal to the KeySafe+ software and will therefore not be discussed separately. The MyKey and MyTraveller software is not discussed because it doesn t provide any major new security features on top of the KeySafe+ software KeySafe+ The KeySafe+ application is a standalone application that doesn t require installation. Although it does copy itself to the user Document and settings folder when run to prevent the executable from becoming inaccessible when the private zone is mounted. The KeySafe+ software can perform three actions: - (un-)lock the private zone - Change the password - Format the device into a new public and a private zone. Figure 7.2: KeySafe+ disk format screen If you connect the mdrive USB stick for the first time the software will request the user to format the device. Figure 7.2 shows a screenshot of the format window. Formatting is done be selecting the size of the private zone and setting the password and hint. Once the device is formatted the user can unlock the 1 This was not documented by Intuix but was found by trial-and-error. PUBLIC 20/41

21 7 - M-Systems mdrive 500 based device using the unlock screen shown in figure 7.3. The unlock windows also allows the user to trust the current computer DTE_privacy_launcher Figure 7.3: KeySafe login screen The DTE_privacy_launcher application is a single executable that is, together with the manual, included on a read-only CD drive emulated by the USB stick. The DTE_privacy_launcher can: - (un-)lock the private zone - Change the password - Reformat the device The first time a Kingston DataTraveler Elite Privacy Edition is used the software will ask for some information about the owner, a password and a hint. The owner s information is optional and is only useful to identify the owner of a stick. The password is used to protect the information on the USB stick. The software requires it to be at least 6 characters long and contain lower case letters, upper case letters and numeric numbers or special characters. The hint can be used to store a hint about the used password. However the hint may not contain the password itself or something very similar. If an already initialized Kingston DataTraveler Elite Privacy Edition is inserted into the computer the DTE_privacy_launcher will only allow the user to unlock the stick or reformat it, see figure 7.4. Reformatting at this stage means that the user can set a new password without knowing the old one and all data already on the device will be lost. Figure 7.4: DTE_privacy_launcher unlock screen If the Kingston DataTraveler Elite Privacy Edition is unlocked the DTE_privacy_launcher will reside in the Windows systray. Figure 7.5 shows a screenshot of the tray icon with action menu. From here the software allows the user to change the setting like password and username, reformat the device which deletes all data and lock the private zone. PUBLIC 21/41

22 7 - M-Systems mdrive 500 based 7.3 The hardware Figure 7.5: DTE_privacy_launcher systray menu All mdrive 500 based USB sticks use the same hardware board within the USB stick. Figure 7.6 shows the mdrive 500 PCB. The PCB contains 3 basic components: - The mdrive 500 controller - 2x flash memory chips Figure 7.6: mdrive 500 Hardware (front + back) The two flash memory chips are connected separately to the mdrive 500 chip. This is probably done to be able to access the two flash chips in parallel to increase read/write speed. Interesting details are the two copper headers on the side of the PCB next to the flash memory chips. These headers are connected to the flash memory chips and are probably used in the fabrication of the USB sticks for testing. 7.4 Attacks Brute force the user password Because users in generally choose insecure passwords and the MyKey software doesn t put any constraints on the password, it is attractive to do a brute force attack on the user password. M-Systems foresaw this kind of attack and added an invalid password try counter. This causes the stick to lock when the password is entered incorrectly a limited number of times. Due to the anti brute force measure it isn t possible to do an online brute force attack. However, as discussed in chapter 4.2, if it would be possible to obtain the device configuration it might be possible to PUBLIC 22/41

23 7 - M-Systems mdrive 500 based bypass the online brute force protection or do an offline brute force attack. In case of the mdrive there are a number of possible options to store the configuration: - In the mdrive controller chip - On the flash - Encrypted on the flash and the key is also stored somewhere on the flash or is derived from some value stored on the flash. - Encrypted on the flash with a key that is burned into the mdrive controller chip at fabrication. The key is only known at fabrication time and will never leave the mdrive controller chip. To find out where the configuration is stored, the flash memory was read out raw. By making an initial reference copy of the flash, performing a bad password try and finally make second copy of the flash the location of the invalid password try counter could be determined. By comparing the different read out it was found that the invalid password counter is stored encrypted on the flash memory. Because the invalid password counter is stored on the flash memory it should be possible to reset the counter to an earlier value by writing an old copy of the flash back to the flash. In practice this is a very unpractical attack, because this would mean that after (maximum password tries 1) password tries the flash has to be desoldered, written and re-soldered on the USB stick. In case of the mdrive this even means that both flash chips have to be desoldered since the data is spread over both flashes. This makes this attack unpractical. A better alternative would be to prevent the device from updating the invalid password try counter. This can be done by making the flash memory read-only. To make a flash read-only the write enable pin should be pulled to a logical low level. Figure 7.7 shows a Kingston DataTraveler Elite from which the write enable pins on both flashes are attached to ground. With this setup the USB stick could be read, but as soon as it was written it crashed. This is probably because the device will notice that the writing of the data failed and will try again until it succeeds. Now when an attempt is made to unlock the device with an invalid password, it hangs. However when it is unlocked with the correct password, it hangs as well. So apparently the invalid password counter is also written on successful login to reset it to zero even if it is already zero. Since there is no way to see the difference between a successful unlock or an unsuccessful one this attack failed. Figure 7.7: mdrive with Flash memory write enable pins connected to ground By comparing the raw read outs of multiple Intuix and Kingston devices it was found that the maximum password try is stored unencrypted on the flash memory. The first flash chip contains two identical blocks that contain the basic unencrypted configuration of the device like the name and serial number of the device. This section also contains a value that is always equal to the maximum password try of the device. From the raw dumps it was not possible to determine how large this value can be or if it is possible to disable the brute force protection at whole. If it is not possible to disable the brute force protection then most likely the maximum password try can be increased to around 4.3 billion. This would still limit the attack to try every password from 0 up to 5 characters with a reduced character set. This attack has not been tried in practice. PUBLIC 23/41

24 7 - M-Systems mdrive 500 based The best way to brute force the password is still to find out the method of verification of the password. The most likely case is that a hash of the password is stored somewhere in the flash and the password is checked against that hash. However due to the limited time and the tremendous amount of work and time needed to read out the whole flash, Fox crypto has not determined where and how it is stored. Even though Fox crypto did not succeed in this kind of attack, it is not unlikely that with some more time and resources this attack will work. And even if the attacker fails to implement such an attack, someone else can still implement it in the future. In that case if the attacker still has a copy of the raw flash disks, he will still able to perform the attack and retrieve the data. Note that even if one of the attacks discussed in this paragraph would succeed there is still a simple counter measure. By choosing a strong enough password it will be impossible to brute force the password within a normal time frame. The Kingston DataTraveler Elite Privacy Edition has such a restriction on the password, making it more resistant against these attacks. However the minimum of 6 characters enforced by the software could still be considered too weak. If a verification algorithm like SHA-1 is used, all possible passwords up to 6 characters long can be tried in just 2.5 days with a Pentium GHz. A minimum of 8 characters is preferred Cracking the encryption algorithm used The mdrive uses 128-bits AES in ECB mode. The whole device is encrypted, including the public zone. But the flash memory also contains a small block of basic unencrypted device configuration. By analyzing this unencrypted block it was found that the key used to encrypt the public zone is stored in this section. Due to the way the information is stored at the lowest level on the mdrive, knowledge of this key did not directly allow decryption of the public data. The cause of this is the limited time for investigating the definitive mapping between the separate flashes located on the USB stick. It is possible though, because of the use of the ECB encryption mode, to check that this key actually decrypts the public section. Using this technique and by writing repeating patterns to the public and private zone, the use of most of the data could be determined. However at the beginning of the flashes there is some encrypted data that is not encrypted with the key for the public data but also doesn t contain the private zone data. Possibly this is firmware for the controller, but with what key this data is encrypted could not be resolved. So we can conclude that because the secure AES algorithm is used it is not possible to crack the encryption algorithm, but because of the way the algorithm is used a lot of information about the data can be recovered by analyzing the encrypted data. 7.5 Summary and conclusion The mdrive 500 is a secure USB stick developed by M-Systems that uses password authentication and hardware encryption to prevent unauthorized access to the user data. The mdrive also has a brute force protection which limits the amount of sub sequential invalid password tries. The mdrive USB sticks are not sold by M-Systems directly but are sold by various third parties under different names. The mdrive based USB sticks looked at in this investigation are the Intuix S500, Kingston DataTraveler Elite and Kingston DataTraveler Elite Privacy Edition. The Kingston DataTraveler Elite Privacy Edition differs from the standard mdrive 500 based USB stick in the fact that it uses other software, enforces password constraints and doesn t have a writable public disk section. Fox Crypto did a number of attacks but failed to retrieve the information from the device. Table 7.1 shows the different possible attacks that were identified by Fox Crypto and if this attack has been performed successfully. Attack Verdict Comment Reset Invalid password counter by writing back old memory copy Not possible Unpractical, This is very slow plus the flash or PCB will probably break after a while. Make the Invalid password counter read-only Not possible Because the device crashes on every login, successful or unsuccessful, it is not possible to detect a successful login. Adjusting the maximum password try In theory Not tried but might be possible if the maximum password try if it can be set to infinite. Attack can be PUBLIC 24/41

25 7 - M-Systems mdrive 500 based Offline brute force attack on password In theory prevented by choosing a strong password. The Kingston DataTraveler Elite Privacy Edition suffers less from this attack due the constraints put on the passwords. Not successful due to limited time. But might be possible in the future. Attack can be prevented by choosing a strong password. The Kingston DataTraveler Elite Privacy Edition suffers less from this attack due the constraints put on the passwords. Brute force attack on crypto Not possible Practically impossible because it will take more then a lifetime to crack. But used encryption mode does leak a lot of information about the data. Table 7.1: Attacks and results against the mdrive based USB sticks It can be concluded that although no data was retrieved from this device during this investigation, too many weak point are present to conclude that this device is the most secure. The strength of the encryption is totally based on the password strength of the user. Especially the fact that the device uses ECB mode encryption makes it too easy to determine with some more research where the password resides. This makes an offline brute force attack on the password immediately possible. PUBLIC 25/41

26 8 - MXI MXP Stealth and SafeBoot Phantom 8 MXI MXP Stealth and SafeBoot Phantom The MXP Stealth from MXI security is a secure USB stick that can use a password, fingerprint or both for authentication to the user data. The user data is stored encrypted on the USB stick. The Stealth performs encryption in hardware. The Phantom from SafeBoot uses the same hardware as the MXP Stealth. However the software has been esthetically modified by SafeBoot. The rest of this chapter will speak of the MXP Stealth, but because the hardware of the MXP Stealth and the Phantom are identical this also applies to the Phantom. If this is not the case the differences will be indicated. 8.1 Features Figure 8.1: MXI MXP Stealth and SafeBoot Phantom The MXP Stealth allows up to five users to be defined on the device. Each user can have its own private disk zone. Further more there can be one public disk zone configured. There are two user privilege levels. General users can only unlock their private zone and change their password/fingerprint. Administrators can also manage the users and device settings. The MXP Stealth allows three forms of authentication: password, fingerprint and two factor authentication combining password and fingerprint. The device has built-in anti brute force protection which locks a user when the maximum amount of password or fingerprint tries has been superseded. If password authentication is used the password must be between the 4 and 40 characters but there are no constraints on the characters used. To prevent unauthorized access to the private zones the data is stored encrypted using the AES algorithm in Cipher Block Chaining Mode (CBC) with a 256-bits key. 8.2 The software The software for the MXP Stealth consists of two main programs, an unlock tool for the users and a management console. The unlock tool, shown in figure 8.2, is a simple tool that can only unlock the stick for a given user using a fingerprint and/or a password. PUBLIC 26/41

27 8 - MXI MXP Stealth and SafeBoot Phantom Figure 8.2: MXP Stealth unlock tool, Fingerprint (left) and password authorization (right) The management console can be used to unlock the stick and change settings of the stick. The options that can be changed with the management console depend on the user level of the user. If the user is a normal user the management console only allows the user to unlock the stick, change its authentication data and view device information. If the user has administrative rights the management console allows the user to perform the following functions: Add and remove users Change user information Change other users authentication data Change anti brute force limits Manage disk partitions Change the False accept rate of the fingerprint sensor Changing of the user authentication data always requires the old authentication data of that user. The Management console also allows the device to be recycled. This means that the device is reset to factory default. To recycle the device a special recycle code is required which can be configured the first time the device is connected to a management station. Figure 8.3 shows a screenshot of the management application. Figure 8.3: MXP Stealth management software The software of the SafeBoot Phantom is functionally identical to the MXP Stealth. Only the graphics and the names used have been changed. 8.3 The hardware The MXP Stealth has the most complicated hardware design of all USB sticks discussed in this report. The USB stick consists of two PCBs connected with a small connector as shown in figure 8.4. The top PCB PUBLIC 27/41

28 8 - MXI MXP Stealth and SafeBoot Phantom contains the fingerprint sensor, the fingerprint processor, status LEDs and a serial memory. The bottom PCB contains the USB connector, an ARM microprocessor, a custom ASIC, an EEPROM+SRAM combo chip, an ATA to flash converter chip and the flash memory chips. Figure 8.4: MXP Stealth PCBs, top PCB (top) and bottom PCB (bottom). The ARM microprocessor is the heart of the USB stick. The processor is an ARM-based microprocessor with a built-in high speed USB flash memory controller and IDE controller. The processor does not have any built-in ROM memory. For storage of the firmware the externally connected EEPROM+SRAM combo chip is used. This chip also provides extra RAM for the processor. The fingerprint sensor and fingerprint processor are made by Upek. The sensor used is a swipe sensor. The fingerprint processor can match fingerprints internally and can store the templates of the enrolled fingerprint inside the chip. The Upek chip is connected to the ARM microcontroller using a serial communication interface. The USB stick also contains an ASIC chip that is connected to the microprocessor. Because it is an ASIC it is not exactly possible to determine the function of the chip. However it is suspected that this chip is a hardware crypto accelerator. Because the microprocessor doesn t seem to have any hardware crypto functions and is too slow to do encryption at an acceptable speed for USB sticks. The ARM microcontroller does not communicate to the flash memory directly but instead talks ATA to an ATA to flash converter chip. The usage of an ATA to flash chip might seem odd since the microprocessor has a built-in flash controller. However (part of) the hardware design is probably also used in the MXP Outbacker from MXI security. This is a secure USB hard drive unit, which explains the usage of ATA. Furthermore, by not managing the flash directly from the microprocessor there is no need for implementing a patented flash translation layer in the firmware. PUBLIC 28/41

29 8 - MXI MXP Stealth and SafeBoot Phantom Figure 8.5: Scraping off the resin The ARM microprocessor and EEPROM+SRAM combo on the bottom PCB are obfuscated to prevent attackers from discovering the type of the chip. In some, older, versions of the USB stick the obfuscation is done by putting some sort of resin on top of the chips. However, as shown in figure 8.5, this resin can easily be removed with a scalpel after heating it up with a hot air gun. In newer versions of the device the chips are obfuscated by sanding of the print on the top of the chip, see figure 8.6, which indeed makes it impossible to read the chip type information without specialized equipment. Figure 8.6: Chip obfuscated by sanding of the top Most chips on these PCBs, except for the flash memory and the small serial flash on the top PCB, are in the form factor of a Ball Grid Array (BGA). This means that the chips do not have pins on the side that connect to the PCB but are instead connected to the PCB by little pads on the bottom of the chip. This means that it is harder for attackers to listen in on the communication between the chips and to (de-)solder the chips. But as Figure 8.7 shows it isn t impossible to read out a BGA chip. PUBLIC 29/41

30 8 - MXI MXP Stealth and SafeBoot Phantom Figure 8.7: Memory chip soldered for reading One interesting bit about the MXP Stealth is that it doesn t use a plastic casing as all other USB sticks in this report. Instead the MXP Stealth consists of a metal casing that is clipped together. In theory this should make it much harder to open up the device without damaging it, in other words it should be more tamper evident. However we found that in practice the results would vary. Figure 8.8 shows some of the casings opened. The main problem with the casing was that the hooks that should lock the case weren t bent out enough or the weld between the outer casing and inner casing wasn t very strong. Figure 8.8: MXP Stealth casings opened one way or another The MXP Stealth uses the ecos operating system for its firmware. Furthermore the firmware uses the OpenSSL library. Updating of the firmware is possible but is protected to prevent attackers from replacing the firmware with modified firmware. 8.4 Attacks All common attacks for USB sticks as described in chapter 4 were tried on this USB stick. Paragraph describes attacks on the authentication mechanism like brute forcing the device and bypassing the authentication. Paragraph describes attacks on the encryption algorithm used Cracking the authentication mechanism Because the configuration of the device is stored unencrypted in the serial EEPROM on the top PCB of the device it is possible to read and alter it. By analyzing the configuration it was found that the configuration contained the following interesting configuration options: Maximum password and fingerprint tries PUBLIC 30/41

31 8 - MXI MXP Stealth and SafeBoot Phantom User privileges A hash for the password authentication The encryption key in encrypted form for the private zone of the user. This should make it possible to disable the brute force protection for a user, boost user privileges of a normal user to administrator, and perform an offline brute force attack in case password authentication is used by a user. Reading out and altering the configuration in the serial EEPROM isn t a big problem. Because the serial EEPROM is connected to the ARM microprocessor through a connector it is possible to access the EEPROM through the connector. Figure 8.9 shows a setup where the other half of the connector is directly connected to an EEPROM reader. This makes it just a matter of connecting the upper PCB of the USB stick to the connector to edit the configuration. Figure 8.9: Top PCB connected to EEPROM reader through connector Changing of the device configuration allows boosting the user privileges of a general user to administrator. However doing this doesn t threaten the security of the device since the administrator also isn t able to change or remove the password or fingerprint from a user without knowing the old password/fingerprint. Because the MXP Stealth does not force strong passwords by default 1 through the software, it is interesting to do a brute force attack on the password if password authentication is used. By changing the configuration in the serial EEPROM it was found that it is possible to disable the brute force protection. This allows attackers to do an online brute force attack. However because of the limited speed of the USB stick and the overhead of communicating between the attack PC and the USB stick this attack is very slow. Because of its speed an online attack will only be effective against very short passwords or easily guessable passwords. But since the hash data for the password is obtainable and the verification algorithm can be guessed by looking at the length of the hash, it is also possible to do an offline brute force attack on the password. Fox Crypto did some experiments with the password cracking tool Cain & Abel[1] and found that passwords with 7 characters can be cracked in 2.5 years on a Pentium GHz PC using the complete character set. Distributing this attack along 30 PCs would mean that the password can be cracked in one month. If only the basic alphanumeric character set would be used the same computer can crack a password of 9 characters in only 3.8 years, which is also in reach when the attack is distributed. Attacking the fingerprint authentication is more difficult since the information about the Upek fingerprint processor is not publicly available. But with some research it was found that the Upek fingerprint processor uses a serial connection to communicate with the ARM microprocessor. By connecting the data lines to a level shifter, as shown in figure 8.10, it is possible to use a standard computers serial port to listen in on the communication. By doing this it was found that when fingerprint authentication is used, a 1 MXI indicated that for larger clients this strong password enforcement can be installed in the factory. PUBLIC 31/41

32 8 - MXI MXP Stealth and SafeBoot Phantom key is appended to the fingerprint template. This key is probably used to decrypt the disk encryption key. This means that in the case where a fingerprint is used there is no possibility to decrypt the disk encryption key, and therefore the private zone, without either faking the fingerprint or obtaining the key from the Upek chip in another way. Figure 8.10: Serial port connected to fingerprint processor Because the Upek chip stores its templates including payload in an internal non-volatile memory it should be impossible to obtain this data from the chip without the correct fingerprint or very specialized machinery. Fox Crypto could not verify that it is impossible because this requires a full audit on the Upek chip which is outside of the scope of this investigation. Faking the fingerprint hasn t been tried in this investigation. However it is possible to change the False Accept Rate (FAR) of the Upek chip by changing its configuration through the serial interface. Increasing the FAR would mean that the sensor becomes more tolerant when matching a fingerprint against a template. Making it easier to fake or brute force the fingerprint Cracking the encryption algorithm used Reading out the flash memory showed that the data in the flash is stored encrypted. Because the usage of 256-bits AES to encrypt the data, it is impossible to obtain the data from the cipher data without the key. The AES algorithm is used in Cipher Block Chaining Mode (CBC) which is very good for the security, as discussed in paragraph However every sector the algorithm is initialized with the same Initial Vector (IV). This makes it possible to identify sectors with the same data and allows sectors to be moved around. This isn t a very big security issue and can easily be fixed by using an IV based on the sector number. This is a much cleaner solution. 8.5 Summary and conclusion The MXI MXP Stealth and SafeBoot Phantom are based on the same hardware design. These sticks are multi-user USB sticks that use password authentication and/or fingerprint authentication to prevent unauthorized access to a user s data. The user s data is stored encrypted on the device using 256-bit AES in CBC mode. Fox Crypto did a number of attacks and managed to obtain the user data in case the user used the password only authentication method and used a weak password. This was done by doing a brute force attack on the password. In case a fingerprint or strong password was used for authentication the private user data could not be retrieved. In case fingerprint authentication is used all security relies on the security of the fingerprint processor which has not been audited in this investigation. PUBLIC 32/41

33 8 - MXI MXP Stealth and SafeBoot Phantom Table 8.1 shows the different possible attacks that were identified by Fox Crypto and if this attack has been performed successfully. Attack Verdict Comment Disable the Brute force protection Possible Online brute force attack against the password should be possible. But isn t practical due to the limited speed. For biometric authentication it would give more room to play around with fake fingerprints. Boost user privileges Possible Not useful. Administrators aren t able to unlock the private zones of other users. Increase the False Accept Rate of the fingerprint reader In theory Should be possible by changing the fingerprint reader configuration. Not tested. Offline brute force attack on password. Possible Successfully performed this attack. Attack can be prevented by choosing a strong password. Brute force attack on crypto Not possible Practically impossible because it will take more then a lifetime to crack. Table 8.1: Attacks and results against the MXI MXP Stealth and SafeBoot Phantom Not using two-factor authentication with this device, makes the USB stick vulnerable to attack. With fingerprint-only authentication, the key can be extracted from the fingerprint chip by brute-forcing fingerprint templates or faking the fingerprint. Using password-only authentication places the total strength of the encryption of the password chosen by the user. The combination of both adds another layer to the user s password. But still the user s password is the weakest factor. 8.6 Vendor s comment Literal comment by the vendor received on 23 November 2007: MXI Security comments to Fox-IT report findings Section 8.2: The software described that accompanies the Stealth MXP provides standalone functionality that is not intended to be used for enterprise class deployments of our devices. We understand that at the time of the writing of the report that this was the only configuration software available but since then we have released ACCESS Enterprise which is used for enterprise customers wishing to securely manage and control large deployments of these devices. This solution allows additional policies to be set and enforced by corporate administrators. Such policies include minimum password length, password complexity rules, two-factor authentication (biometric and password), the number of finger enrolments, retry limits, and the software loaded on the read-only partition. Section 8.3: The casing issues disclosed in this section have been resolved. Earlier models of the device had some casing issues but since then have been addressed and devices are now certified to FIPS level 2. This level of validation includes physical testing and assures that the enclosures are tamper evident. Section 8.4.1: As stated earlier minimum password lengths and password complexity rules can be enforced using the enterprise solution. We find that the statistics on password cracking using the tools from Cain & Abel are interesting but must be considered with context. It is well known that weak passwords are subject to such attacks, which is why security-aware organizations would normally configure devices with sufficiently long and complex passwords. Regardless of this fact we also note that the tests were conducted using firmware version 4.6. Our latest firmware, version 4.20, has increased the password hashing iteration count by a factor of 1,000 which has the following impact on the quoted statistics if we extrapolate. A 9 character alphanumeric password would now require 3,800 years on the specified PC rather than the 3.8 years. Table 8.1: With respect to the offline brute force password attack we remind people that this is only feasible for weak passwords and would encourage the use of our latest firmware to make such attacks 1,000 times more expensive. Further to this we also encourage the use of our ACCESS Enterprise management software so that strong password policies can be enforced throughout the deployment of devices. PUBLIC 33/41

34 9 - Kobil midentity 9 Kobil midentity The Kobil midentity is a USB Stick and smartcard reader in one USB device. The USB stick contains a read-only public section with the software and a private section for the user data. The private section can only be unlocked using the PIN code of the smartcard inserted in the smartcard reader. The data on the private section is stored encrypted in the flash memory. The key used for encrypting the data is stored in the smartcard. The encryption and decryption of the private data is done by the Kobil software. The midentity comes in four different models: Light, Light+, Basic, Classic. The Light and Light+ are only used as authentication device and don t have storage capabilities. The Basic provide secure storage. The Classic combines the features of the Light and Basic. In this investigation the midentity Basic will be used. 9.1 Features Figure 9.1: The Kobil midentity The private zone of the midentity is protected by the PIN code of the smartcard. The PIN code must be at least 6 characters up to 30 characters long and may only contain numbers. The midentity has an anti brute force protection through the smartcard. This means that if the PIN is entered incorrectly 3 times, the device will lock. It can be unlocked using a PUK code, but if the PUK code is entered incorrectly 3 times, the smartcard is locked permanently and has to be replaced. The encryption used of the private zone is 3DES. 9.2 The software The midentity Basic comes with a simple application that can (un-)lock the private zone and change the PIN. The software resides on the read-only public section of the device. This emulates a CD-rom drive and will automatically launch the software using the Windows autorun capabilities when the midentity is inserted in the computer. When a device is used for the first time the software will ask the user to configure a PIN and a PUK, as shown in figure 9.2. If the device is already configured the device will ask for the PIN. If the PIN is entered correctly the private drive will be mounted. PUBLIC 34/41

35 9 - Kobil midentity Figure 9.2: First time initialization Once the device is unlocked the software will minimize to the Windows systray. From the systray menu it is possible to change the PIN of the device or to lock the device. 9.3 The hardware The hardware of the midentity consists of a single PCB as shown in figure 9.3 and figure 9.4. The heart of the device is a microcontroller with a built-in USB 2.0 transceiver. To support the microcontroller the PCB contains a RAM chip for the working memory and a serial EEPROM chip with the firmware. For the data storage the device contains a flash memory chip. The PCB also contains a smartcard socket to access the smartcard. Figure 9.3: Front side of Kobil midentity PCB Figure 9.4: Back side of Kobil midentity PCB PUBLIC 35/41

36 9 - Kobil midentity 9.4 Attacks Because the key used to encrypt the data on the device is stored in the smartcard it is not possible to obtain the key without PIN code. Smartcards are designed for security and can resist a large variety of attacks. When there is no fundamental flaw in the smartcard used it isn t possible to attack using a limited budget. The smartcard enforces anti brute force measures and prevents tampering with the password try counter. This also means that it is not possible to brute force the PIN code. A direct attack on the encryption algorithm used is also not possible. Although the DES algorithm isn t considered secure anymore, the 3DES algorithm is still secure. As a result there is no way thinkable in the Lost-and-found scenario that would release the private data to an attacker. And thus this makes this device the most secure in this category. 9.5 Side track Does this mean there are no weaknesses in this device? Well for the Lost-and-found scenario there are no methods found to obtain the private data from the device. But aside from that there are still some vulnerabilities that should be considered for this device Possible attack scenario The most dangerous attack perceived by Fox Crypto targets the firmware that is located in the device. If it is possible to replace or alter the firmware located in the device, this can seriously affect the security of the device. The firmware is currently located in the separate EEPROM. By replacing the firmware with an altered one that writes the encryption key to a hidden area it would be possible to obtain the private data in case of an Obtain-return-obtain scenario. Although it would require some time to investigate and understand the workings of the firmware. But once this is done it would be fairly easy to perform this attack Investigation This attack is found to actually be a serious threat for this device, especially when combined with the firmware upgrading capabilities of the microcontroller used. The combination makes it possible to replace the firmware with a new insecure firmware by just inserting the device into the pc (or other USB host like a PDA) owned by the attacker. Fox Crypto did a proof of concept of this attack where the locked and secure USB stick is inserted in a PC and the firmware is replaced without physically tampering with the device. As a result the behavior of the stick is altered so that the LEDs of the device keep burning. This attack can be performed using standard firmware loading tools available in public domain. Figure 9.5 shows an example in which a new firmware is loaded that enables both LEDs of the device. Figure 9.5: Writing a new EEPROM (left) that forces both LEDs on (right) One of the serious dangers of this attack is that an attacker can have long time access to the data on the USB stick. For example an office cleaner could modify the device s firmware. Once the firmware is modified the cleaner can read out all data on the stick whenever he/she has duty. This will be possible as long as there is physical access to the locked USB device and a limited amount of unsupervised time. Changing the password does not stop the attack! This type of attack is also possible on most other USB sticks by altering the software that unlocks the device if the software is run of the USB stick. However the big difference with this attack on the midentity is that all techniques used in the attack are well documented in the documentation of the PUBLIC 36/41

37 9 - Kobil midentity microcontroller used and no physical tampering is required. Furthermore, because the firmware is edited it is much easier to write the encryption key on the USB device without the owner noticing that the encryption key is leaked there. And because the firmware is edited, it is much harder for the owner to validate if the device has been tampered with. 9.6 Summary and conclusion The Kobil midentity combines a smartcard reader and USB stick in one device. By encrypting the flash memory of the USB stick and storing the keys in the smartcard the device prevents unauthorized access to the user data. The private storage can be unlocked by unlocking the smartcard, and is therefore protected against brute force attack through the smartcard. The encryption used to encrypt the private storage is 3DES. Because the usage of a smartcard, which is designed for security, to store the keys it is practically impossible to brute force the PIN code and obtain the secret encryption key. Further more the encryption used for the private storage prevents cracking. This makes Fox Crypto conclude that the Kobil midentity is very secure in case the USB stick is lost and found by an attacker. However Fox Crypto also found that the firmware could easily be replaced with a modified one without opening the device. This could mean that someone could borrow the USB stick for a short moment and replace the firmware with a new one that stores the PIN code to a secret area. After a while when the USB stick is used the attacker could borrow or steal the USB stick again and read all data on the device. It can be concluded that the Kobil midentity is very secure in case of a Lost-and-found scenario. However the midentity isn t sufficiently protected against Obtain-return-obtain scenarios. Kobil is in the process of updating the current version of the midentity to fix the implemented attack. This updated version should be available in Q Vendor s comment Literal comment by the vendor received on 5 October 2007: Update: KOBIL has confirmed that this issue has been fixed as announced and the current version of midentity does not contain this issue anymore PUBLIC 37/41

38 10 - Conclusion 10 Conclusion Fox Crypto investigated eight secure USB sticks and came to the conclusion that not all USB sticks were able to protect against attackers obtaining the data from the device without authorization. With both the BioSlimdisk 2.0 and BioSlimdisk icool edition it was possible to obtain the data by reading out the storage memory directly, bypassing the security mechanism. Because of this both BioSlimdisks are regarded not secure. The BioSlimDisk icool edition is even less secure because the enrolled fingerprints can be deleted after which an attacker can enroll its own. The Kobil midentity did succeed in protecting the private data since it was not possible to obtain the data without the correct authentication information. This makes the Kobil midentity the most secure USB stick in a lost-and-found scenario. One remark for the Kobil midentity is that in a scenario where the device can be obtained, returned to the owner and later on be obtained again the device is not as secure. Since the firmware of the device can very easily be replaced with a modified one that might store the authentication data to a hidden place. So, in case the USB stick is used not only to protect against loss or theft, but against active attackers as well, there is a viable attack possible against this USB stick. In that case the midentity provides less security than the MXI MXP Stealth and the Safeboot Phantom. The Kingston DataTraveler Elite, Kingston DataTraveler Elite Privacy Edition, Intuix S500, MXI MXP Stealth and Safeboot Phantom allow an attack on their password authentication in which the password is guessed (ie. a brute force attack). This makes it possible to obtain the private data in case the chosen password is too simple. For the Kingston DataTraveler Elite Privacy Edition the impact of this attack is smaller since this stick requires users to choose a marginally strong password. In case of the MXI MXP Stealth and the Safeboot Phantom this attack doesn t make the device insecure as long as two factor authentication is used. In addition the password strength can be enforced by the factory. This leaves Fox Crypto to conclude that the tested USB sticks can be ranked for security in case of a normal Lost-and-found scenario in the following order: Secure 1. Kobil midentity 2. MXI MXP Stealth and Safeboot Phantom (With strong password enforcement) 3. Kingston DataTraveler Elite Privacy Edition (If strong passwords are used) 4. Kingston DataTraveler Elite and Intuix S500 (If strong passwords are used) Insecure BioSlimdisk 2.0 and BioSlimdisk icool In case the USB stick should protect against more that simple loss or theft, such as active attackers for the data, the current version of the Kobil midentity is not a valid solution. PUBLIC 38/41

39 Bibliography Bibliography [1] Cain & Abel Homepage, [2] Matsumoto, T. e.a., Impact of Artificial "Gummy" Fingers on Fingerprint Systems, Proceedings of SPIE Vol. #4677, Optical Security and Counterfeit Deterrence Techniques IV, Thursday-Friday January 2002 [3] Nu.nl, Defensie ontraadt gebruik USB sticks, 21 Juli 2006, [4] Putte, T. van der, and J. Keuning, Biometrical Fingerprint Recognition Don't Get Your Fingers Burned, IFIP TC8/WG8.8 Fourth Working Conference on Smart Card Research and Advanced Applications, pages , Kluwer Academic Publishers, 2000 [5] Security.nl, Geheime dienst verliest vertrouwelijke USB stick, 21 January 2006, [6] Security.nl, Defensie verliest weer USB stick met vertrouwelijke gegevens, 2 february 2006, evens.html [7] Uludag, U., and A. K. Jain, Fingerprint Minutiae Attack System. The Biometric Consortium Conference, Arlington, VA, September 2004 [8] USB Implementers Forum, Inc., Universal Serial Bus Mass Storage classs Specifications Overview, June 2003, [9] USB snoopy homepage, [10] Wikipedia, block cipher mode of operation, august 2006, [11] XKey Secure Data Storage, PUBLIC 39/41

40 Glossary Glossary 3DES AES ARM ATA BGA See Triple DES Advanced Encryption Standard; A modern symmetric encryption algorithm Advanced RISC Machines; A microprocessor architecture. Advanced Technology Attachment; Communication interface for hard disk s and other media generally used in desktop pc s. Ball Grid Array; A chip packaging type where the chip is connected to the PCB by a grid of small pads at the bottom of the chip. Bit Smallest possible unit within a computer. A bit can have a value of 1 or 0. Byte CBC DES ECB EEPROM Flash Microcontroller Packaging PCB PIN PUK RAM ROM SCSI Smartcard Transceiver 8 bits Cipher Block Chaining; An encryption mode that chains blocks together. Data Encryption Standard; Old symmetric encryption algorithm that isn t considered secure anymore. Electronic Code Book; An encryption mode that has an one on one relation between the in- an output. Electronic Erasable Programmable ROM; ROM memory chip that can be erased and reprogrammed electronically. A sort of EEPROM. Microprocessor with integrated communication interfaces and I/O ports. The form factor of a electronic chip(ic) Printed Circuit Board; The board on which the chips are mounted within a device and that contains the connections between the chips. Personal Identification Number; Numeric code used by users to authentication. Pin Unblocking Key; Numeric code that can be used to unblock the PIN if it has been blocked. Random Access Memory; Memory for volatile data that loses its content when powered down. Read Only Memory; Memory for non-volatile data that keeps its content when powered down but can not be written. Small Computer System Interface; Communication interface for hard disks and other media generally used in servers and used for USB Storage devices. Card with embedded microcomputer, for instance used as bank card or telephone card. Combined transmitter and receiver. PUBLIC 40/41

41 Glossary Triple DES USB Word Encryption algorithm that combines three runs of the DES together to get a larger key space. Universal Serial Bus; Serial interface to connected devices to a computer. 2 Byte PUBLIC 41/41