It's been a while since I did a security review for my site, so I was quite interested when the people at the Dutch site Tweakers.net asked me if I could take a look at the security of the iStorage DiskGenie. Since my previous reviews, I've learned a bit more about hacking microcontrollers and since I was keen on finding a subject to try my newfound skills on, I decided to agree to have the device sent to me.
The DiskGenie came in a fairly standard cardboard box. The device comes in various sizes; as you can see, I've got the 250G version.
Unpacking, part 1. The disk is delivered with a pouch and a Y-split USB-cable for PCs which can't deliver the needed voltage on one single USB-port. The disk itself is quite nice to look at: the enclosure is made of a rubbery plastic which doesn't leave any fingerprints. It reminds me of the lid of my ThinkPad laptop.
The enclosed leaflet is a nice intro to how the drive works, with more info obtainable in the full manual. Basically, the disk is shipped with the default password being '123456'. Enter that, press the unlock-key and the disk becomes readable. To change the password, you have to enter a special administration mode by holding two keys and entering the old password, followed again by the unlock-key. When you want to unlock the disk, you get 50 tries. After that, you have to enter a special code (described in the manual) and then you can try for another 50 times. After that, the disk locks up and you can only reset it, erasing all the data on the disk. To make things even more irritating for a wannabe brute-forcer, every 6 tries the disk has to be un- and replugged. To give feedback to the user, there's an RGB LED that lights up in different colours to indicate the mode the drive is in. It can also blink to indicate e.g. the password is wrong.
One of the nice things, by the way, is that this disk is completely OS-agnostic: the manual has partitioning and formatting instructions for Windows and Mac OSX, but I could get it to work under Linux with no problems whatsoever. This means I don't get to do any disassembly of x86 programs but have to look into the hardware to see how secure the thing is.