Do you like my hacking? If so, please consider leaving something in the
Fediverse (Mastodon etc): @Sprite_tm@social. spritesmods.com
And again, it seems that some manufacturers don't even have a basic sense of security. The BIO-250U has a reason for that: as I stated in my previous review, it's almost impossible to do a fingerprint-scan leading to the unlocking of a drive in software without introducing serious security flaws, and the meagre 8-bit processor contained in the enclosure just isn't powerful enough to do fingerprint-matching. Given this hardware, this solution was the best the engineers could do, and as long as you see the HD as a gadget or toy, it is enough.
The iUSBs failure to keep its data secret is way worse, though. Strong encryption using a password and software-based authentication and decrypting is something that was perfected a long time ago: free software like TrueCrypt, LUKS and many others have implemented it securily. Therefore, it is inexcusable that a device for which you pay extra has this kind of hole in its security. To give an indication of how secure both devices are: it's almost trivial to create a downloadable program which anyone could use to get to the 'secret' data on both HDs
The conclusion of this hacker: If you're interested in the gadget-ness of a fingerprint-unlockable HD, you can consider the BIO-250U. While it isn't secure by a long shot, I can understand that using your finger to unlock your data at least is interesting. If you like the iUSB because of its looks, its price or its backup features, go ahead and buy it. If you're looking for something even a tiny bit secure, though, buy a standard USB-drive and use something like TrueCrypt. It isn't perfect, but at least it won't reveal your data by flipping one byte in memory.
I'd like to thank Bjorn Heirman from mobile-harddisk.nl, the shop selling these (and many other) USB harddisks for offering me these HDs and allowing me to publish the results.
« Prev 6
8 commentsHuh. I was a bit surprised reading the comments here - I found the instructions regarding the partition table hack to be completely clear and easily understandable. I suppose I probably know more about the subject than most though, having played around with that stuff when I was a kid (while I was still on DOS, no less - using Turbo Pascal and real mode interrupt calls - nowadays, in Linux, things like what was described is trivial with standard tools). Still, anyone more than just idly interested really shouldn\'t have any trouble figuring it out, IMO...
C'mon, I'm not trying to create a howto to cracking the devices here. It's sufficient to say that if the drive sees an empty partition table when it's powered up, it'll disable all protection measures, even if the 'protected' data still is on-disk. Because the partition table is writable at all times, that's a huge security gap.
His Linux instructions are vague.. I think he is reverting to a pre-warp (Windows-only) phase :( anyway he uses: http://www.ollydbg.de/ on Windows.
Can you elaborate a bit more on how your friend got around the drive in linux? The way you put it is really unclear (or is that intentional?) Also, what debugging suite do you use? I want to try my u3 based flash drive (which I wiped so I can use it as a normal drive).
Nice job! I always see USB enclosures like this that advertise security. It's almost pathetic how so many use simplistic hardware with a "Windows Application" - I myself use BSD and Linux.
Excellent work! Glad to see some of this shoddy engineering being exposed to sunlight. Found your article from the slashdot.org firehose. Mike
Well, companies only want to sell, so they want to make the disks look secure, not actualy be secure. This is all marketing.
It's nice to know at least one vendor is honest. Yay, mobile-harddisk.nl!