In association with heise online

Who would have expected that decryption would be so easy? Indeed, the bar is so low that even novice attackers will have no trouble getting over it. When decryption is possible at the lowest block level, any possible security provided by the RFID chip becomes completely worthless, so we didn't conduct any further tests.

heise Security has since received a statement from Innmax, the manufacturer of the IM7206 controller chip used, confirming our findings. The IM7206 uses AES encryption only when saving the RFID chip's ID in the controller's flash memory. The company explained that the actual data encryption is based on a proprietary algorithm. The company claims the IM7206 only offers basic protection and is designed for "general purpose" users. In contrast, the more expensive IM8202 controller chip is being designed for users with greater security requirements; they claim it will offer true 128-bit AES encryption for data – but the chip is still in the development phase.

Hard drive enclosure manufacturer Drecom also confirmed our findings and is busy working on a solution. Easy Nova product manager Holger Henke says that the incorrect label "128-bit AES Hardware Data Encryption" on the Data Box PRO-25SUE was the result of Innmax's misleading wording of its controller specifications. Henke says that a new Easy Nova case could be released by the end of the year with the improved IM8202 controller. For the time being, the company says it will continue to market the current module as providing "simple encryption."

The Easy Nova product isn't the only hard drive enclosure on the market that uses the IM7206. You should assume that other products based on the controller also suffer from the same flawed encryption. The following crypto hard drive enclosures also use the IM7206 and are therefore likely to be vulnerable to the same attacks:

These manufacturers have been alerted, but we have yet to receive replies from them.
