Backdoor suspected in Verbatim's crypto NAS
When testing NAS systems with integrated encryption, The H's associates at heise Security found an unexplained second key in Verbatim's PowerBay Databank – the vendor has been informed, but has so far declined to comment.
Although the tester had only assigned one password, an analysis of the administrative data in the partition header showed that the system had defined two keys. Verbatim uses the Linux Unified Key Setup (LUKS) encryption standard, which allows the definition of multiple passwords that will then unlock the master key for decrypting the hard disk. When testing comparable systems by other vendors, only one password showed up as expected. The findings suggest that Verbatim adds another key as a precautionary measure – for instance in order to help customers who have lost their passwords.
However, no reference to a secondary key could be found in the documentation. An enquiry to the vendor about this peculiarity has gone unanswered. A week ago, the press office confirmed that the request had been received and said that it would try to provide an answer. At the time of writing (1 August) no further response from Verbatim has yet been received.
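The kind of header check described above can be reproduced by an owner auditing their own disk. The following is an added example, not code from heise Security or Verbatim; it assumes the LUKS version 1 on-disk header layout, and the function names and the sample header are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED = 0x00AC71F3    # LUKS1 marker for a key slot that is in use
SLOT_DISABLED = 0x0000DEAD   # LUKS1 marker for an empty key slot
SLOT_TABLE_OFFSET = 208      # size of the fixed fields before the slot table
SLOT_SIZE = 48               # state, iterations, salt[32], offset, stripes
NUM_SLOTS = 8
HEADER_SIZE = SLOT_TABLE_OFFSET + NUM_SLOTS * SLOT_SIZE  # 592 bytes

def active_key_slots(header):
    """Return the indexes of enabled key slots in a LUKS1 partition header."""
    if len(header) < HEADER_SIZE:
        raise ValueError("header truncated: need %d bytes" % HEADER_SIZE)
    if header[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    (version,) = struct.unpack_from(">H", header, 6)
    if version != 1:
        raise ValueError("only the LUKS1 layout is handled, got %d" % version)
    active = []
    for i in range(NUM_SLOTS):
        state, _iters, _salt, _offset, _stripes = struct.unpack_from(
            ">II32sII", header, SLOT_TABLE_OFFSET + i * SLOT_SIZE)
        if state == SLOT_ENABLED:
            active.append(i)
        elif state != SLOT_DISABLED:
            raise ValueError("slot %d has unknown state 0x%08x" % (i, state))
    return active

def surplus_keys(header, passwords_assigned):
    """Number of enabled slots beyond the passwords the owner assigned."""
    return len(active_key_slots(header)) - passwords_assigned

def build_sample_header(enabled):
    """Constructed test header: fixed fields zeroed, only slot states set."""
    fixed = LUKS_MAGIC + struct.pack(">H", 1)
    buf = bytearray(fixed.ljust(SLOT_TABLE_OFFSET, b"\x00"))
    for i in range(NUM_SLOTS):
        state = SLOT_ENABLED if i in enabled else SLOT_DISABLED
        buf += struct.pack(">II32sII", state, 0, bytes(32), 0, 0)
    return bytes(buf)

if __name__ == "__main__":
    # Constructed case matching the report: one password set, two slots in use.
    sample = build_sample_header({0, 1})
    print("active slots:", active_key_slots(sample))
    print("keys not assigned by the owner:", surplus_keys(sample, 1))
```

On a real volume the input is the first 592 bytes of the encrypted partition; `cryptsetup luksDump` reports the same slot states.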