Comments

Chris December 8, 2011 2:05 PM

Though there is some kind of override as you can have the code reset by returning it to the manufacturer…

Sean December 8, 2011 2:13 PM

“the Crypteks can be sent back to its maker to have the code reset.”

So who’s gonna be the first to figure out how to disassemble it?

Justin Bowler December 8, 2011 2:19 PM

Cool — although it somewhat violates the principle of a real cryptex.

The idea is supposed to be that you can pass a secret down through generations. This device is probably worthless in 20 years — and its secrets lost forever.

Imagine a version invented in 1995 that plugged into your parallel port…

Chris December 8, 2011 2:30 PM

I’ll admit it looks pretty, but it seems obvious to me that the description is sort of backwards: “If isn’t enough, it offers 256-bit AES”

I can’t imagine the combination lock would survive more than about an hour against a determined hack saw. Assuming they did a decent job of the “bonus” 256-bit AES that will increase the hour to well after nobody remembers what USB was.

John Thurston December 8, 2011 2:32 PM

{Chuckle} Housed in an aluminum case? I don’t need to spin the rings to open it. Give me a hack-saw blade. If I can’t find one of those, I’ll just grind it open on a curb.

If there are no negative consequences for attempted violent entry, it had better be really tough.

Clive Robinson December 8, 2011 2:53 PM

@ Justin Bowler,

“Imagine a version invented in 1995 that plugged into your parallel port..”

I don’t have to imagine, for my sins I have a lot of “old kit” I still use, including software from the late eighties / early 90’s. In one case it’s for PCB manufacture that still has “Parallel Port Dongles” to prevent unlicenced use…

The fact that the company is no longer in existence and can’t provide a replacement dongle should the two I’ve got go wrong, means I’ve had to reverse engineer it.

I had two choices, reverse engineer the hardware or the software, at the time it was easier for me to reverse engineer the hardware (it’s based around a 1Kbit E2PROM) so my two official dongles are locked in the fire proof safe, whilst my unofficial “dongle and parallel port” replacement for the AT Bus is doing sterling service.
And yes I’ve made a USB version now it looks like I might well have future problems getting hold of an AT Bus compatible replacement computer motherboard…

The stupid thing is I should just have reverse engineered the software fifteen or twenty years ago, it would have saved me a lot of time in the long run.

But then I’ve always got a hardware kludge somewhere to support some customer I did a design for who will come back for a change, it’s why I still keep my Apple ][e.

Dirk Praet December 8, 2011 3:01 PM

Kinda steep pricing. They should make a deal with Thinkgeek where it would be a guaranteed success.

I am however missing the mechanism that will destroy the contents if the wrong combination is used. Not sure if vinegar would do the trick.

Anton December 8, 2011 3:03 PM

Reminds me of the lockable canister in Dan Brown’s ‘Da Vinci Code’ which dissolves the piece of paper it contains with acid if it is broken by force.

[cr|h]acker December 8, 2011 3:55 PM

“I can’t imagine the combination lock would survive more than about an hour against a determined hack saw.”

Good guys use hack saws.

Bad guys use crack saws.

bcs December 8, 2011 5:27 PM

I think that would take about 20 seconds to open with the right saw. And if you can figure out what combination it was set to you can even put a new one back together with the same combination.

Mike Rose December 8, 2011 6:17 PM

Can anyone explain to me how hardware encryption on USB drives provides any additional security over just using software encryption?

Security theatre at its finest.

trapspam December 8, 2011 7:36 PM

Any type of ring lock is going to have play in the rotation and some slack in the physical play. Moderately to crack the combination with physical leverage at time of rotation of each ring. Remember bike and chain locks?

MeMyselfAndSomeOtherPeople December 8, 2011 9:34 PM

If only the physical ‘unlocking’ of the rotational part did something to actually activate the AES part. Such that without actually doing the right physical combination the ‘hardware’ AES key is destroyed kinda thing. You would still need the AES key to be input correctly – but if you didn’t do the physical lock right you would be screwed.

hiddnhdd December 9, 2011 2:45 AM

I’d rather protect all my data with something far more sexy and exciting – one universal adapter for FIPS-certified hardware full-disk encryption of all your USB drives, how about that?

Olaf December 9, 2011 3:31 AM

A nice gimmick for geeks but only the hardware data encryption is really of any relevance. The rest is pretty packaging.

vwm December 9, 2011 3:33 AM

To be more precise: It prevents people from placing trojan horses on your device.

(I just read Evil Maid again, it’s kind of different, as the Maid attacks a PC with her own drive.)

D0R December 9, 2011 7:43 AM

Olaf,

I was just going to say the same. I hope nobody here takes the cryptex protection seriously — it’s just cool stuff for geeks to show around (first), and a deterrent to keep people from playing with your USB drive (second).

Chris Hennes December 9, 2011 9:38 AM

Since the attack most of us are most likely to face is one where we leave our USB drive on the subway and someone randomly picks it up and decides to snoop around, I wonder if the physical lock doesn’t actually make the device less secure, insofar as it might motivate an attacker to spend more time trying to figure out what was on the device. Of course, if the encryption is done properly it doesn’t matter, but if it’s not, making a device look like it contains valuable data isn’t such a great idea.

Me December 9, 2011 9:54 AM

Or I could spend $10 on a USB drive and install TrueCrypt. As an added bonus, I wouldn’t have to get past the stupid combo-lock every time I needed to use it.

Paul Renault December 9, 2011 10:26 AM

Cool: The $5 wrench that will be used to perform the ‘cryptanalysis’ and ‘recover’ the password can also be used to smash the locking mechanism!

eve_wears_a_badge December 9, 2011 10:36 AM

@Mike Rose

Can anyone explain to me how hardware encryption on USB drives provides any additional security over just using software encryption?

In theory hardware encryption should get you four things:

  1. protection against some side channels since the encryption is happening outside the cpu scope of the computer (hopefully using a secure instruction set).

  2. Someone can’t get the ciphertext without supplying a correct password (the device only provides plaintext when given the correct password). If implemented correctly it should be impossible to copy the ciphertext without using an electron microscope.

  3. Device can delete data after too many bad attempts (see trustzone).

  4. You don’t have to worry about insecure implementations of a cipher if the hardware cipher is confirmed good (for example if the military wants everyone to use the same algorithm with a random IV, it is easiest to implement once in hardware and then roll that hardware out, software is too customizable).

phoenix December 9, 2011 10:49 AM

8 GB for the price of US$130, or 16 GB for US$160

Maybe five years ago those would have been reasonable prices.

me December 9, 2011 1:42 PM

Except that it screams, “I might be hiding something important!!”, that’s pretty neat. I’d def try one because it kind of begs to be 🙂

If it outlives its usefulness, what else can it be used for? A projectile maybe? lol

big tools December 9, 2011 4:05 PM

re: http://www.dialog05.com/objects/03.html

I’m willing to bet that I can modify the female end of a USB extension cable to fit under the “hoop”, and connect to the male connector on this device, and pull off the data.

Then I could use my super-mega-logic movie set computer to break the encryption on the data!

(All within 60 minutes!!)

haxxmaxx December 9, 2011 5:33 PM

i’m sure any locksmith can get into these easily. they already bypass every biometric and other push button password device this won’t be any different.

the biggest flaw here besides their annoying web 2.0 site devoid of real information is the screenshot that says ‘Forgot password’ and them hinting that it can be reset by the manufacturer. if this is true this is no more secure than an unencrypted floppy disk.

Tony December 10, 2011 12:07 PM

If I’m looking for a simple USB drive to deter someone casually looking at my data I buy a SanDisk Cruzer for $10.00 or I can install TrueCrypt on a $7.00 USB flash drive instead.

If an overpriced 256-bit aluminum case flash drive is what I need I will stick with my IronKey. The positive thing about this Crypteks flash drive is that it allows me to rationalize my IronKey is in fact reasonably priced.

Nick P December 10, 2011 1:21 PM

Thermite: the solution to many of life’s physical security problems.

Just kidding. A plasma cutter would do just fine. You can also get hand-held devices that are similar which burn for about 60 seconds. They use hydrogen and oxygen I believe. Here’s a vid that demonstrates the principle of why locks and bars don’t stop determined attackers.

http://www.youtube.com/watch?v=jSAtPWTdk_c

Nick P December 10, 2011 1:24 PM

Of course, the hacksaw method others are mentioning would be safer for the electronics. It’s just less fun. People have said I tend to go a little wild coming up with uses for thermite or plasma.

Gabriel December 10, 2011 8:19 PM

My first thought is the best substitute for vinegar would be a small thermite charge placed directly on top of the NAND chip. That would slag the IC in a fraction of a second. Of course you could never take that drive on an airplane.

Gabriel December 10, 2011 8:30 PM

@Justin, I would have to imagine that some Protocol if not signalling compatibility with USB 2.0 (and eventually 3.0) will be around with us for a long time. And future interfaces will be more than fast enough to support USB adaptors. One thing different about USB high speed is that under that standard, there was an explosion of external storage devices never before seen. And it is one area where almost everyone quite quickly adopted the standard, the Mass Storage Class. This will help us, since reverse engineering will not be necessary. The problem we will face is data permanence on flash storage, as well as the abysmal wear levelling on cheap flash drives that will turn it into a ROM well before 500 years pass.
