I have not (yet?) evaluated this device. I do however have a couple of initial comments.
Only the (TI) security processor itself had a FIPS 140-2 Level 3 crypto engine. However this device as a whole has no certifications I am aware of, FIPS, CESG or anywhere else (let's leave aside for a moment the flaws of the certification processes). Given its claims, the threat model and what it tries to do, that is actually surprising. It should be aiming for 140-2 Level 4, with claims like that. There are not a lot of 140-2 Level 4 devices around at all…
They say "flipped". Do they mean "zeroized"?
There are a few pitfalls with disk encryption. They mention AES-256-CBC. That is not a wide-block mode. So how are the IVs defined? Do they use an encrypted salt-sector IV? A plain one? Is any diffuser used? Is there any integrity protection?
I do not see that this provides a meaningful level of security which is even comparable to, say, (the late) TrueCrypt.
I'm far from being a hardware expert, but I thought it was curious that they used CBC rather than something like XTS. Is there a reason that CBC is more appropriate when used at the hardware (as opposed to filesystem) level, or is this simply just a rather suspect choice?
Probably it was already in the microcontroller they're using. XTS was only FIPS-approved in 2010, iirc. Plenty of other things use CBC, and XTS also has plenty of pitfalls for the unwary who think it works magic (particularly when it comes to the adaptive ciphertext observation/modification class of attacks, in the absence of integrity protection).
Speaking of magic, I've just realised one big potential problem that's been bugging me about this, which finally leaped out at me.
Destruct is controlled via SMS? That is to say, unless they've been unbelievably careful about shielding and optoelectronic coupling (and from the photos, they haven't) there's almost certainly a GSM transceiver, inside the security boundary, near the data paths.
Oops.
Those familiar with EMSEC will know why this could present a Big Problem™. My first port of call, attacking one of these, rather than stealing it, would probably be to sit in the car park with a femtocell and a directional antenna, and make sure the device gets really loud GSM reception. And see what crosstalk gets modulated back. :)
(If you don't think this is a realistic attack for you, why are you in the market for Mission Impossible gadgets anyway? Use TrueCrypt or dm-crypt or DiskCryptor or something. At least you can analyse how they work more easily.)
Similarly, if it's made by, or spiked by, a malicious actor, it's got scope to go kleptographic on your ass and covertly transmit your data. Need to be careful about that.
1. Use a GSM yammer to prevent self-destruction by SMS.
2. Steal the laptop and get out of the range of the token quickly to prevent self-destruction via the token. I could not find how drive and token communicate but you can probably jam it, too, for example Bluetooth.
3. Keep the battery charged to prevent self-destruction by low battery level and set up a femto cell - without connection to the real GSM net, of course - to prevent self-destruction by GSM starvation and SMS.
Now you should at least have all the time you need.
Well, that at least sets a minimum financial barrier. The main problem with that plan is that you'd have to know that your target has this kind of protection beforehand.
They also sell devices called Data Security Protocol Switches (DSPS) which completely prevent your method from working.
"A Signal Proximity (SP) option means that any registered AutothysisDSP computer hard drive that leaves the vicinity of the DSPS signal will automatically self-destruct. This protects against theft and someone walking out the room with a computer. Likewise if a jamming of the DSPS signal is tried in an attempt to thwart the security protocol the registered DSPS hard drives will self-destroy."
Ok, now I wonder: couldn't you harass people using this technology by jamming the DSPS signal until they give up on it and choose something else? I bet that these hard drives are costly enough so that it becomes a problem fast.
The people who use these devices fall under two broad categories: those who operate within the law and those who operate outside of it. In the former case, any jamming can be solved by a call to the FCC to the effect of: "Someone has been operating a jammer near our office. We think it might be a van parked nearby with the license plate 123456." In the latter case, any jamming could mean that the authorities have caught on to them and that they should start destroying all physical evidence. The drive would serve as a canary, so to speak.
> GSM Starvation Period – You can specify a period of time in hours that if the Drive cannot access a GSM service within this time period then the Drive will self-destruct. This protects against the removal of the GSM service in an attempt to circumvent the security features of the Drive.
you forgot one, and it makes jamming more difficult.
Not really- I believe the phone home feature requires a signed key. Its not just listening for a "destruct" but also a time-based, signed "nothing to report sir, continue"
In that case self-destructing chips seems total overkill. Everything beyond simple full disc encryption seems - at least to me - only to make sense if you expect a sophisticated targeted attack.
If you are Mike the Megavillain, then the protection this sort of set-up buys you is from Fred the FBI officer who raids your volcano lair for some other purpose, and bags your laptop as part of a general sweep for evidence without really knowing much about technology. By the time Charlie the CSI gets to it, there's nothing left to recover to reveal your even-more-nefarious plots.
Yes you are right with regards to encryption. However, law enforcement agencies nowadays make sure to freeze devices like telephones in order to prevent them from locking/logging out. In case of (desktop) computers that are turned on, they make sure to splice the cables and hook them onto batteries in order to preserve their on state. I assume they are also aware of things like this self-destructing drive, but I am not sure what their attack vectors are. Most likely they just beat you until you tell them the code.
In case of traveling with sensitive data however this system is pretty good. Normally you'd be forced to give up the encryption passphrase, but when the data is destroyed there is nothing to give up.
This is all very neat, but it appears these folks haven't heard of X-ray microscopy - I don't see why, with a sufficiently high resolution scan, you couldn't see the physical state of the NAND switches on the chip, without opening the packaging, or doing anything else to trigger it.
16nm gates, 10nm resolution achieved - this is probably "good enough", although would require some work as the resolution is barely better than the NAND cell size.
Although you could remedy this by wrapping the thing in lead, within the case - which maybe they have. Be interesting to see the RoHS statement.
Does this offer more security than hardware encryption e.g. in latest Intel and Samsung drives? These drives can transparently encrypt all the content with 256-bit AES; the password is ATA password.
They lost me at "Firstly the encryption key is flipped". What does this mean?
Encrypted drives typically store the literal en/decryption key (derived from your password or credentials) and whatever salt is necessary on a chip. Nuking that information effectively makes your data unrecoverable, because it's no longer distinguishable from noise.
I assume "flipped" is a translation error for "cleared" or "randomized", especially given typos like "instantaineously".
I always wonder why this kind of drive-internal encryption comes up in serious discussions. To me it makes no sense whatsoever: I have no way of checking if the drive actually encrypts the data, I don't know what happens to my password, where is it stored, who else gets access to it (or my data), etc.
How can anyone consider this "transparent" encryption to be secure?
I can't really see the usage scenario. If you want to transmit data securely between A and B, use public key cryptography and the internet [1]. If you want to protect data at rest, use full disk encryption. If you want protect the data on a running PC against theft, then you also have to consider all the data in the RAM (caches etc.). And if you, somehow, can prevent the attackers from getting that, then you can again use full disk encryption.
[1] If you are really paranoid and don't want to connect the devices to the internet, or if you don't have an internet connection at the target location, send a messenger with a random symmetric key first. If he/she arrives safely, send the hard drive with full disc encryption using the symmetric key next. Via any means. You can even FedEx it.
Your Fedex scenario wouldn't work if both the disk or key were compromised mid-transit. You might not know that someone sneaked a glance at the key or if they managed to clone the drive, but if they're sniffing all your mail then you've just given them the keys and the data.
That's why I was writing about a "messenger" specifically. I was thinking about someone you can trust, if need be, yourself. If this messenger assures you the key wasn't spied upon, you can use the key. If you can't even get a courier with a sealed envelope to the location, then you probably won't get any encrypted or otherwise protected data in there, anyway.
This level of security is ridiculous for almost everyone, of course. But we are talking about a self destructing SSD, which you want to send via courier to initiate the destruct, as an alternative. So I think this is a fair comparison.
Some jurisdictions force people to decrypt their drives under pain of contempt of court. Some jurisdictions use rubber-hose cryptanalysis. Full disk encryption protects against neither. This protects against both.
How does this protect me from them not touching my computer at all, walking me in to a different room, tying me to a chair, and... uh... "asking politely while showing me a warrant" for me to decrypt the device and disable any security features?
Of course, if the drive uses internal full disk encryption, all you have to do to fully destroy the data (or at least make it inaccessible for a long, long time) is get rid of 16 bytes of AES key. I doubt there is no way to securely implement this without dramatic explosions...
I've enjoyed the idea of self-destructing data for awhile now, but it always leads to the possibility of DoS attacks against my own data.
This smartphone app and token, how do they communicate with the drive? Does it use cryptographic signatures to make sure that it's actually my phone talking to the device and not someone else, or just a passcode?
Does the drive send out an alert if it receives more than X SMS messages, where X is configurable? What's to stop someone from sending random texts to it until it self destructs? Simply the that they don't know the phone number?
but it always leads to the possibility of DoS attacks against my own data.
It depends on the nature of the data you want to store: there is some data which you would be concerned with letting others get access to but whose existence is more important, and other data where you absolutely must not let others get access to, even if it means that no one (including you) can. This drive is designed for the latter case.
Does anyone have any insights on how the actual physical destruction takes place? I would assume it is a chemical triggered by a shorted fuse?
A quick glance at the laws in California make it a felony to simply have in your possession "any sealed device containing dry ice or other chemically reactive material that is assembled for the purpose of causing an explosion." The definitions for other types of destructive devices are specific to scale, but this part is not.
Perhaps not an explosion within the meaning of applicable California statutes.
Looking at the pix that show chip fragmentation, I don't see evidence of reactive chemistry. No melted edges, no deposition of combustion products, no missing material that would suggest propulsive transport incident to a micro explosion caused by detonation of a tiny blob of, for example, lead styphnate or some other primer-like compound.
Exploding wires are an old technology, and don't involve "...chemically reactive material...". Think old-fashioned fuses, but with faster dynamics.
Maybe they have an on-board supercap that they dump into a buried trace, producing a brief high temperature copper plasma and a shock wave that breaks the chip?
Interesting technology, would like to know how they do the physical destruction.
Very nearly. Overcurrent spike to Vcc. Simple and obvious. (How'd they get a patent? GCHQ already certified drives that do this, from Stonewood? They use the Eclypt 600 series for their own TOP SECRET data.)
I'd like to know if the self-destruct mechanism still functions at very low temperatures. Given that one known attack on data in RAM is to flash freeze it (Cold Boot Attack) it is natural to think about lowering the device temperature to the point where chemical reactions wouldn't and mechanical devices would jam.
The obvious thing to get around the "fragmentation" would
be to leave the chip on the PCB and cut the traces. Then connect your own wires or an upside-down socket from above. Anything I'm missing?
If my data is valuable, I have two fears: (1) theft, (2) loss. If my drive is built to self-destruct, it decreases fear #1 but increase fear #2. What do I do then? Back up my data elsewhere? But that defeats the purpose of the high security drive. Do I get more than one high security drive? That still puts a lot of trust in the design -- if there were a systemic flaw that caused them all to fail or self-destruct at once I'd be out my data.
Presumably the use case would be you want to transfer secret information from a secure location via an insecure channel to another secure location (e.g. in a diplomatic bag perhaps?).
This is for people who care more about knowing that the data was transferred securely than whether it goes through at all. There would likely be a master (backed up) copy on an internal air-gapped machine.
Or when data is temporarily removed / copied from the highest security locations.
E.g. I was part of maintenance on a defence system once that in itself wasn't very important, but it was kept in an air-gapped concrete bunker with a faraday cage deep inside the office building. Offices outside were used for top secret data during processing, but when people were done working on something, storage would happen in the "bunker".
I'd imagine drives like these would be popular for the offices.
If you don't care about the safety of anyone involved and don't wish to go into a government building with your laptop, I'm sure thermite would be a lot more effective for its weight than a civilian acquirable explosive.
A thin layer of thermite, a magnesium starter, and a ceramic holster to keep the thermite firmly against the drive during the burn should work. Two thousand degrees of burning iron a few millimeters away from the nand should thoroughly annihilate it.
Chemical scans would probably be pretty hard-pressed to detect thermite, which is after all just aluminium and iron oxide powder. Even the magnesium starter is non-sniffable.
Only the (TI) security processor itself had a FIPS 140-2 Level 3 crypto engine. However this device as a whole has no certifications I am aware of, FIPS, CESG or anywhere else (let's leave aside for a moment the flaws of the certification processes). Given its claims, the threat model and what it tries to do, that is actually surprising. It should be aiming for 140-2 Level 4, with claims like that. There are not a lot of 140-2 Level 4 devices around at all…
They say "flipped". Do they mean "zeroized"?
There are a few pitfalls with disk encryption. They mention AES-256-CBC. That is not a wide-block mode. So how are the IVs defined? Do they use an encrypted salt-sector IV? A plain one? Is any diffuser used? Is there any integrity protection?
I do not see that this provides a meaningful level of security which is even comparable to, say, (the late) TrueCrypt.