this post was submitted on 19 Feb 2024
227 points (97.5% liked)
Privacy
32442 readers
773 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
In what aspects? I don't know much about these specific devices
Cryptography and tamper resistance implementation. E.g. search "ironkey fips certification". Ironkey is a Kingston brand now though, and Kingston has traditionally been crap, so be careful. Anyway if it's for run of the mill personal files where you just want some extra protection, the device is probably ok if you don't mind the semi-ridiculous cost. This is interesting though: https://www.wired.com/story/unciphered-ironkey-password-cracking-bitcoin/
Also a teardown report: https://hardwear.io/netherlands-2021/presentation/teardown-and-feasibility-study-of-IronKey.pdf
There are more serious technical approaches to data protection, but fairly quickly the weak spot becomes the humans in the loop, which are harder to handle with pure technology.
I was going to suggest an attack similar to what I'd assume the guys in your link achieved—the actual data on the flash chip can be dumped easily, so if you can figure out the encryption algorithm used, you don't need a whole lot of computational power to brute force a 15 digit numeric key (a couple of high end GPUs would probably get you there in an hour or so) and decrypt the dumped data.
I'd stop short of saying "easily" since you have to get the epoxy potting off of the chip. But you are right that there doesn't seem to be any active tamper reactance. The numeric key is apparently 8 digits. Since it's a 10 digit keypad, at least 2 of the digits are unused, and you might be able to recognize those from the comparative lack of fingerprints and wear on those specific keys. So that narrows down the search range some more.