Huge USB drive capacities have encouraged users to carry lots of data while on the go, and even run software, email clients, or entire operating systems from these tiny little devices, which have little or no intrinsic security structure. Generally speaking, whoever holds the USB drive has full and unfettered access to all information it contains. Plug it in, open up a folder and there it is.
Recovering lost and accidentally erased data is one thing, but what happens if you lose a 64GB USB drive packed full of confidential details? Encryption is a good answer. It's a security system that makes data unreadable to everyone but the rightful owner, so in the event a USB drive is lost at least the data won't be compromised too.
That's the sales pitch behind the SuperTalent Luxio, a 64GB USB drive which boasts AES-256 hardware encryption. It sounds secure, but we were able to crack the security on the Luxio USB drive W-I-D-E open. In this review we'll explain how you can gain full and unfettered access to the "encrypted" files in about 10 seconds without any special tools, or even a correct password.
Supertalent's 64GB Luxio USB drive maintains quick data access rates of about 30MB/s, or 200X, and according to the manufacturer relies on a hardware-based 256-bit Advanced Encryption Standard (AES) algorithm. The hardware encryption works in conjunction with an application called SecureLock to encrypt/decrypt files stored on a specified partition of the USB flash drive, while remaining essentially transparent to the user.
The Supertalent Luxio comes pre-loaded with the 2.5MB SecureLock application. SecureLock allows you to create public and private partitions of any size totalling the capacity of the USB drive. So for example, this 64GB Luxio could be set up with a 50GB encrypted partition and a 14GB public partition. The encrypted partition is password protected and unreadable until the owner runs the SecureLock program and logs in. The public partition is always accessible.
In the event of a brute force password hack, the SecureLock software is supposed to automatically format the encrypted partition after 5 failed login attempts. Encrypted data is thus kept inaccessible to whoever attempts to gain unauthorized access, and unfortunately to forgetful owners as well.
Sounds good so far except PCSTATS quickly discovered a way around these security measures... we'll go over all of that momentarily.
The 64GB SuperTalent Luxio USB flash drive retails for about $140USD ($160CDN) and is covered by a limited lifetime warranty from the manufacturer. The SecureLock application is stored on the device along with a copy of the PDF user manual. The drive has a loop for a lanyard though none is supplied; instead Supertalent bundles a small leather carry case to protect the gleaming fake wood-grained plastic case from scratches.
The Luxio measures 77 x 9 x 21mm in size and has a red LED at one end to indicate data transfer activity. The drive is USB1.1 and USB2.0 compatible; peak transfer rates are 200X, or just under 30MB/s.
The drive and encryption software are compatible with all recent Windows 2000/XP/Vista operating systems and can be used for Vista's Readyboost.

USB Drive AES-256 Encryption

The encryption tools supplied with SuperTalent's Luxio 64GB USB drive are entirely optional; you don't have to use them if you don't need to. For anyone traveling with upwards of 64GB of data on a USB drive, however, encryption should be right up there with travel medical insurance. Don't leave home without it!
Before we can secure data on the Supertalent Luxio, we'll need to define a few parameters first. This is accomplished in the same manner as the Kingston DataTraveler Elite that PCSTATS previously reviewed - a 128-bit AES encrypted USB stick, now superseded by the AES-256 DataTraveler Vault series.
With the Luxio USB drive plugged into the PC, launch the SecureLock application and assign a password, password hint and set the size of the public and private partitions.

The software can partition the Luxio drive into two partitions only, with as much of the 64GB space devoted to the "encrypted" private partition as the user wishes (minimum 10MB partition size). It will then format the entire USB drive for use. The drive should be empty before adjusting partition sizes or setting up encryption, as the partitioning process removes all data except for the SecureLock application and PDF user manual.

With the encrypted data partition configured, each time the Supertalent Luxio USB drive is connected to a PC the public data storage space is instantly accessible. The data stored in the encrypted private partition remains inaccessible until the SecureLock application is launched and the correct password entered (once a password is set). The user can "log off" the secure partition by launching the program and clicking the lock icon, or simply disconnect the Luxio USB drive from the PC. Each time the USB drive is unplugged from the computer the encrypted partition is automatically locked.
The password protection can also be disabled entirely without re-partitioning the entire USB drive should you decide it's no longer required.


At least that's the way SecureLock is supposed to work...
In the course of testing the Supertalent Luxio 64GB drive PCSTATS discovered no less than four critical programming oversights in the SecureLock software that can allow someone to lock you out of your data or circumvent your password entirely to gain full access to your private data.

Hacking SuperTalent's AES-256 Encrypted Drive is Easy

Here's what PCSTATS discovered... and I might note that no other hardware "review" website to test the SuperTalent Luxio picked up on any of these obvious issues as of this article's publication. Just another reason why you should always Get the 'STATS and Stay Informed!
Bug 1) How To Lose Ownership of the Encryption Password:
Here's how PCSTATS did it.
- Pop the SuperTalent Luxio drive into a USB slot, launch the SecureLock software and set up the private partition and initial password to (1). Log out by removing the Luxio from the USB slot.
- Re-insert the Luxio and unlock the drive by typing in the correct password (1) in the SecureLock application.
- With the Luxio drive unlocked it's now possible to go to the "Change Password" form and set a new password to (2) without entering anything in the first "Old Password" field (enter 2 in all the other fields).
- Unplug the Luxio drive and then re-insert it.
- Launch SecureLock and attempt to unlock the drive with the new (and unauthorized) password of (2) - the Luxio unlocks!

In other words, if you walk away from your PC for a moment and leave the Supertalent Luxio plugged in and unlocked, anyone can open up the SecureLock application and change the password of your encrypted USB drive to something entirely new without proving they are authorized to do so.
Even Windows challenges user account password changes by demanding the original password! Yikes!
Bug 2) Wrong Password / Right Password = Formatted Partition Bug:
Here's what PCSTATS found.
- Launch the SecureLock software and set up a private partition on the Supertalent Luxio with the password set to (1).
- Login once to confirm the password works, then unplug the Luxio USB drive and re-insert it, or simply log off.
- Attempt to unlock the drive through SecureLock in the normal way, but enter an incorrect password three times in a row.
- Enter the correct password on the fourth attempt and watch in horror as the Luxio continues to decline the password even though it's now correct!
- If you enter the correct password on the fifth and sixth attempts it will still reject it. On the sixth attempt, regardless of whether the password is correct, the USB drive will automatically format itself and erase all your data. (Except when Bug 4 happens.)
The only way to escape from this programming Catch-22 is to unplug the USB drive before the format warning, plug it back in and login anew with the correct password. This leads into the third and fourth major bug discoveries below.
Bug 3) Unlimited Log In Attempts for Brute Force Password Hacking:
The Luxio USB drive is supposed to reset itself and format all data on the private partition after five failed login attempts. If you can believe it, anyone can circumvent the five failed login attempts. Here's how we did it. Simply unplug the drive, plug it back in and open up the login window again. Each time the login window is closed the 'failed login attempts' counter seems to reset to 0, so an individual could easily apply brute force password cracking to breach your password.
Not that anyone needs to go to such measures: if the private partition on the Luxio is set to greater than 32GB, all you need to do is login incorrectly a half-dozen times... Yup, we're not kidding.
Bug 4) Circumvent The Password - Gain Full Access to "Encrypted" Data in 10 seconds:
According to the SuperTalent Luxio product FAQ - "After five consecutive incorrect password attempts the Luxio will automatically reformat itself and all data on the Luxio will be lost. This feature helps protect your data should your Luxio be lost or stolen." Makes sense, otherwise any individual could apply a brute force password hacking tool to crack your password, which is probably something simple like "123456" anyhow.
Well, unfortunately for Luxio owners this doesn't always happen. In fact, all the SuperTalent Luxio encryption measures can be circumvented very easily. Here's how we did it with the 64GB Luxio drive we tested in our labs. Purposefully make six incorrect login attempts in a row, provided the private partition is between 33-64GB in size. After the sixth you get full file access. If the private partition is 32GB or less, the drive will automatically format the partition after the last failed login attempt as it is supposed to, erasing all the data it holds.
I'd hazard a guess that the SecureLock application was programmed when 32GB was the maximum USB drive size, so for sizes greater than this its format command fails to engage. A mind boggling oversight isn't it?
These are the steps PCSTATS took.
- Launch the SecureLock software and create a private partition between 33-64GB in size and set the password to (1).
- Login once to confirm the password works, and log off.
- Attempt to unlock the drive through SecureLock by entering an incorrect password six times in a row.
- By the sixth attempt the SecureLock software will tell you that it is formatting the private partition and erasing all the data it contained - except that it doesn't actually erase the partition.
- Instead SecureLock disables the password protection on what should be a freshly formatted partition!
The end result is that it only takes six incorrect password attempts to circumvent AES-256 encryption and allow anyone access to the encrypted files (for partitions of 33GB-to-64GB size). This is such a fundamental programming bug that it makes us seriously question just what "encryption" is actually applied on the SuperTalent Luxio.
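To show what a lock controller has to get right to avoid the four SecureLock defects above, here is an added example (our own toy model, not SuperTalent's code): it requires the old password before a change (Bug 1), lets a correct password succeed after earlier failures (Bug 2), keeps the failure counter across unplug/replug (Bug 3), and fails closed when the wipe does not succeed (Bug 4). The five-attempt limit is taken from the Luxio FAQ; the `wipe_ok` switch is a constructed stand-in for a format command that silently fails.

```python
import hashlib
import os
import secrets

MAX_FAILED = 5  # attempt limit quoted in the Luxio FAQ

class SecureLockModel:
    """Toy lock controller; hypothetical, not vendor code."""

    def __init__(self, password: str, wipe_ok: bool = True):
        self.salt = os.urandom(16)
        self.verifier = self._derive(password)
        self.failed = 0          # persistent state, not per login dialog
        self.unlocked = False
        self.wiped = False
        self.wipe_ok = wipe_ok   # constructed: simulate a format that fails

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def reconnect(self) -> None:
        # Bug 3: unplugging only locks the volume; it never resets the counter.
        self.unlocked = False

    def login(self, password: str) -> str:
        if self.wiped:
            return "wiped"
        if self.failed >= MAX_FAILED:
            return self._wipe()  # limit already reached: wipe, never unlock
        if secrets.compare_digest(self._derive(password), self.verifier):
            self.failed = 0      # Bug 2: a correct password always succeeds
            self.unlocked = True
            return "unlocked"
        self.failed += 1
        return self._wipe() if self.failed >= MAX_FAILED else "denied"

    def _wipe(self) -> str:
        # Bug 4: drop protection only if the wipe really happened (fail closed).
        if not self.wipe_ok:
            self.unlocked = False
            return "wipe_failed_locked"
        self.wiped = True
        return "wiped"

    def change_password(self, old: str, new: str) -> bool:
        # Bug 1: an unlocked session still has to prove the old password.
        if not self.unlocked or not secrets.compare_digest(self._derive(old), self.verifier):
            return False
        self.verifier = self._derive(new)
        return True
```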
USB Speed Tests
Up next PCSTATS will benchmark this USB flash drive with and without its "hardware encryption" engaged to see what kind of data transfer speeds we can expect from the SuperTalent Luxio.