Tornado Drive (Yikes!)

  • Tornado Drive (Yikes!)

    Tech Republic's Tom Olzak reviewed the Tornado Plus encrypted USB drive, and actually investigated the encryption and security, rather than accepting the marketing materials at face value. He found several flaws, and they're BIG flaws at that. It's nice to see a journalist who takes this stuff seriously, instead of just drinking the kool-aid. Bravo!

    The Tornado Plus encrypted USB drive: Good idea, bad design

    Usually, I restrict my product reviews to solutions that I like. Solutions that I’m excited about. However, this week I’m going to move to the other end of the like-dislike continuum and discuss a product that I believe is not only ineffective, but also has the potential to lull consumers and businesses into a false sense of security because of the way it’s being marketed — touted by not only the vendor but also by people who should know better.

    The product is the Tornado Plus encrypted USB drive from Aluratek. Before I begin the story surrounding why I think this is a bad idea — data leakage waiting to happen — let’s take a look at what I think is important in a drive encryption solution.

    My (amazingly simple) drive encryption requirements
    The first, and seemingly obvious requirement, is the use of a standard, vetted, encryption algorithm — one that can’t be easily cracked. Examples include AES and even 3DES. Second, keys must be protected. The key used to decrypt my drive should be protected from casual capture and hardened against cracking.

    Finally, a less obvious requirement — call me crazy — is ensuring the vendor from whom I purchase the product actually understands encryption, drive security fundamentals, and their own technology.

    There can be other concerns based on the kind of data stored, how it’s used, user types, etc. But these are the most basic requirements upon which everything else is built. If they are weak, everything else is a proverbial house of cards. This, I’m afraid, is the problem with the Tornado Plus drive.

    What is the Tornado Plus?
    The Tornado Plus concept is fantastic. When I read about it in one of my RSS feeds, I immediately went to Aluratek’s site to get more information. The drive (shown in Figure 1) is USB attachable and hot pluggable/swappable. There’s no need to worry about asking Windows for permission to disconnect. But the most innovative feature is the way users can quickly unlock an encrypted drive.

    With the Tornado Plus comes an RFID key fob. The fob’s RFID chip contains the key used to access data on the drive. So instead of having to enter the key or log in every time, the user can simply bring the fob close to the drive and, voila, access.

    Still excited, I searched the site for information about how the RFID chip, the transmission of the key, and the encryption of the data were effected. I found nothing. So I decided to call Aluratek. This was where the fun, and my disillusionment, began.

    The problem with the Tornado
    My first discussion was with a sales guy. I asked about the encryption method. He didn’t know. I asked about how the key was protected. Again, no idea. I began to suspect that this was not the person I needed to speak with, and I asked for a “technical” person. After a short wait, another sales guy got on the phone. He knew a little more. For example, the encryption method is to XOR the key with the data. Those of you in the security profession know my reaction to this news. For those of you still coming up to speed, XORing a key with data to encrypt sensitive information is bad. Very bad.

    Although disappointed, I had enough interest left to ask about key management. The new sales guy had no idea. I was transferred to an “engineer.” I should have known after having to explain to the engineer (we’ll call him Anthony) why I thought key protection is important that I was still not speaking with someone with a good grasp of disk encryption. However, he didn’t believe the key was encrypted on the RFID chip nor that the transmission of the key to the drive was protected. In other words, anyone with the key fob could access the encryption key. Also, the right equipment in the right place could intercept the key as it’s transmitted to the drive.

    Not to be deterred, I asked if he could check on these issues. This design seemed wrong somehow. Maybe the sales guys and Anthony just didn’t understand the technology. Anthony said he would call me back.

    After two weeks of phone tag, I’m still no closer to getting confirmation of what I was told than I was during my initial call. However, none of the voice mails Anthony left indicate there is much more to tell.

    Why it’s dangerous
    Those of us who know better would never buy this drive, unless it was to store vacation pictures or information that was only slightly confidential — and the drive never left my home or office. Others who see this as an easy-to-use approach to protecting data — after all, lots of guys on the Internet are saying it’s a good idea — and don’t know what questions to ask might just buy this solution. Encrypting their information on this drive does not provide sufficient protection for sensitive information that might be stolen or lost along with the device. But ease of use and low cost will attract many consumers and SMBs, lulling them into a false sense of security. But it’s not just consumers who have been taken in.

    There are many stories on the Web about the release of the new version of this drive. One of them prompted me to investigate. However, very few journalists appear to have actually asked how the Tornado worked. Instead they quickly published glowing reports of this product. Based on what I found during a 10-minute phone conversation, some bloggers and other Internet pundits might want to check out new approaches to security management before sitting down at the keyboard.

    The final word
    The Tornado Plus fulfills none of my requirements. It uses weak, easily cracked, encryption. The key is not adequately protected, and the vendor’s sales and support teams seem to know little about how the technology actually works. I strongly recommend against implementing the Tornado Plus drive to protect sensitive information. It’s a great idea come to life in a bad design.
    "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

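Added example, not part of the original post or of Olzak's article: a Python sketch of why the XOR scheme described in the article fails his first requirement. It assumes a 16-byte key repeated across the data (the page states neither the key length nor how the key is applied); the key, sample data and function names are constructed for illustration.

```python
from itertools import cycle

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; encrypting and decrypting are the same call."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def smallest_period(stream: bytes) -> int:
    """Shortest p for which stream is stream[:p] repeated."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return len(stream)

def key_from_known_plaintext(ciphertext: bytes, known: bytes, offset: int) -> bytes:
    """C xor P = K: plaintext known at one offset gives back the key bytes used there."""
    if not known:
        raise ValueError("need at least one known plaintext byte")
    window = ciphertext[offset:offset + len(known)]
    stream = bytes(c ^ p for c, p in zip(window, known))
    # The period is trustworthy only when the known span covers the key at least twice.
    period = smallest_period(stream)
    shift = offset % period  # rotate so key[0] lines up with byte 0 of the drive
    return bytes(stream[(i - shift) % period] for i in range(period))

# Constructed sample: a 16-byte key (assumed length) and a tiny "drive image" that
# contains a run of zero bytes, as unused file-system space commonly does.
KEY = b"constructed-key!"
HEADER = b"CONSTRUCTED SAMPLE: payroll.xls contents "
PLAINTEXT = HEADER + bytes(64) + b"more private data"
CIPHERTEXT = xor_repeating(PLAINTEXT, KEY)

def demo():
    """Recover the key from the zero run alone, then decrypt everything with it."""
    recovered = key_from_known_plaintext(CIPHERTEXT, bytes(64), len(HEADER))
    return recovered, xor_repeating(CIPHERTEXT, recovered)

if __name__ == "__main__":
    key, plaintext = demo()
    print("recovered key:", key)
    print("decrypted    :", plaintext[:len(HEADER)])
```

With a vetted cipher such as AES, knowing part of the plaintext does not hand back the key, which is why the article lists the algorithm as its first requirement.
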
  • #2
    Re: Tornado Drive (Yikes!)

    Terrific reporting... and a big tip of the hat to Thorn for bringing the article to our attention.

    It really is amazing how today, what with modern technology, it takes mere minutes to verify the key background details of a press release or some institution's claims. (Vetting a news item's salient points through Google, while not the most journalistic method, can often expose plenty of tarnish on the back side of a shiny object.)

    Often the most cursory check, if performed with professional inquiry, will reveal key facts. However, the same reporters who today have this power at their fingertips are often so dazzled by modern technology that they accept every new development as the "next big thing" and praise it as wonderful.

    Well done, Mr. Olzak.
    "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
    - Trent Reznor


    • #3
      Re: Tornado Drive (Yikes!)

      I can't say how impressed I am with this article. Someone that is doing their homework. I was starting to wonder if we were the only group to challenge the masses.

      If there was an honorary Defcon award, Tom Olzak would be getting my vote.


      • #4
        Re: Tornado Drive (Yikes!)

        But I like the kool-aid. :-)


        Maybe they thought you were trying to social engineer them.

        Anyway this is more like what you are looking for:
        Last edited by xor; September 9, 2008, 20:17.
        Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.