Not all encrypted drives are actually safe repositories for sensitive information -- even if a bunch of Internet articles point consumers and businesses in their direction. Here is just one example.
Usually, I restrict my product reviews to solutions that I like. Solutions that I'm excited about. However, this week I'm going to move to the other end of the like-dislike continuum and discuss a product that I believe is not only ineffective, but also has the potential to lull consumers and businesses into a false sense of security because of the way it's being marketed -- touted by not only the vendor but also by people who should know better.
The product is the Tornado Plus encrypted USB drive from Aluratek. Before I begin the story surrounding why I think this is a bad idea -- data leakage waiting to happen -- let's take a look at what I think is important in a drive encryption solution.
My (amazingly simple) drive encryption requirements
The first, and seemingly obvious requirement, is the use of a standard, vetted, encryption algorithm -- one that can't be easily cracked. Examples include AES and even 3DES. Second, keys must be protected. The key used to decrypt my drive should be protected from casual capture and hardened against cracking.
Finally, a less obvious requirement -- call me crazy -- is ensuring the vendor from whom I purchase the product actually understands encryption, drive security fundamentals, and their own technology.
There can be other concerns based on the kind of data stored, how its used, user types, etc. But these are the most basic requirements upon which everything else is built. If they are weak, everything else is a proverbial house of cards. This, I'm afraid, is the problem with the Tornado Plus drive.
What is the Tornado Plus?
The Tornado Plus concept is fantastic. When I read about it in one of my RSS feeds, I immediately went to Aluratek's site to get more information. The drive (shown in Figure 1) is USB attachable and hot pluggable/swappable. There's no need to worry about asking Windows for permission to disconnect. But the most innovative feature is the way users can quickly unlock an encrypted drive.
Figure 1: The Tornado Plus drive with key fob
With the Tornado Plus comes an RFID key fob. The fob's RFID chip contains the key used to access data on the drive. So instead of having to enter the key or log in every time, the user can simply bring the fob close to the drive and, voila, access.
Still excited, I search the site for information about how the RFID chip, the transmission of the key, and the encryption of the data were effected. I found nothing. So I decided to call Aluratek. This was where the fun, and my disillusionment, began.
The problem with the Tornado
My first discussion was with a sales guy. I asked about the encryption method. He didn't know. I asked about how the key was protected. Again, no idea. I began to suspect that this was not the person I needed to speak with, and I asked for a "technical" person. After a short wait, another sales guy got on the phone. He knew a little more. For example, the encryption method is to XOR the key with the data. Those of you in the security profession know my reaction to this news. For those of you still coming up to speed, XORing a key with data to encrypt sensitive information is bad. Very bad.
Although disappointed, I had enough interest left to ask about key management. The new sales guy had no idea. I was transferred to an "engineer." I should have known after having to explain to the engineer (we'll call him Anthony) why I thought key protection is important that I was still not speaking with someone with a good grasp of disk encryption. However, he didn't believe the key was encrypted on the RFID chip nor that the transmission of the key to the drive was protected. In other words, anyone with the key fob could access the encryption key. Also, the right equipment in the right place could intercept the key as it's transmitted to the drive.
Not to be deterred, I asked if he could check on these issues. This design seemed wrong somehow. Maybe the sales guys and Anthony just didn't understand the technology. Anthony said he would call me back.
After two weeks of phone tag, I'm still no closer to getting confirmation of what I was told than I was during my initial call. However, none of the voice mails Anthony left indicate there is much more to tell.
Why it's dangerous
Those of us who know better would never buy this drive, unless it was to store vacation pictures or information that was only slightly confidential -- and the drive never left my home or office. Others who see this as an easy-to-use approach to protecting data -- after all, lots of guys on the Internet are saying it's a good idea -- and don't know what questions to ask might just buy this solution. Encrypting their information on this drive does not provide sufficient protection for sensitive information that might be stolen or lost along with the device. But ease of use and low cost will attract many consumers and SMBs, lulling them into a false sense of security. But its not just consumers who have been taken in.
There are many stories on the Web about the release of the new version of this drive. One of them prompted me to investigate. However, very few journalists appear to have actually asked how the Tornado worked. Instead they quickly published glowing reports of this product. Based on what I found during a 10-minute phone conversation, some bloggers and other Internet pundits might want to check out new approaches to security management before sitting down at the keyboard.
The final word
The Tornado Plus fulfills none of my requirements. It uses weak, easily cracked, encryption. The key is not adequately protected, and the vendor's sales and support teams seem to know little about how the technology actually works. I strongly recommend against implementing the Tornado Plus drive to protect sensitive information. It's a great idea come to life in a bad design.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.