This is the journal of my findings while breaking down an Aegis Padlock encrypting hard drive. This is in chronological order (oldest to newest).
I have an Apricorn Aegis Padlock encrypting hard drive, which I bought back in summer 2010. A hardware encrypting hard drive is attractive to me because I don't need any special drivers, and because this at least potentially would increase performance, since there would not be the latency of the CPU performing crypto (and the CPU could be servicing my personal needs instead). Also, potentially, security can be enhanced by hardware key management. I keep saying 'potentially' because the devil is in the details (but the first claim should be pretty cut-and-dry).
A couple days ago, I noticed a periodic clicking sound and discovered it was coming from the padlock. Yikes! I checked SMART, and it was indeed failing. I managed to get everything off it. Yay! So, warranty time.
I found some ambiguous information about the warranty period, but it seems to be a 3-year one, so I still have 9 months. Should be good-to-go. But, wouldn't it be more fun to take the risk and open it up? If I get a warranty replacement, then I'll never know. Plus, the warranty service may be a hassle. Seagate and Western Digital, at least, have awesome service, and I may be spoiled to expect that level from anyone else. The absence of any unit serial number on the device somehow made me suspicious that the process would be tedious, although I do have my receipt (from a now defunct online retailer).
Some risks are:
maybe the internal hard drive is special in some way, and cannot be swapped out with a common one
tamper-resistant? maybe the thing is potted in epoxy and cannot be pulled apart
tamper-responding? maybe the crypto electronics will self-destruct upon detection of tampering
I did some cursory research on the web, and I didn't see that anyone else had ever pulled one of these apart (or at least hadn't documented having done so, and their findings). Since these things aren't exorbitantly expensive, I decided to take the risk and break it down. And for posterity, I decided to journal the activity.
For reference, here is the unit before breakdown:
It's a portable USB hard drive with a PIN pad on the front. This is the 640GB AES256 version, which was the largest/strongest available at the time of purchase. It has an integrated, short USB cable, which frankly has always given me the heebie-jeebies about breakage (I think I'd rather have a jack for a separate cable), but it has not failed yet.
OK, time to break it down. It's a plastic case, so it probably snaps or screws together. Feeling around the label on the back didn't suggest any hidden screw holes underneath, so I peeled off the feet (and stuck them back on next to where they were originally).
So, under the top two feet are screw holes. The bottom two have nothing under them, so you could leave them where they were. The screw turns out to be a #9 Torx. Since there are no screws at the bottom, we have to figure out how it's fastened. After removing the screws, I pulled up on the case and peeked a little.
This is more scary than pictures suggest, because I didn't know if it would self-destruct. But nothing obvious was tripped. The bottom held on firmly. My suspicion was that it couldn't be too complicated for an inexpensive mass market device, and I believed that it was some common snap-in-place tab arrangement. It didn't come away easily regardless of how I (gently) applied torque and pressure from the free top end, so I applied direct pressure to the bottom end of the front shell half.
Applying pressure to the bottom end of the front half of the shell while holding the top end open (but not too much, just enough to allow the front half of the shell to move topwards easily) and keeping the bottom shell half stationary caused the shell halves to part. [In this picture I have a tool holding the shells apart, because I used my left hand to actuate the camera. In real life, I used my thumb and index finger to hold the top end open, with the other three digits applying bottomwards (rightwards) pressure to the back shell half.] If a picture is worth a thousand words, then an animated gif must be worth three to five thousand. But I don't have one, so cope! It's a simple maneuver.
The front half has three open tabs (each effectively a square loop), and the bottom has three mating 'ramp tabs' that, if the two shell halves were pressed together, would cause the ramp to push the tab out and then spring back into the hole in the loop. The fitting of the parts is quite tight.
The first real glimpse inside the unit:
So, the unit consists of a 2.5" SATA hard disk, a USB adapter board (which surely does the crypto as well), and a keypad. The controller board is fastened to the hard drive with four screws that mate with the standard screw holes on the drive. The drive is surrounded with a rubber shock mount, and the entire assembly is placed in the back shell with no further fastening. The USB cable has a strain relief that fits into a location at the top of the back shell.
The keypad is a single elastomeric sheet, made with at least two different materials (the keys are hard, while the sheet and actuator nipples are soft). The sheet is not actually fastened in any way, it is just held in position by the holes in the front shell half.
The whole thing simply lifts out of the rear shell half:
The electrical part of the keypad is an array of 'snap disks' held in place by an adhesive sheet.
Flipping the assembly over reveals nothing special. The hard drive mates with a SATA connector on that side of the board. It seems to be a garden-variety laptop hard drive:
As a sanity check, I connected it to the computer while out of the case, to verify that it is still functional (i.e. I hadn't tripped any self-destruct mechanisms, though I hadn't seen any).
Lo! and Behold! still operational (green light at bottom).
Yesterday, before I committed to opening it, I went ahead and ordered a 2.5" drive. I really wanted a 1TB replacement, but at the last minute I thought better and got a 750GB. The reason was that I noticed at the last minute that the 1TB is a 12.5 mm drive, as opposed to the more common 9.5 mm, and I didn't know if it would fit in the case. I figured that since those drives are so cheap, even if this was a failure I could use it for something else. I did get a Western Digital 'black' drive, so hopefully that was not a mistake (power requirements too much?).
In a fit of over-eagerness to test in advance of receiving my new drive, I remembered I had a 'tiny' 120GB drive collecting dust. I pulled off the Toshiba -- the tension in the SATA connector was so firm that I looked for a hidden fastener, but no, it was just friction. That's a good thing, though. Anyway, it did come off, and I shoved on my revirginated Fujitsu drive. I don't think revirgination is needed, I just wanted to do it. Somehow it made me feel better.
I plugged in the resulting unit, entered my old PIN, and Lo! and Behold! It came up as expected. I was able to partition and format the drive as expected, and store a little data, and read it back.
It makes me wonder if it wouldn't make more sense for Apricorn to sell the empty enclosure, and you can add your own drive. This way, the hard drive manufacturer would bear the burden of warranty returns, since the controller and case probably has a much smaller likelihood of failure. But they probably know their business better than I do, so c'est la vie.
Edit: I did notice a manufacturer 'Satechi' that makes an enclosure-only product, so someone has had a similar product design thought.
Now that I have an open patient, I am so curious!
I took the Fujitsu back out, and stuck it in a standard enclosure/adapter. I do see that the data is encrypted (or at least obfuscated in some way). One interesting thing is that the apparent size of the drive is appreciably reduced. Here are the reported geometry numbers for the Fujitsu:
Here 'raw' means 'drive in a non-encrypting enclosure' and 'pad' means 'in the Padlock encrypting enclosure'.
Wow! That's 734035456 bytes, or about a CD's worth! I popped the original Toshiba in and out and checked its numbers:
The constant diff of 89 cylinders is interesting, I think. Some sort of 'management' area for the crypto? Seems like a lot for that.
I tried a new experiment; I zeroed out the Fujitsu 'raw', and then mounted it in the padlock and zeroed it out again. The theory is that any sectors touched should have crypto noise in them, and any untouched sectors would still be zeros from the first wipe operation.
I did find that sectors 0 - 233,007,982 were (presumably) the encrypted hard drive space. The rest looked like zeros from my casual whizzing through it. I did spot sector 234,441,554 was sparsely non-zero, and sector 234,441,587 was filled with (presumably) encrypted data.
The first most interesting thing I found at this point was the fact that every sector in the range 0 - 233,007,982 contained the same data. The same data. The same. I.e. apparently no per-sector initialization vector (IV), or they would all be different.
The second most interesting thing I found was that within the sector was the repeating pattern:
2f ba da d0 77 dd 62 e6 c5 43 35 ed 77 e5 e5 ca
Row by row these same digits flow.
So, this tells me that there is no cipher chaining of encryption within the sector. Since this is purported to be AES256, which has a 16-byte block size, which is also the repeating pattern length, I am guessing it is in ECB mode (it could be some other mode, but not a chained one, regardless).
I'm a little bit concerned.
I will not be storing my super-secret stuff on this, and will consider it more of a 'PIN controlled hard drive with data obfuscation'.
I also have a Padlock Pro (which has eSATA, which I have never gotten to work reliably, alas, so the drive is effectively USB for me). Both the Padlock and the Padlock Pro are marketed as having 'AES' encryption, with no further qualification.
I may open up the Padlock Pro and do the same kind of tests on it.
Further, I notice that recently Apricorn came out with a Padlock 3.0. The highlight feature for most is probably the USB 3.0 support -- wish I could use it since I don't have a USB 3.0 controller. The highlight feature for me is that it is claimed to use the 'XTS' mode. For those not familiar, this is a cryptographic mode specifically for hard disks; it has a per-sector IV (tweak) and ties each block to its position within the sector, so neither the identical sectors nor the repeating 16-byte units seen above can occur. Under this scheme, I would consider storing my super-secret stuff. If the crypto is implemented correctly.
Today, I ordered a Padlock 3.0, and all my super-secrets will be transferred off the others when it arrives. It further claims to have epoxy potting of some sort, and maybe even tamper response, but I'm not sure. I'd love to pull it apart and analyze it, but I can't really afford the cost, alas. Well, maybe just a peek...
Since I can't leave well enough alone, I started looking at the hardware on the board. My phone camera I am using cannot get close enough to take a meaningful picture, so the one shown above is as good as it gets at the moment.
There are three chips designated U1, U2, U3 (actually there is also a U4 designation for something in a SOT-23 package. Don't know if it's a 'chip' or a transistor. Possibly a transistor for switching power to the hard drive). U2 and U3 have a dot of paint on them, partially obscuring the package markings. The paint is easily removed with isopropanol, showing:
U1   Silicon Storage Technology   SST25VF010A   SPI serial flash, 1 Mb   hmm. I wonder!
U2   initio                       INIT-1607E    controller               clearly the HD and USB controller
U3   Microchip                    PIC16F883     microcontroller          probably keypad and lights
U2 is in a 48-pin QFP. That part designation is not listed on their site; the closest match I can find is the 1608. The datasheet is available 'upon request', which means sales people will call me, so I didn't bother. Anyway, I am not needing it yet, and if anything I would want the 1607. I don't know why that one is not on the site, but (just a guess) it could mean that it is a semi-custom version commissioned by Apricorn, and thus not generally available. But this is just a guess. The 'product brief' is available, which just has a block diagram enumerating functionality.
If extrapolation from the 1608 is meaningful, I see there is an embedded 8051 core, so the Apricorniness may lie in the software it runs. What I did not see was any crypto block. Maybe that's only in the 1607, or maybe it's done in software? Seems like it would be a bottleneck if so. It is not clear if the 8051 program memory is mask-programmed or flash. If flash, conceivably the firmware could be updated to correct for the crypto deficiencies I mentioned above. All this is based upon my speculative analysis, of course, so maybe not at all.
U3 is a garden-variety microcontroller with 4k ROM and 256 bytes RAM. I'm pretty sure this is just for managing the keypad, lights, etc.
U1 is interesting to me. Hmm. What could one want nonvolatile memory for in a design like this? Oh yeah, keys! But it sure is a lot of memory for some little ol' keys. Maybe it's that big simply due to parts pricing economics, or maybe it's to facilitate some notion of wear-leveling, or there is much more than meets the eye.
Since the two hard drives encrypted zeros to the same value, this implies that the encryption keys are not disk-specific, and are probably stored in the U1. It could (should?) be that the keys are cryptograms under a device-specific master key in the U2. It's not clear that U2 has any on-chip nvram resources to store such a master key, suggesting that at best there would be a fixed (i.e. non-device-specific) master key. Or maybe none at all. Interesting also is that the block diagram for U2 indicates a '2kbit' external nvram interface, somewhat suggesting that it probably doesn't have any on-chip. The block diagram calls this out as I2C, but the U1 is a SPI device. Plus it's way bigger than 2k. So possibly U2 bit-bangs SPI via GPIO? Well, a lot of this is speculation since the part number is the 1607E, not the 1608. The datasheet would be handy to do a sanity check of the pinout against the mounted components, but I don't really want to stimulate the sales calls, and they still may not give it to me anyway.
What would be fun would be to strap a logic analyzer onto U1. Too bad I don't have one. I could then see at least what locations are accessed under what circumstances, possibly analyzing the data (like, same value each time? accessed a lot, or just when the PIN is entered? when a new PIN is created? on device reset?). If that analysis yielded something that looked key-like based upon usage, then I could do some trial encryption, since that looks simple, and maybe crack keys. Maybe. Still, very speculative at this point, and I don't have the needed test equipment, alas... Maybe I can cruft some sort of SPI monitor together with some spare parts lying around.
I backed up my Padlock Pro, and opened that unit. It opens just like the regular padlock; i.e. two #9 Torx at the top, plastic tab-and-key at the bottom, same disassembly procedure. The board is different:
But not that different. U2 is marked as a INIC-1610LE. The 1610 is listed on the Initio web site. Looking at the product brief, I find it also interesting that the chip indicates an SPI serial flash interface, instead of the I2C I mentioned in the 1608, so maybe the 1608 sheet is wrong/incomplete, etc, and anyway what I really needed was the (unavailable) 1607 sheet. For fun I did click 'Requesting a Datasheet', but the link was broken. Hmm! I don't know what the LE suffix indicates -- it could just be some sort of packaging option. The brief did mention flashable firmware. Now I do wish I had a copy of the data sheet! OK, I sent an email, we'll see! But one thing: since the 1610 is a stock part, maybe I couldn't find the 1607 because it is an obsolete part, rather than because it is a custom part.
Later I'll zero out the drive and do some testing. It takes over 20hr to do this. I never thought I would say such a thing, but right now, I would really like the smallest hard drive I can possibly find...
The Padlock Pro crypto implementation is appreciably different than the Padlock. A couple things observed:
There doesn't appear to be any space consumed by the Padlock Pro device; i.e. the 89 'reserved' cylinders seen in the Padlock are not present here. I notice this both by comparing the geometry reported when the drive is mounted in the Padlock Pro and when it is mounted in a conventional adapter, and also by zeroing the drive in encrypted mode and reviewing it in unencrypted mode.
The drive seems 'paired' with the Padlock Pro adapter somehow, and the adapter will not automatically initialize a virgin drive when you stick it in (unlike the Padlock). This has an important consequence for anyone wanting to change out the hard drive: you will need to 'reset' the Padlock Pro (i.e. using the three-finger salute of cancel-open-2 to reset all the passwords) before you can use a new drive. So be sure to archive off your old drive, because once you have done this with the new drive, the old one will be unrecoverable. Since there is no 'reserved' space that could hold this pairing data, I am guessing that the Padlock Pro is using some sort of drive serial number or some ATA feature to get the disk identity, and mixing that into the crypto somehow. Interesting. I'm not sure how much this enhances security, but I should think about it some more. It will necessitate re-setting up the entire security 'organization' (i.e. the set of all admin and user PINs). It also prevents you from doing a sector copy of the encrypted data to a new replacement drive, though, so if you are replacing, be sure to archive the padlock-mounted view of the drive (i.e. decrypted), and then restore that archive through the padlock-mounted new drive once it is installed.
The encryption did change. I notice now that there are repeating 32-byte units. This is two AES blocks, so I'm not sure what's going on here yet. The same (larger) unit does repeat throughout the sector, and there is still no per-sector IV, so I believe all the crypto concerns of the Padlock apply to the Pro as well.
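The zero-then-encrypt test from the Padlock section and the 32-byte repeats just noted on the Pro, as an added example that is not code from the original post: a small Python analyzer that reports, per sector, the shortest repeating unit and whether all sectors are identical. The three images it examines are constructed in memory (the 16-byte unit is the one quoted above; the Pro unit and the XTS-like stand-in are made-up values).

```python
"""Added example, not from the original post. Reproduces the journal's test in
software: zero the drive raw, zero it again through the enclosure, then look
for a short repeating period inside each sector (no chaining, ECB-like) and
for identical ciphertext across sectors (no per-sector IV/tweak)."""
import hashlib

SECTOR = 512

def smallest_period(sector: bytes) -> int:
    """Smallest p dividing len(sector) with sector[i] == sector[i-p] for all
    i >= p. Zeros under ECB give p == 16 (AES block); a tweaked mode such as
    XTS gives p == len(sector), i.e. nothing repeats."""
    n = len(sector)
    for p in range(1, n):
        if n % p == 0 and sector[p:] == sector[:-p]:
            return p
    return n

def analyze_image(image: bytes) -> dict:
    """Per-sector periods plus the number of distinct ciphertext sectors
    (1 means every sector encrypted identically: no per-sector IV)."""
    sectors = [image[i:i + SECTOR] for i in range(0, len(image), SECTOR)]
    periods = [smallest_period(s) for s in sectors]
    return {"sectors": len(sectors),
            "distinct_sectors": len(set(sectors)),
            "min_period": min(periods)}

def verdict(summary: dict) -> str:
    """Turn the summary into the kind of conclusion drawn in the journal."""
    chained = "no intra-sector repetition"
    if summary["min_period"] <= 32:          # one or two AES blocks repeat
        chained = "unchained (ECB-like) within the sector"
    iv = "sector-dependent ciphertext"
    if summary["distinct_sectors"] == 1:
        iv = "no per-sector IV"
    return f"{chained}; {iv}"

# The 16-byte unit the journal saw repeating in every Padlock sector.
PADLOCK_BLOCK = bytes.fromhex("2fbadad077dd62e6c54335ed77e5e5ca")

def fake_padlock_image(n_sectors: int) -> bytes:
    return (PADLOCK_BLOCK * (SECTOR // 16)) * n_sectors

def fake_padlock_pro_image(n_sectors: int) -> bytes:
    # Constructed 32-byte unit, mimicking the two-block repeat seen on the Pro.
    unit = hashlib.sha256(b"constructed pro unit").digest()
    return (unit * (SECTOR // 32)) * n_sectors

def fake_xts_like_image(n_sectors: int) -> bytes:
    # Stand-in for a tweaked mode: a hash keyed by LBA and block index, so each
    # sector and each block differ. Models the property only; not real XTS.
    out = bytearray()
    for lba in range(n_sectors):                 # constructed; lba < 256
        for blk in range(SECTOR // 32):
            out += hashlib.sha256(b"k" + bytes([lba, blk])).digest()
    return bytes(out)

if __name__ == "__main__":
    for name, img in (("Padlock", fake_padlock_image(8)),
                      ("Padlock Pro", fake_padlock_pro_image(8)),
                      ("XTS-like", fake_xts_like_image(8))):
        summary = analyze_image(img)
        print(f"{name:12s} {summary} -> {verdict(summary)}")
```

On a real dump, feed analyze_image sectors read from the device file in chunks rather than loading a whole 120 GB drive into memory.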
I got my Padlock 3.0 in today. I plugged it in and it works the same as all the rest. I see that it came formatted NTFS, and the unused data area looks like non-repeating random data. After a few minutes the urge to disassemble overtook me. This one is supposed to have potting and some self-destruct mechanism. Do I dare risk the $220? Well, if worst comes to worst I will have paid twice as much for a hard drive, because I should still be able to salvage the internal unit if it's anything like the others. Plus, how much potting could they really do? For a mass-market device? So, here we go!
This version is similar to the original Padlock. It has a meatier cable, a textured case, and the spandex bag is pretty much the same in concept. It seems a bit flimsier, and is longer than that of the previous two models with some end overhang, and the logo is stretched (or actually I guess it is correct, and the previous two were squashed). It's also appreciably harder to get on and off the unit due to the case texturing. But enough of those external physicals (the bag on the right is from a prior model):
The back has the same design, with the #9 Torx screws being under the top end's feet:
So, out they came. I had unexpected resistance attempting to remove the top half of the shell. I was concerned that there was a tamper response device that may have been glued to the top during assembly, so I tried to take a peek, but to no avail. Eventually I gave up and forced it off. Turns out this was more mundane. They added two 'ramp-and-loop' coupling points to the sides of the case. You can help disengage them by depressing the side of the front case half to get the loop off the ramp key. I suggest doing this on the left side first, since it's easier. Once that is free, you can do the right side (where the slot for the cable is). Once these two are free, you can use the same pressure-on-the-bottom-end-of-the-front-case-half technique to finish disengaging the top. This reveals a sight that should be familiar by now:
As you can see this PCB is black, which makes it harder to see the chips. You can probably imagine which is which. Also, you can see that there has been material, presumably epoxy, dabbed on top of the chips. Here's a view with some glare to make them more visible.
Well... Hmm... Well, OK, that might help. Won't hurt. Truly though, removing epoxy like this isn't at all impossible; for example, you can send ICs to a failure analysis lab and have them decapsulate a package down to the die, leaving the wires intact, such that the chip still works and you can perform live tests on the die. There would be risk in this if you were trying to crack a drive, since you only have one sample. But personally, I would probably use physical means to remove some of the epoxy -- perhaps with the delicate attention of a Dremel -- just enough to access the package leads and attach probe wires. Anyway, I'm not going to do any of that. Probably.
Oh, one other thing. I did note that the manufacturing date printed on the drive is September 2012. Since this is October, this unit must be super-duper fresh....
Next I'd like to inspect the drive contents before-and-after as I have before. This time with a factory virgin unit, if that proves to be of any interest.