Date: Thu, 14 Jan 1999 09:39:05 -0800 From: aberrant To: BUGTRAQ@netspace.org Subject: Shoddy encryption in Iomega One-Step Backup (fwd) I searched the archives and didn't find anything regarding this. The vendor was notified over a week ago and, aside from the standard "Thank you for your concern" response, has not bothered to contact me. While playing with my new Iomega Jaz 2GB drive the other day, I found an interesting (disturbing) "feature" with the One-Step Backup program that is shipped with the drive (and is also available, presumably for Iomega's other products, on their web site). I've confirmed through Iomega tech support that this is the latest version of the One-Step software out there (verion reported by Windows95 as 5.30). In the backup configuration dialog, there's a "security" tab that allows the user to specify a password to limit access to the backup file that is stored on the Jaz disk. Curious as to what encryption they used, I checked the final backup file and was dismayed. The password appears after the description of the backup (another user field), "encrypted" using the following formula: E = P xor 0x1f Where "P" is a byte of the plaintext password, and "E" is the stored "encrypted" password. Decryption is left as an exercise for the reader. :) You can grab this very easily by doing an "od -c" on the backup file. The password is the first nonzero block past the description (and a 001) and usually resides around offset 0470 (octal). This formula works in every case I tried (alphanumerics, special chars, etc.). Incidentally, it appears that the password is used solely for access control; the rest of the backup file appears to be unencrypted (though compressed at the user's option). I know aleph1 instructed us to be kinder and gentler in this list, but this is just pathetic. If you're going to have an advertised "security" feature with any sort of a key, there's a reasonable expectation by the user that the key not be easily recoverable. I'm certainly not a security expert, but I don't see any reason to store the key in a recoverable format in this case. If all you want to do is control access, a one-way hash should suffice (though still subject to brute force, it's better than this). This is just one example of shoddy programming coming out of Iomega (the others are not security-related, but if you're interested, drop me a line and I'll give you the whole history). Iomega, if you're listening, it's time you took the Ovaltine decoder rings away from your programmmers and replaced them with a good text on security. Cheers, Aberrant aberrant@neptho.net