rudis dot net

Found this via slashdot.

The top-notch security researchers over at heise security discovered that encryption seems to be a play on words for a large class of consumer-targeted hard drives that use a common controller chip. While the manufacturers claim AES encryption, the reality is that AES is only used in one small part of the drive operation, with the rest being little more than a simple XOR data obfuscation:

heise Security has since received a statement from Innmax, the manufacturer of the IM7206[2] controller chip used, confirming our findings. The IN7206 merely uses AES encryption when saving the RFID chip's ID in the controller's flash memory. The company explained that actual data encryption is based on an algorithm developed in-house. As they put it, "The IM7206 only offers basic protection and is designed for normal users." In contrast, the more expensive IM8202 controller chip is being designed for "power users, banks, and it enterprises with high security requirements"; it will reportedly offer true 128-bit AES encryption for data – but the chip is still in the development phase.

Fine print is especially important in security products and is one reason it is always a good idea to delve into details when there are assertions of FIPS certification levels, claims of the use of encryption or product security testing seals. heise invested very little effort and found a fairly large, gaping hole. Would your enterprise architecture team – even with the help of your security gurus – have been able to do the same?

Stop trusting your vendors and start verifying anything you plan on putting into production, whether it's for data protection or just operational/functional performance/efficiency.