10 reasons why Corsair Flash Padlock 2 CAN be cracked

# Exploit Title: 10 reasons why Corsair Flash Padlock 2 CAN be cracked
# Date: 2010-11-05
# Author: Tomas Harvie Mudrunka <harviecz@gmail.com>
# Software Link: http://www.corsair.com/products/padlock2/
# Version: 2

                   ___          ___          ___                                 ___     
                  /__/\        /  /\        /  /\         ___       ___         /  /\    
                  \  \:\      /  /::\      /  /::\       /__/\     /  /\       /  /:/_   
                   \__\:\    /  /:/\:\    /  /:/\:\      \  \:\   /  /:/      /  /:/ /\  
               ___ /  /::\  /  /:/~/::\  /  /:/~/:/       \  \:\ /__/::\     /  /:/ /:/_ 
              /__/\  /:/\:\/__/:/ /:/\:\/__/:/ /:/___ ___  \__\:\\__\/\:\__ /__/:/ /:/ /\
              \  \:\/:/__\/\  \:\/:/__\/\  \:\/::::://__/\ |  |:|   \  \:\/\\  \:\/:/ /:/
               \  \::/      \  \::/      \  \::/~~~~ \  \:\|  |:|    \__\::/ \  \::/ /:/ 
                \  \:\       \  \:\       \  \:\      \  \:\__|:|    /__/:/   \  \:\/:/  
                 \  \:\       \  \:\       \  \:\      \__\::::/     \__\/     \  \::/   
                  \__\/        \__\/        \__\/          ~~~~                 \__\/    
 

==== HOWTO Hack Corsair Padlock (1) ====
Well this drive just sucked all they have done was disconnecting the flashdrive until PIN was entered
and as long as there were no encryption all you needed to read or modify the data was interface to memory directly without the PIN-verifying circuit
it was already hacked and it was even more simpler to disable the circuit. all you need is to solder a resistor to PCB of flashdrive as described on following sites:

http://veerboot.tweakblogs.net/blog/561/corsair-padlock-hacking.html
http://www.everythingusb.com/corsair-flash-padlock-2gb-14479.html
http://www.everythingusb.com/corsair_flash_padlock_2gb_13775.html


==== HOWTO Hack Corsair Padlock 2 ====
There are several reasons why Corsair Padlock 2 can be cracked...


Corsair says that Padlock 2 is using AES 256b which means there should be
2^256 = 115792089237316195423570985008687907853269984665640564039457584007913129639936 possible keys.

But key is entered as PIN which 4-10 numbers long combination of 5 numbers (not 10 as they claim!) which actually means only
5^4+5^5+5^6+5^7+5^8+5^9+5^10 = 12206875 possible keys which makes it WAY MORE vulnerable to brute-force attacks.
Especially when we know that there is probably FAT32 or NTFS signature at the beginning of flashdrive.

There is internal protection against brute-force attack which locks the drive for 2 minutes after entering wrong key 5 times,
but if some electronic device want's to be able to wait for two minutes there are probably only two efficient ways to do that:
1.) some clock circuit powered by electricity
	This can be hacked by removing internal battery and making circuit that will disconnect flashdrive from USB power after each 5 keys tried.
	As Corsair's FAQ sais: padlock will work even without internal battery, so no further hacking needed to reset internal clock...
2.) charge capacitor and wait until it gets discharged (this will work even without batteries)
	I guess that this is not the case as i haven't seen any capacitor inside the drive, but this can be seen as way to workaround battery-hack above.
	Well... it is NOT. capacitor can be shorted-up or disconnected same way as the battery can be.

Anyway we don't even need to avoid the clock circuit because we can still dump the data of flashdrive somehow
and crack them in the computer which will be much faster than using flashdrive to crack itself by trying to enter PINs.

there are two ways to do this
1.) Desolder the flash memory and read it using custom interface circuit
2.) Fool the flashdrive to let us read the encrypted memory even when we don't know the PIN
	Fortunatelly there is backdoor for recovering lost PIN and i guess it will let us to do just that...

There is way to unset PIN which will (according to FAQ) "reset the Flash Padlock, but all the data on the drive will be COMPLETELY ERASED".
I guess that they are lying us again, because ereasing whole drive would take a LOT of time, produce LOT of heat... (you can try dd if=/dev/zero of=/dev/your-padlock)
so i am not sure if internal battery is strong enough to take that (according to manual ereasing should work even when not connected to computer).
I guess that all they does is enabling us to access encrypted data (in good hope that their AES implementation is strong enough)
and they recommend us to format the flashdrive after reseting PIN (well this is needed and does not matter if we have flash filled by random AES encrypted data or zeroes),
but i guess we can dump the encrypted data (eg.: dd if=/dev/your-padlock of=padlock-encrypted.img) to our computer and crack it instead of formating the drive :-)

Once we have the dump we can crack it using the hole mentioned above. There are ONLY 12206875 possible keys which IMHO makes AES really easy to be cracked using brute-force
(don't forget that we even probably already know few bytes at the beginning of flash memory).
But before we start cracking we need to know how to get (predict) these 12206875 keys.
I hope they are not using the PIN directly but there is some hash function that will assign one AES key to each PIN combination, so we'll need to do some reverse engineering to get this function
(if we want to crack the data using computer instead of interfacing to padlock's buttons, LEDs and power supply directly).
Maybe we'll be able to dump the firmware somehow or we'll need to slowly grind the chip under the electron microscope to inspect it's internal structures (LOL).

Maybe they also tried to fix the problem with predictable keys by adding some random number which is unique to each flashdrive (i guess they didn't done that)
and which will cause the hash function to generate different keys for same PINs on different drives.
obtaining of such random number would be equally difficult as obtaining the hash function itself so it's irrelevant.
Anyway we can still crack the data inside the padlock without doing this.

Actually i don't have Corsair Padlock 2 (and after investigating on it i am not going to buy it) so i can't try to crack it, but you can send me reports if you succeed to do so.

Conclusion:
- Corsair Padlock 2 CAN be cracked
- Corsair Padlock 2 will be cracked some day
- Nobody will probably want to crack your Padlock 2
- Nobody you know will probably ever want to invest such effort to crack your Padlock 2 (does not apply to NSA and your mother ;-)

Ideas:
- You can make your very own custom encrypted flashdrive using Atmel AT89C5131 (or AT89C5132) while avoiding the security bugs of Corsair Padlock 2
	It does have only 32kB of internal flash memory (enough to store certificates and passwords)
	but it can interface to some larger flash chip or even microSD cards so you can have very good encrypting card reader/writer which is able to store few GB too...

Sources & Further Reading:
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
http://www.corsair.com/products/padlock2/default.aspx
http://www.corsair.com/products/padlock2/PadlockUserManual.pdf
http://www.everythingusb.com/corsair-flash-padlock-2-flash-drive-18671.html
http://www.corsair.com/faq/default.aspx#PL4

Happy hacking :-D