When WIRED reached out to the Commerce Department’s Bureau of Industry and Security, a spokesperson responded that the BIS is restricted by law from commenting to the press on specific companies and that a company’s unlisted subsidiary—like Initio—isn’t technically affected by the Entity List’s legal restrictions. But the spokesperson added that “as a general matter, affiliation with an Entity Listed party should be considered a ‘red flag.’”
Hualan’s Initio chips are used in encrypted storage devices as so-called bridge controllers, sitting between the USB connection in a storage device and memory chips or magnetic drive to encrypt and decrypt data on a USB thumbdrive or external hard drive. Security researchers’ teardowns have shown that storage device manufacturers including Lenovo, Western Digital, Verbatim, and Zalman have all at times used encryption chips sold by Initio.
But three lesser-known hard drive manufacturers, in particular, also integrate the Initio chips and list Western government, military, and intelligence agencies as customers. The Middlesex, UK-based hard drive maker iStorage lists on its website customers including NATO and the UK Ministry of Defence. South Pasadena, California-based SecureDrive lists as customers the US Army and NASA. And US federal procurement records show that Poway, California-based Apricorn has sold its encrypted storage products—which use Initio chips—to NASA, the Navy, the FAA, and the DEA, among many others.
The encryption features enabled by Initio chips in those drives are designed to protect their data against compromise if the drives are physically accessed, lost, or stolen. But the security of that encryption feature essentially depends on trusting the chip’s designer, cryptography experts warn. If there were a secret vulnerability or intentional backdoor in the chips, it would allow anyone who lays hands on any drives that use them—drives are often marketed for use “in the field”—to defeat that feature. And that backdoor could be very, very difficult to detect, cryptographers note, even on the closest inspection.
“In the end, it’s a matter of trust, whether you actually trust this vendor and its components with all your sensitive data,” says Matthias Deeg, a security researcher at German cybersecurity firm Syss, who has analyzed the Initio chips. “These kinds of microcontrollers are a black box to me and every other researcher trying to understand how this device is working.”
Last year, Deeg analyzed the first firmware of a Verbatim secure USB thumbdrive that uses an Initio chip and found multiple security vulnerabilities: One allowed him to quickly bypass a fingerprint reader or PIN on the drives and access any “administrative” password that had been set for the drives, a master password feature designed to allow IT administrators to decrypt users’ devices. Another flaw allowed him to “brute-force” the decryption key for the drives, deriving the key to access their contents in at most 36 hours.
Deeg says that Initio has since fixed those vulnerabilities. But more troubling, he says, was how tough it was to do that analysis of the devices’ firmware. The code had no public documentation, and Hualan didn’t respond to his requests for more information. Deeg says the lack of transparency points to how difficult it would be to find a hardware-based backdoor in the chips, such as a minuscule component hidden in their physical design to allow for surreptitious decryption.
Stay connected with us on social media platform for instant update click here to join our Twitter, & Facebook
We are now on Telegram. Click here to join our channel (@TechiUpdate) and stay updated with the latest Technology headlines.
For all the latest Technology News Click Here
For the latest news and updates, follow us on Google News.
Denial of responsibility! NewsAzi is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.
