Discussion in 'Reviews' started by Darksaber, Mar 6, 2010.
To read this review go to: http://www.techpowerup.com/reviews/Corsair/Padlock_2_8GB/
Very unique product. I use a lock drawer and encryption as well. Generally does pretty well. This looks promising but it is too small, and too expensive.
Edited the review for some last minute "insights"...
That was quite a drop in score! Oh my it even lost the good value tag! Hope that is not because of me. What worries me the most is:
"Two minute timeout can be easily circumvented, allowing for a continuous brute force attack"
Also, wow 5 digits, hmm well I can crack that in... No time.
you have to realize, while there are 5 digits to choose from, the PIN length is unaffected with up to 10 numbers, just narrows it down a lot as you know in a PIN of the maximum length not every number is unique and there are repetitions. Fact is that if you advertise a product with number 1-5 only it comes across as insecure and does not convey that peace of mind. Corsair is giving the user the 10 different digits on the casing but in reality is dumbing it down inside - not very cool.
let's do some math here (correct me if i'm wrong please)
the total number of combinations advertised is:
10^4+10^5+10^6+10^7+10^8+10^9+10^10 = 11,111,110,000 = 11 billion
the actual number of combinations with 5 keys instead of 10 is:
5^4+5^5+5^6+5^7+5^8+5^9+5^10 = 12,206,875 = 12 million
so basically a factor of 1000 difference!
in the review we have seen that it is possible to circumvent the lockout timer, which means you could hook up some kind of bruteforce device (like in the movies) .. using a conservative 10 keys per second without lockout timer:
11 billion * 0.1 seconds per key = 1.1 billion seconds = ~12,700 days
12 million * 0.1 seconds per key = 1.2 million seconds = ~13.8 days
Since you have 10 digits, with 10 (or in this case 5) possibilities per digit, isn't it:
10^10 or 10*10*10*10*10*10*10*10*10*10 (10 000 000 000)
5^10 or 5*5*5*5*5*5*5*5*5*5 (9 765 625)
Still, your factor 1000 difference is about correct, but <10 million unique combinations is even worse
you can have 4 to 10 digits in your pin
Ah yeah, I missed that.
Maybe you should test whether a PIN of 0000000000 is the same as 0000
interesting question .. darksaber will be home later today to test this .. i am also wondering if the device reports "wrong code" after the exact same number of digits as the actual pin ?
this could be used to guess the pin length, potentially reducing the number of possible pins by over 95%
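The keyspace arithmetic from the posts above, as an added example (not code from the thread, the review or Corsair): it sums the PIN counts for lengths 4 to 10, compares exhaustion time with and without an enforced lockout, and shows how much of the space is left once the PIN length is known. The 0.1 s per attempt and the two-minute timeout come from the thread; five attempts per lockout is an assumed value, since the thread does not state it.

```python
MIN_LEN, MAX_LEN = 4, 10        # PIN length range stated in the thread
SECONDS_PER_DAY = 86_400


def keyspace(symbols, lo=MIN_LEN, hi=MAX_LEN):
    """Count every PIN of length lo..hi over `symbols` distinct digits."""
    return sum(symbols ** n for n in range(lo, hi + 1))


def days_to_exhaust(pins, secs_per_try, tries_per_lockout=None, lockout_secs=0):
    """Worst-case days to try every PIN.

    If tries_per_lockout is given, an enforced pause of lockout_secs
    follows each full batch of wrong attempts.
    """
    total = pins * secs_per_try
    if tries_per_lockout:
        total += (pins // tries_per_lockout) * lockout_secs
    return total / SECONDS_PER_DAY


def share_left_if_length_known(symbols, length):
    """Fraction of the full keyspace that remains once the length leaks."""
    return symbols ** length / keyspace(symbols)


if __name__ == "__main__":
    for symbols in (10, 5):
        pins = keyspace(symbols)
        print(f"{symbols} digits: {pins:,} PINs")
        print(f"  no lockout, 0.1 s/try: {days_to_exhaust(pins, 0.1):,.1f} days")
        # Assumed policy: 5 wrong tries, then the two-minute timeout.
        enforced = days_to_exhaust(pins, 0.1, tries_per_lockout=5, lockout_secs=120)
        print(f"  lockout enforced:      {enforced:,.1f} days")
        for length in (MIN_LEN, MAX_LEN):
            left = share_left_if_length_known(symbols, length)
            print(f"  length {length} known: {left:.6%} of the space remains")
```

The lockout term dominates the total, which is why a timeout that can be bypassed removes most of the protection, and the length leak matters far more for short PINs than for long ones.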
Well, I guess you have to press the "key" button to verify your PIN, but that could still mean that "12345" could pass when your PIN is "1234"...
I was just playing today with the first generation of Corsair Padlock. I have a 1GB flash and I am using for a WIN PE environment. It is quite nice.
Question: how do you change the battery to the new Padlock?
The Padlock 2 acts correctly. It does differentiate in the actual length of the PIN. Just tried it. Thus, 0000 != 000000000.
You don't. If your battery runs out, it can be recharged by plugging it into the PC for about an hour. If it is completely dead, the Padlock 2 falls under warranty.
If the wrong PIN is entered, the red light flashes, no matter if the wrong PIN is of equal length as the correct one or not. Thus there is no way to figure out how long the PIN is, as you have to press "Key", then enter your code, then press "Key" again.
Thanks for clearing those things up Darksaber.
I should also mention, that even though you could design a circuit that cuts off battery power and checks for data accessibility after every PIN entry, you will still have to enter the PIN manually. This means that, while a brute force is still possible, it would take much longer than just a few minutes.
Let me clear up some errors
5 hardware buttons does not mean 5 digits to choose from. Pushing a button twice gets you the second digit assigned to that button, so 10 digits are available. With programming you can assign as many "digits" to one button as you want. They could have used one button (press it 5 times to enter a five, for example) but it would have been a major PITA to enter a pin so they used more buttons to make entering the pin easier. Easiest of all would be to have one button per digit, but they don't have room for that on the small package.
The pin can be 4 to 10 digits long. The total number of combinations available is ALL of the 4 digit pins + ALL of the 5 digit pins plus... ...ALL of the 10 digit pins.
Since digits can be repeated in the pin, any pin digit can be any of the 10 digits. That means there are 10x10x10x10 possible 4 digit pins. (10000 = 10^4 possible combinations). To make this simple, adding each digit to lengthen the pin simply multiplies the number of combos by 10.
So for a 4 digit pin, there are 10000 (=10^4) combos, for 5 digit pin, there are 10^5 combos. So here it is: the total number of possible pins is 10^4 + 10^5 + 10^6 + 10^7 + 10^8 + 10^9 + 10^10. My brain tells me there are 11,111,110,000 possible combinations.
The data is stored in the memory chip encrypted- there would be no point in encryption if the data were stored clear. The old version of this device was hardware hackable apparently by telling the cipher chip that a valid pin had been entered even when it hadn't- an unbelievably silly weakness in the design. Covering the chips with epoxy makes it more difficult to access the PCB, but not terribly difficult. A moderately determined attacker with simple tools will be able to clean off the epoxy. Did they use the same chips with the same weakness or did they change the design? Only time will tell.
A real secure device would include mechanical interlocks designed into the package that will do physical damage to the device if it is opened - releasing acid, explosive charge, incendiary, etc., but you'd probably only find that level of security in very expensive military and intelligence agency devices.
This thing looks like a bargain at $50, even if they merely covered the old PCB with epoxy. It's like locking your bike- you don't need the best available lock- it just has to be a little better than those on the other bikes around yours.
this fact is not mentioned anywhere (corsair website, padlock 2 faq, user manual, quick start guide) so i really doubt it is true
My flash drive is only blinking red. What's the problem? Reset password is not working, not working with the instructions. Please help.