Sprites mods has a very nice in-depth hardware security review of the Disk Genie hard drive. The first problem seems to be how easily the device is opened. The next failure comes from how it indicates failures to the attacker. Spoiler alert: here are the conclusions.
If you’re just a generic Joe Blow who wants to make sure your private pictures don’t get viewed by your collegues or kids, you’re golden. The fact that the there’s no way a software-only attack can get the pincode means that some hardware-experience is needed to start hacking the device, and that will deter casual onlookers enough to make the device completely safe for curious neighbours or collegues, even if they are smart enough to, for example, install a keylogger on your PC.
If you’re a business-person with actual info to hide, info that could financially benefit other parties… you can still use this, but make sure to pick a strong pincode. More than 11 digits should do, depending on how badly others want the data.
If you’re, say, the president of a nuclear country and want to use this to carry around the launch codes of your nukes, I wouldn’t recommend this device. While the thing is safe for a casual hacker like me, someone with money or the resources to de-cap chips can probably get to the data fairly easy: the PIC which contains the keys to the HD is not a secure device and when decapped under a microscope in a laboratory can probably be made to give up that key fairly easily.
Is that a qualified hint to the Pentagon or just an example?
Personally, I don’t like this review. It seems as if the reviewer doesn’t understand the nature of industrial espionage. If your a “business-person with actual info to hide, info that could financially benefit other parties”, you do NOT want to use this device. The biggest threat here is shoulder-surfing, which most spies are great at. Businessman is shadowed by a few people, enters his pin in a hurry a bit too visibly, and they steal the drive later.
Spies also usually have covert video or listening devices. They would just bug the room or location where the businessman usually accessed the data to see the PIN entry. As for technical attacks, a hardware keylogger in form of tiny PIC SOC shouldn’t be hard for even amateur hardware hackers. EMSEC via passive EMF or power line analysis should also work on a non-TEMPEST device. The only way this thing could be secure against most spies if it’s never in their possession, requires a crypto-ignition-key-like fob to be inserted, and requires a pin. Then, the spies would ignore the hardware and the defender would have to beef up the other aspects of data protection.
For people protecting high value assets, well, it’s better if they aren’t mobile. Mobility just presents so many risks. Hashing and encrypting critical data for transport between secure facilities is OK, but it’s better if it’s not accessed on the go. If it is, then a thin-client netbook with restricted access over a VPN is a good idea. Password-protected BIOS, TPM trusted boot, read-only boot media, hardened OS, no firewire and any unused (eg USB) connectors filled in with something hard to remove. As for tamper-resistant storage, IBM and Safenet both make some very good cryptocards that make things a bit more difficult for thieves. They aren’t cheap, though.