Pocket PC FAQ Forums Forum Index Pocket PC FAQ Forums
The place to discuss Windows Mobile, Pocket PCs, Smartphones, Handheld PCs, Windows CE and More!
 

Storage file is not always encrypted??

 
Pocket PC FAQ Forums Forum Index -> AirScanner Mobile Encrypter
jgoggan
Pocketeer


Joined: 07 Mar 2006
Posts: 10

Posted: Thu Nov 02, 2006 1:20 pm    Post subject: Storage file is not always encrypted??

I just came across something that concerns me greatly about this product. Just for fun today, I copied off the .vol file that is supposed to be the encrypted version of the data and opened it with a hex editor. All of my data was clearly in the file and NOT encrypted! How could this be happening??

So, just for testing, I did this:

1. Went into the app and created a new mount called "TEST" on my SD card. It mounted it.

2. Copied two JPEG images and a text file into the TEST directory on the SD card.

3. Dismounted the TEST volume.

4. Copied the TEST.vol file to my PC and opened it with a hex editor. It was all encrypted garbage -- just like I would expect.

5. Mounted TEST again.

6. Copied another JPEG into the TEST directory.

7. Dismounted TEST again.

8. Copied the TEST.vol file again to my PC and opened it with a hex editor. THIS TIME IT WAS COMPLETELY READABLE!

In other words, when I created the volume the first time, it was encrypted as expected. But after I later remounted it and added more data to it, the file was left UNENCRYPTED even though it was supposed to be!

This is very repeatable for me. I just grabbed 4 old .vol files from an old SD card that I had been using and ALL of them were UNENCRYPTED, PLAINTEXT!

What the heck is going on here?? This seems to be a SERIOUS flaw!

- John...

P.S. Note that it didn't seem to matter if I used the "global" password or assigned individual passwords to my volumes. I tested both ways and both became unencrypted .vol files after I had remounted and dismounted them a couple of times.
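The hex-editor check described in the post above can be automated. The following is an added example, not part of the original thread and not AirScanner code: it flags a supposedly encrypted container that still holds recognisable plaintext. The function names, the 4096-byte block size, the 7.0 bits/byte threshold and both sample inputs are assumptions constructed for illustration.

```python
import hashlib
import math
import re

BLOCK = 4096
# JPEG start-of-image followed by a JFIF/Exif segment, and 32+ printable bytes in a row.
JPEG_HEADER = re.compile(rb"\xff\xd8\xff[\xe0\xe1][\x00-\xff]{2}(?:JFIF|Exif)\x00")
TEXT_RUN = re.compile(rb"[\x20-\x7e\r\n\t]{32,}")


def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte; good ciphertext is close to 8.0."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    return -sum(c / len(block) * math.log2(c / len(block)) for c in counts if c)


def audit_volume(data: bytes, min_entropy: float = 7.0) -> dict:
    """Collect signs that a supposedly encrypted container holds plaintext."""
    low = [off for off in range(0, len(data), BLOCK)
           if len(data[off:off + BLOCK]) >= 256
           and entropy(data[off:off + BLOCK]) < min_entropy]
    # Compressed JPEG data is itself high-entropy, so headers are searched separately.
    jpegs = [m.start() for m in JPEG_HEADER.finditer(data)]
    text = [m.start() for m in TEXT_RUN.finditer(data)]
    return {"low_entropy_blocks": low, "jpeg_headers": jpegs, "text_runs": text,
            "looks_encrypted": not (low or jpegs or text)}


def constructed_samples() -> tuple:
    """Build two constructed inputs: ciphertext-like bytes and a plaintext volume."""
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))
    plain = (b"\x00" * 8192                                          # empty filesystem area
             + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + noise[:4085]    # start of a JPEG
             + b"Notes copied into the TEST volume.\r\n" * 6)        # a text file
    return noise, plain


if __name__ == "__main__":
    labels = ("ciphertext-like sample", "plaintext-like sample")
    for label, sample in zip(labels, constructed_samples()):
        print(label, audit_volume(sample))
```

To check a real container, pass the bytes of the dismounted file (for example `open(path, "rb").read()`) to `audit_volume`. A clean result only means no obvious plaintext was found; it says nothing about the strength of the encryption.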
air1
Pocketeer


Joined: 26 Feb 2003
Posts: 62

Posted: Thu Nov 02, 2006 4:11 pm

Thanks John,

I appreciate your bringing it up. There was a security bug, but it was fixed (see the recent press release).

Can you tell me what version of the encrypter you are using? We need to check this ASAP. Thanks for your help.

Also, did you verify that you dismounted (encrypt) the .vol at the end of your test? I'm sure you did, but I want to check.
jgoggan
Pocketeer


Joined: 07 Mar 2006
Posts: 10

Posted: Thu Nov 02, 2006 5:07 pm

air1 wrote:
Thanks John,

I appreciate your bringing it up. There was a security bug, but it was fixed (see the recent press release).


Ah -- I see that there is a v2.9. I actually checked the download section before posting to make sure I was on the latest version, but couldn't find any version information there. Now that I see the press release, I see that I am behind apparently. Am I missing a place besides the press releases that indicates the current version and where to get it to upgrade? As a suggestion, I think the current version should be prominently listed on the product page(s)...

Quote:
Can you tell me what version of the encrypter you are using? We need to check this ASAP. Thanks for your help.


I am running v2.7. I'll try to upgrade to the new v2.9 tomorrow. Thanks.

Quote:
Also, did you verify that you dismounted (encrypt) the .vol at the end of your test? I'm sure you did, but I want to check.


Yes, I made sure it was dismounted first in all of my testing.

- John...

P.S. Your press release says that it is v2.9, but then says to "completely remove any previous version before installing version 3." I assume this is a typo, yes?
air1
Pocketeer


Joined: 26 Feb 2003
Posts: 62

Posted: Thu Nov 02, 2006 6:24 pm

Thanks for the correction, yes, v2.9 is the correct version.

The bug in 2.7 was due to a dismounting issue on some storage card formats. It has been fixed in 2.9.

v.2.9 has been tested on approx 100,000 devices, and no problems yet. But we remain vigilant.

In the future, you are always welcome to contact us privately if you find a security bug. Sometimes it helps to have a couple days to fix things before a public vulnerability release.

Thanks John for helping us.
jgoggan
Pocketeer


Joined: 07 Mar 2006
Posts: 10

Posted: Fri Nov 03, 2006 11:31 am

Thanks -- and, next time, I'll indeed just email directly if it is a security concern.

However, I seem to have another problem. I can't import my old .vol file now that I have upgraded to v2.9. When I try to import, it says that it is not a valid Encryptor volume.

Not a huge deal because I have a backup -- but I can see some people really freaking out if they upgraded and then couldn't import their v2.7 .vol files.

Note that it seems to recognize the password. If I purposely put in an invalid password, it says: "The password entered is invalid or blah.vol is not a valid Encryptor volume" -- but if I put in the right password, it just says "blah.vol is not a valid Encryptor volume." So, it knows that the password is right -- but still doesn't think it is a valid .vol file to import.

- John...
jgoggan
Pocketeer


Joined: 07 Mar 2006
Posts: 10

Posted: Fri Nov 03, 2006 11:33 am

Oh - I see now. After more testing, it is the ones that aren't really encrypted (that I was complaining about above) that won't import. This makes some sense now since they are indeed "funny." But, since this was a known bug, I would think that the importer would need to be written to handle it. Basically, it appears that it can't import the non-encrypted .vol files (which are supposed to be encrypted, but weren't because of the bug you mentioned previously).

Just to pass that along...

- John...
air1
Pocketeer


Joined: 26 Feb 2003
Posts: 62

Posted: Fri Nov 03, 2006 11:44 am

Thanks,

You are right about that with previous volumes. The new version (2.9) should now have forward-compatibility with future versions.
All times are GMT - 8 Hours
Copyright 2001-2010, Chris De Herrera, All Rights Reserved
