Vulnerability

One-Step Backup

Affected

Systems using Iomega One-Step Backup 5.30 and prior

Description

Aberrant found the following. While playing with his new Iomega Jaz 2GB drive, he found an interesting (disturbing) "feature" in the One-Step Backup program that ships with the drive (and is also available, presumably for Iomega's other products, on their web site).

In the backup configuration dialog, there's a "security" tab that allows the user to specify a password to limit access to the backup file that is stored on the Jaz disk. Curious as to what encryption they used, mnemonix checked the final backup file and was dismayed. The password appears after the description of the backup (another user field), "encrypted" using the following formula:

    E = P xor 0x1f

where "P" is a byte of the plaintext password and "E" is the corresponding byte of the stored "encrypted" password.

You can grab this very easily by doing an "od -c" on the backup file. The password is the first nonzero block past the description (and a 001) and usually resides around offset 0470 (octal). This formula works in every case tried (alphanumerics, special chars, etc.).

Incidentally, it appears that the password is used solely for access control; the rest of the backup file appears to be unencrypted (though compressed at the user's option).

Solution

No solutions at the time.
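The following Python sketch is an added example, not code from the advisory or from Iomega. It shows why the formula in the Description gives no protection (XOR with a fixed byte is its own inverse) and contrasts it with storing a salted PBKDF2 verifier. The function names, the sample password and the verifier layout are assumptions made for illustration.

```python
import hashlib
import hmac
import os

XOR_KEY = 0x1F  # fixed byte from the advisory's formula E = P xor 0x1f


def obfuscate(password: bytes) -> bytes:
    """Stored form as the advisory describes it: each byte XORed with 0x1f."""
    return bytes(b ^ XOR_KEY for b in password)


def recover(stored: bytes) -> bytes:
    """XOR with a constant is its own inverse, so the stored field yields the password."""
    return bytes(b ^ XOR_KEY for b in stored)


def make_verifier(password: bytes, iterations: int = 600_000) -> dict:
    """Hardened alternative (assumed design): keep only a salted PBKDF2 verifier."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_password(candidate: bytes, verifier: dict) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate, verifier["salt"], verifier["iterations"]
    )
    return hmac.compare_digest(digest, verifier["digest"])


if __name__ == "__main__":
    sample = b"Jaz2GB!pw"  # constructed sample password, not taken from any real backup
    stored = obfuscate(sample)
    print("stored (hex):", stored.hex())
    print("recovered   :", recover(stored))
    verifier = make_verifier(sample)
    print("verifier ok :", check_password(sample, verifier))
    print("wrong pw    :", check_password(b"guess", verifier))
```

A verifier only addresses disclosure of the password; as the advisory notes, the backup data itself is stored unencrypted, so protecting the contents would additionally require encrypting the data with a key derived from the password.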