Because the chip’s read-only memory, or ROM, is built into the layout of its physical wiring for better efficiency, Unciphered’s visual model gave it a head start toward deciphering much of the logic of the IronKey’s cryptographic algorithm. But the team went much further, attaching tenth-of-a-millimeter gauge wires to the secure element’s connections to “wiretap” the communications going into and out of it. They even tracked down engineers who had worked on the Atmel chip and another microcontroller in the IronKey that dated back to the 1990s to quiz them for details about the hardware. “It felt very much like a treasure hunt,” says Federoff. “You’re following a map that’s faded and coffee-stained, and you know there’s a pot of gold at the end of a rainbow, but you have no idea where that rainbow’s leading.”
That cracking process culminated in July, when Unciphered’s team gathered at an Airbnb in San Francisco. They describe standing around a table covered with millions of dollars’ worth of lab equipment when a member of the team read out the contents of a decrypted IronKey for the first time. “What just happened?” Federoff asked the room. “We just summited Everest,” said Unciphered’s CEO, Eric Michaud.
Unciphered still won’t reveal its full research process, or any details of the technique it ultimately found for cracking the IronKey and defeating its “counter” that limits password guesses. The company argues that the vulnerabilities they discovered are still potentially too dangerous to be made public, given that the model of IronKeys it cracked are too old to be patched with a software update, and some may still store classified information. “If this were to leak somehow, there would be much bigger national security implications than a cryptocurrency wallet,” Federoff says.
The team notes that the final method they developed doesn’t require any of the invasive or destructive tactics that they used in their initial research. They’ve now unlocked 2011-era IronKeys—without destroying them—more than a thousand times, they say, and unlocked three IronKeys in demonstrations for WIRED.
Cryptic Contracts
None of that, however, has gotten them any closer to persuading Stefan Thomas to let them crack his IronKey. Unciphered’s hackers say they learned from the intermediary who contacted Thomas on their behalf that Thomas has already been in touch with two other potential players in the crypto- and hardware-hacking world to help unlock his USB stick: the cybersecurity forensics and investigations firm Naxo, and the independent security researcher Chris Tarnovsky.
Naxo declined WIRED’s request to comment. But Chris Tarnovsky, a renowned chip reverse engineer, confirmed to WIRED that he had a “meet-and-greet” call with Thomas in May of last year. Tarnovsky says that, in the meeting, Thomas had told him that if he could successfully unlock the IronKey, he would be “generous,” but didn’t specify a fee or commission. Since then, Tarnovsky says that he has done very little work on the project, and that he has essentially been waiting for Thomas to start paying him on a monthly basis for initial research. “I want Stefan to cough up some money up front,” says Tarnovsky. “It’s a lot of work, and I need to worry about my mortgage and my bills.”