Security teardown: MEEM backup for Android
MEEM is a Kickstarter campaign success story: a charging cable that doubles as an automatic Android backup device thanks to a built-in USB flash drive. But what’s the security like?
IT Security Thing has got hold of an Android MEEM in order to perform a security teardown, so let’s find out.
I couldn’t test the MEEM on the ITST stock Nexus 6P handset as there’s no USB-C cable option currently available. Instead, I used a third generation Moto G which still meets the MEEM ‘Droid 4.1.2 minimum requirement.
Before I start this particular teardown, there are three truths to consider:
Android smartphones have become ubiquitous. Being so much cheaper than an iPhone makes them more accessible to larger numbers of users. These users see them as a utility, not a gadget. People like my 85 year old mum who just expects things to work, for example.
There are already plenty of ways to backup data from an Android device. Some are easy enough that the user may even be unaware a backup is taking place. Others, however, require a level of nerdery beyond my old mum.
Cost remains a factor; a very important factor in fact. Photos taken using a smartphone are precious, but few people value them highly enough to pay a yearly backup subscription fee.
Which brings me nicely to the MEEM cable, ticking the usability box if not the cost one. So let’s get that price point out of the way then.
£39.99 for the Android version, essentially a 16GB USB drive incorporated into a charging cable, is too much. Too much for the people who need it most, and that’s the non-nerd user like my mum.
Thank goodness she’s not an iPhone user or she would be looking at £59.99 for the 32GB model they get. These prices need to tumble by half before I would consider them truly value for money.
Let’s assume you are an IT security industry insider who appreciates the value of data protection. The MEEM probably isn’t for you. After all, you will already have your layered data backup strategy neatly in place. However, it may well be for someone you know. In my case, someone like my mum.
The MEEM appears perfect for me to buy her as a gift, and for her to use without even realising it. She might easily forget to back something up manually. She might forget to renew a cloud-based subscription. She might tick the wrong checkbox when it pops up. She bloody well wouldn’t forget to charge her phone, simple as.
So I like the idea of the MEEM in that regard, and setting it up was as simple as plugging it in and downloading the associated app. How securely is that data backed up though? Which brings me to the point of this teardown: security.
OK, first of all there is the obvious security plus in that MEEM does away with the concern over third-party access to your backup. The flash drive forms part of the charging cable, the backup never leaves it, and the cable stays in your possession; no cloud provider ever holds a copy. That’s a plus then.
Of course, backing up data to a USB thumb drive is not exactly new or innovative. Doing it the MEEM way is not exactly cheap either, as I may have already pointed out the odd time or three. That’s a minus to balance things out.
Another plus, though, is that MEEM does incremental backups, which makes for quick runs once the initial data set has been created. In our testing the initial backup ran at roughly six to seven minutes per GB written to the cable’s flash drive, with subsequent incremental backups taking less than a minute each.
Calendar, contacts, messages, music, photos and video are all selected for backup by default. Only some of these are encrypted, using AES (Advanced Encryption Standard), a symmetric cipher, with a 256-bit key. Contacts, calendars and SMS get the encryption treatment, which is good. What is not so good is that no other category of data does: photos, video and music sit on the flash drive in the clear.
IT Security Thing spoke with MEEM CEO Kelly Sumner, who some of you may remember from his days as Take-Two CEO when it launched Grand Theft Auto. We asked Kelly whether the limited set of encrypted categories was purely a backup time/resource issue.
“Yes it is” Kelly told ITST, continuing, “we have, however, identified the route to encrypting all data using hardware without affecting the speed of backup/restore and this is on the milestone development timeline.”
MEEM encryption is currently software based, though, which is a shame. Trying to access the data by plugging the cable into another handset just kicks off an authentication prompt for a four-digit security PIN.
Over to Kelly again. “In the future, encryption will be done in hardware. The product releasing now has a limit of 10 attempts at the PIN. Each unsuccessful PIN entry is remembered by the MEEM cable, even if it is disconnected between PIN entries. So all attacks will be prevented after the 10th wrong attempt. The cable will permanently stop responding to phones after the 10th wrong PIN attempt and will only charge the phone afterwards.”
OK, but what if an attacker got hold of the MEEM cable? A four-digit PIN is only 10,000 combinations, so the attempt limit, and where that counter is stored, carries all the weight. And generally speaking, physical access to a device is game over if the attacker has enough time and skill to throw at it. “The four digit PIN is primarily used to authenticate a new phone (and indirectly, its user) being connected to MEEM,” Kelly explained, “the 4 digit PIN is never directly used to generate the real key used for data encryption.”
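To make the distinction Kelly draws concrete, here is a toy model of that design, added for this article; it is not MEEM’s code and assumes nothing about the cable’s real file layout or algorithms. The PIN derives only a key-encryption key that unwraps a separate random data key, and failed attempts are counted in the same persistent state, so a guess-through-the-interface attacker is stopped after ten tries. The second attacker function shows why that is not the end of the story: anyone who can read the flash contents directly runs the same check offline and the counter never comes into it, which is exactly the gap hardware-enforced key handling is meant to close. The XOR-with-HMAC keystream stands in for AES key wrapping so the example runs with the standard library only, and the PBKDF2 iteration count is deliberately low so the offline loop finishes in seconds.

```python
import hashlib
import hmac
import os
import secrets

# Toy PIN-gated vault (illustration only, not MEEM's implementation).
MAX_ATTEMPTS = 10
ITERATIONS = 500  # deliberately low so the offline demo below runs fast


def _kek(pin: str, salt: bytes) -> bytes:
    """Derive a key-encryption key from the PIN. Only the KEK depends on the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS, dklen=32)


def _keystream(kek: bytes, n: int) -> bytes:
    """Expand the KEK into n bytes of keystream (toy stand-in for AES key wrap)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(kek, b"wrap" + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def create_vault(pin: str) -> dict:
    """The data key is random and never derived from the PIN; the PIN only wraps it."""
    data_key = secrets.token_bytes(32)
    salt = os.urandom(16)
    kek = _kek(pin, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, _keystream(kek, 32)))
    tag = hmac.new(kek, wrapped, hashlib.sha256).digest()  # lets unlock() tell a wrong PIN
    return {"salt": salt, "wrapped": wrapped, "tag": tag, "attempts": 0, "locked": False}


def unlock(vault: dict, pin: str):
    """Return the data key for a correct PIN, else None, counting failures persistently."""
    if vault["locked"]:
        return None  # permanently locked: the cable "only charges the phone afterwards"
    kek = _kek(pin, vault["salt"])
    expected = hmac.new(kek, vault["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        vault["attempts"] += 1  # lives in the vault state, so it survives unplugging
        if vault["attempts"] >= MAX_ATTEMPTS:
            vault["locked"] = True
        return None
    vault["attempts"] = 0
    return bytes(a ^ b for a, b in zip(vault["wrapped"], _keystream(kek, 32)))


def online_guesses_until_lockout(vault: dict) -> int:
    """Attacker who only has the unlock() interface: guessing stops after MAX_ATTEMPTS."""
    tried = 0
    for guess in range(10000):
        if vault["locked"]:
            break
        unlock(vault, f"{guess:04d}")
        tried += 1
    return tried


def offline_brute_force(vault: dict):
    """Attacker who dumped the flash contents: the attempt counter is never consulted."""
    for guess in range(10000):
        pin = f"{guess:04d}"
        kek = _kek(pin, vault["salt"])
        tag = hmac.new(kek, vault["wrapped"], hashlib.sha256).digest()
        if hmac.compare_digest(tag, vault["tag"]):
            return pin
    return None


if __name__ == "__main__":
    vault = create_vault("2580")  # constructed sample PIN
    print("online guesses before lockout:", online_guesses_until_lockout(vault))
    print("correct PIN after lockout unlocks?", unlock(vault, "2580") is not None)
    print("offline brute force of a dumped vault recovers:", offline_brute_force(create_vault("2580")))
```

The online path does what Kelly describes: ten wrong guesses and even the right PIN is refused forever. The offline path is the caveat: with the counter and the wrapped key sitting together on a flash chip, the lockout only binds attackers who politely go through the interface. A real-world version would also use a far higher iteration count and a proper AES key wrap, neither of which changes the conclusion that the counter needs to be enforced somewhere the attacker cannot simply read past.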
Ultimately then, and to conclude, the MEEM has a lot going for it. Not least that it imposes a practical backup regime on users who might otherwise simply not bother. That is a good thing, no doubt about it. This helping hand does not come cheap, though, and our impression is of an interesting (and expensive) work in progress right now.
The comments about hardware encryption in the development timeline by Kelly Sumner are food for thought. On the security front we’d therefore say that MEEM is an iteration or two away from a big thumbs up.
That said, will I be giving this to my mum in order to protect her photos and contacts? You betcha. The interface is a bit swipey if you start digging into it, but works well enough just left alone.
Hardware encryption is better than software, but software encryption is better than none. You get the idea. The MEEM target market will be less forgiving than IT Security Thing, and cost apart there’s little to criticise.