Cléxi "Smart" SSD, Actually, or Wannabe?

So the founder of IDmelon, a FIDO device that is interesting in its own right, also founded Cléxi, the self-proclaimed "1st Smart Secure SSD"*. Since I kinda liked what they did with IDmelon, I got myself one, so let's look at it.

Note: I am going to drop the é for a normal e in further mentions because it's easier to type; they aren't consistently using it themselves either.

* according to their Kickstarter; on Twitter they also called it "THE WORLD'S 1st EXTERNAL SMART STORAGE".

The Premise

(Promotional image showing the outside and inside of a Clexi drive in a split view; source)

By "Smart" they specifically mean these things:

  • Hardware encryption, with unlocking via your phone (biometrics or any of your normal lock-screen methods)
  • Remote Wipe (exactly what it says on the tin) and Remote Freeze (locking the drive remotely rather than doing a full wipe)
  • Find My Clexi (shows where a drive was last unlocked)
  • Sharing the encrypted drive with others

Other advertised features that don't fall under the Smart umbrella are:

  • being very light and small SSD-based storage, thanks to a 2242 form-factor SSD, which is a lot smaller than the more common 2.5-inch or 2280 form factors
  • plug and play, i.e. no software needed on the host the Clexi is connected to, so it works on practically anything, be it a TV or some other crazy thing, which is great (it may not be usable as a boot drive without trickery though: unlocking takes a moment after the drive gets power, usually longer than the firmware waits before moving on or stops accepting newly appearing drives as boot candidates, and some devices cut USB power even on a soft reset)

Is it a good idea to IoT this?

Having been burned reading about "Smart" technology and IoT often enough, there are obviously plenty of worries about things like this:

  • how long is this going to be supported?
  • what happens after support ends?
  • am I totally bound to the maker with no way out?
  • what if the maker decides to make the thing inherently worse later on?
  • what if the maker cannot continue supporting it due to bankruptcy or a buyout?

and so on.

The Campaign

Worries aside, it SERIOUSLY didn't help that several things went unmentioned during their campaign until someone specifically asked, which really is NOT how things should be; and some other things are still not great even after the campaign.

  • Using Clexi requires an account with Google, Facebook or Apple; the former two especially are NOT known for being privacy-conscious, both in general and regarding the minimum data handed over by the login (both provide a globally identifying piece of data; Facebook, last time I checked (several years ago), at least tried app-scoped user IDs, although any registered Facebook user could resolve them via the URL bar of their browser)
  • Several actions require an internet connection:
    • registering a Clexi for the first time
    • switching your unlock device (they say phone, but a tablet works too)
    • using a shared Clexi (one of the few actions where I can actually understand the need for internet, because sharing needs to be revocable)
    • when the session "expires" (no idea what the conditions for that are) you need to log in again
  • Several things will require a subscription starting half a year in; the comments mentioned it is supposed to be $6 per year (Canadian, I assume, since they are from Canada), locked in for 3 years, although what happens after those 3 years is obviously unclear:
    • sharing
    • Find My Clexi (likely including Remote Wipe/Freeze)
  • contradictory or otherwise bad communication:
    • replacing your phone was originally described as an offline operation, yet it needs internet
    • in the same comment phone switching was said to be free, yet their panel clearly lists it as a subscription feature (in fact the only one; sure, it's clearly early stage, but they could at least have written "sharing" or whatever instead of something that plainly contradicts what they said previously)

Part of the subscription section in the Clexi panel: clearly early stage, but it lists phone switching as a feature of the subscription. Let's just hope this is a really elaborate typo.
  • answering "we never said otherwise" when confronted about something not-so-awesome (like the forced social login). While literally true, they had indirectly said (slightly above where that link lands you) that an account wouldn't be needed for simple use without the online side. That same comment also says phone switching is free and wouldn't need an account, so that's another one.
  • promoting the drive with absolutely meaningless terms like "military grade encryption". That's nothing special: if you are reading this blog post on a computer over HTTPS, chances are your browser is using basically the same "military grade" AES right now. Or making statements that make no sense, e.g. the comparison against cloud storage says the cloud account could be hacked or the password leaked, while on Clexi "access is impossible without your authentication". As established, that authentication goes through the account on the Clexi service, which is just as hackable and leakable. The point they should have made is that access is impossible without physical possession of the Clexi drive, even if the account leaks.
  • totally overblowing the comparisons, like "struggle to enter password or scan fingerprint" for existing secure storage versus "fast and easy unlock through your smartphone" for Clexi. What are the most common ways to unlock a phone? A PIN/password and biometrics. So why is scanning a fingerprint on your phone so much easier than on a Samsung T7 Touch or whatever (I don't have one, it's just the first SSD with a fingerprint reader that comes to mind), or entering a PIN/password on any other secure storage?
  • offering untracked shipping by default at a price that seems quite high (€15 plus a €5 add-on for tracking, China to Germany via China Post) compared to options that are better in many ways for a different item of similar origin, size and weight (a Switch game from Japan shipped via DHL Express with the very nice DDP style of shipping, where taxes are paid in advance, which makes things easier and avoids extra costs)
  • wrongly declaring the prices (in USD rather than Canadian dollars), which increased what we had to pay, if only by a little.
  • trying to win money and backers with tactics I consider at the very least questionable, like cashback referrals, and cross-promoting projects that are questionable themselves: according to comments by (former) backers of those projects, their makers had past projects that went really badly, or even faced allegations of stealing a design.
  • reading the Kickstarter comments, Clexi's replies sometimes seem off: according to backers, Clexi replied with information contradicting the tracking, or just said "all is okay, the package is still on its way" while the tracking said "unknown" or even "return to sender", which obviously seems weird.

There have also been enough things that are really not Clexi's fault and still went badly, like shipping taking half an eternity, likely due to corona and such; that makes things more annoying, but as said, these are REALLY NOT the fault of Clexi or its makers.

The actual Product

Ranting about the stuff that doesn't matter TOO much aside, let's get to the actual product.

  • It can be ordered in capacities of 128GB, 512GB and 1TB
  • The 1TB model reports as 953 GiB (953.85 GiB according to the Disk Management utility), which is more than any "1TB" storage device I've seen so far (usually it's around 931 GiB): 953.85 GiB works out to roughly 1,024 × 10^9 bytes, so this is a 1024 GB part rather than a 1000 GB one. h2testw, after a few tries and falling back to USB 2, showed no issues
  • It supports USB 3 (if it didn't, that would be an issue) via a USB-C plug, which is a ton better than micro-USB 3 (usually just annoying)
  • By default it comes with a USB 3 A-to-C cable; a C-to-C cable could be ordered as an add-on
  • It contains a KingSpec NT-2242 SSD (M.2 SATA) with "3D TLC" flash (on the 1TB model at least, but I doubt they use a different model line for the others); the spec sheet is downloadable from their website
    • According to their website the life expectancy is 87 TBW for the 128GB model (679.7× the drive size), 349 TBW for the 512GB model (681.6×) and 698 TBW for the 1TB model (juuust in case it isn't obvious, that's 698×), so endurance relative to capacity is about the same across models
  • It features a bunch of LEDs around the X that show the drive's status: not yet registered, looking for the phone to unlock, unlocked, and so on
  • It features a "Tap" feature using BLE tricks so that it can only be unlocked when your unlock device is very close (more on that later)
  • They actually delivered; it took a while longer than scheduled, but especially during a chip shortage I have to say the target date was too ambitious and stuff happens
  • While unfinished, the basics (using the encrypted drive, sharing it (with some restrictions) and switching between devices) already work well, even if it's still quite unfinished in many ways (more about that later)
  • While locked it doesn't announce itself to the computer at all, so the host sees no storage device to probe or attack until you unlock it, which avoids several types of attacks on a locked device
  • It uses BLE trickery rather than NFC for the proximity check, which widens the range of usable devices quite significantly: my Galaxy Tab S6 Lite supports BLE but not NFC, and the iPhone 6S series at least had no practical NFC capability outside Apple Pay; also, if they want, they could make the "tap" unnecessary
    • The Tap feature also ensures you cannot accidentally unlock the wrong Clexi in a group of Clexis, say if an attacker swaps your Clexi for theirs and tries to get you to unlock it (which is already very hard to pull off: you need a Clexi, enough proximity in the first place, and the right timing, as the Clexi shuts itself off after searching for a device for too long and a button has to be pressed to search again)
  • There is a mode where the Clexi stops doing the authentication and mostly acts as a "normal" drive (I doubt it actually removes any crypto though, as switching is far too fast for re-encrypting a whole drive)
  • It's a little tricky to figure out how at first, but it can actually be opened quite easily with thin picks like those from iFixit, for example to swap the SSD (despite the all-clip construction the clips don't seem to break quickly, and swapping the SSD had previously been mentioned as supported)
  • It all obviously seems unfinished; when I checked:
    • the freeze feature didn't work at all
    • sharing had no option to set how long a share is usable; it's a static 1 month and only 5 unlocks
    • once started, a share is completely unmanageable: you cannot revoke it or even see who you shared with
    • you cannot have multiple unlock devices connected to one Clexi at a time, which is one part where things get annoying
      • the inverse, managing multiple Clexis from one account, seems to be a supported scenario though
      • a single unlock device can be argued for, as you'd notice someone had been on your Clexi by the app no longer working offline (although notifications could cover that as well, and optionally nuking old keys on a Clexi could be added later)
  • It needs an account with Facebook, Google or Apple; plain email sign-up is not accepted (which sucks, especially for sharing)
    • for sharing it would be nice to not even need a proper account, with the Clexi app basically blank except for the share-access functions
  • the Tap feature can get really annoying when it's finicky, like figuring out where to tap on larger devices, or always having to get extra close to the drive in general, which is no fun when your USB ports are less than ideally accessible
  • If you disable authentication, re-enabling it wipes the Clexi completely, which in my opinion is really not fun
    • This is especially annoying when you want to boot something off your Clexi: sadly many devices (especially laptops) reset USB power when rebooting, even via Ctrl+Alt+Del, which locks the Clexi, and you are VERY unlikely to unlock it quickly enough to be seen by POST and the general boot process
  • There seem to be some real heat issues, which is not fun especially on USB 3; maybe that affected one of my h2testw runs, not sure
  • Not sure if others have this problem, but sometimes after a period of inactivity the Clexi disappears from Windows and won't come back; maybe a standby issue
  • With Android 12 at least I sometimes have detection problems, maybe because the device sees "something" connected (by nature of it pulling USB power) and doesn't properly re-scan for the drive once it's unlocked

A Better Way?

In my opinion a better shape for the Clexi encryption model would have been:

  1. The Clexi app has an OPTIONAL account setup.
  2. When setting up a Clexi you get a backup code that always gets you into that Clexi's setup (including decrypting the drive manually if the Clexi PCB dies).
    • This could be a QR code and/or a BitLocker-style text tile containing an identifier randomly generated at setup of that Clexi (to tell which Clexi the key belongs to) plus the key itself.
    • The backup key can be printed out or stored somewhere safe.
    • There could even be multiple keys, e.g. one for app pairing and another as the super-emergency key, i.e. the encryption master key.
  3. Pairing depends on the Clexi hardware's key-storage capabilities.
    • Ideally there is room for at least a few "unlock keys"; a valid signature under one of them tells the chip to unlock the drive or to change one of however many on-disk settings.
    • There should also be a way to manage the known unlock keys (ideally with something like a model name or the time they were added; a trustworthy timestamp would need internet and a signed timestamp, so that should definitely be optional).
  4. To unlock, the phone connects to the Clexi and sends a signed unlock request, upon which the Clexi opens the drive.
  5. For emergency decryption (e.g. a broken Clexi with an intact SSD) an open-source tool must be available that relies on no server access whatsoever: slot in the SSD, enter the encryption key, access the data.
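To make the five steps above concrete, here is a small model of that scheme in Python. This is an added illustration, not Clexi's firmware or app code, and everything in it is an assumption of mine: the controller keeps a registry of per-phone pairing secrets; the phone proves possession of one with an HMAC over a fresh nonce issued by the drive (a stand-in for the asymmetric signature a real design would use, so the drive would only need to hold public keys); the data encryption key (DEK) is wrapped under a key derived with scrypt from the printed backup code, and that wrapped blob lives on the SSD so an offline tool can use it. Names like `ClexiController`, `offline_recover` and the `clexi-unlock|` domain string are made up for this example. Standard library only.

```python
"""Model of the account-optional unlock and recovery scheme sketched above.
Added illustration, not Clexi code. Assumptions: pairing secrets in a registry
on the controller, HMAC challenge-response instead of a real signature, DEK
wrapped under an scrypt-derived key from the printed backup code."""
import base64
import hashlib
import hmac
import secrets
import time

CODE_BYTES = 16  # 128-bit backup code, shown to the user as base32 groups


def format_backup_code(raw):
    """Render the raw code as dash-separated base32 groups, like a BitLocker text tile."""
    s = base64.b32encode(raw).decode().rstrip("=")
    return "-".join(s[i:i + 4] for i in range(0, len(s), 4))


def parse_backup_code(code):
    s = code.replace("-", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def kek_from_code(raw_code, salt):
    """scrypt makes brute-forcing a stolen recovery blob expensive; 64 bytes = enc key + MAC key."""
    return hashlib.scrypt(raw_code, salt=salt, n=2 ** 14, r=8, p=1, dklen=64)


def wrap_dek(dek, kek):
    """One-time-pad wrap (each KEK is used for exactly one wrap) plus an HMAC tag."""
    enc_key, mac_key = kek[:32], kek[32:]
    ct = bytes(a ^ b for a, b in zip(dek, enc_key))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def unwrap_dek(blob, kek):
    """Return the DEK, or None if the code is wrong or the blob was tampered with."""
    enc_key, mac_key = kek[:32], kek[32:]
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, enc_key))


def unlock_tag(secret, device_id, nonce):
    """Computed on the phone: proof of possession bound to this drive and this challenge."""
    msg = b"clexi-unlock|" + device_id.encode() + b"|" + nonce
    return hmac.new(secret, msg, hashlib.sha256).digest()


class ClexiController:
    """State the drive's crypto PCB would hold. No server is involved anywhere."""

    def __init__(self):
        self.device_id = secrets.token_hex(8)
        self._dek = secrets.token_bytes(32)  # never leaves the controller in normal use
        self.unlock_keys = {}                # key_id -> (secret, label, added_ts)
        self._pending_nonces = set()
        raw_code = secrets.token_bytes(CODE_BYTES)
        self.backup_code = format_backup_code(raw_code)  # shown once at setup, then forgotten
        self.recovery_salt = secrets.token_bytes(16)
        # recovery blob is stored on the SSD so a replacement controller or offline tool can use it
        self.recovery_blob = wrap_dek(self._dek, kek_from_code(raw_code, self.recovery_salt))

    def pair(self, label):
        """Register a new unlock device; returns (key_id, secret) for the phone to keep."""
        key_id, secret = secrets.token_hex(4), secrets.token_bytes(32)
        # added_ts comes from an unauthenticated local clock, as noted in the text
        self.unlock_keys[key_id] = (secret, label, int(time.time()))
        return key_id, secret

    def revoke(self, key_id):
        self.unlock_keys.pop(key_id, None)

    def challenge(self):
        """Fresh nonce for one unlock attempt; each nonce is accepted at most once."""
        nonce = secrets.token_bytes(16)
        self._pending_nonces.add(nonce)
        return nonce

    def unlock(self, key_id, nonce, tag):
        """Return the DEK if the response is valid; None on unknown key, replay or bad tag."""
        if nonce not in self._pending_nonces or key_id not in self.unlock_keys:
            return None
        self._pending_nonces.discard(nonce)  # a replayed response fails here
        secret = self.unlock_keys[key_id][0]
        if not hmac.compare_digest(tag, unlock_tag(secret, self.device_id, nonce)):
            return None
        return self._dek


def offline_recover(recovery_blob, salt, backup_code):
    """The proposed open-source emergency tool: SSD contents + printed code -> DEK, no account."""
    return unwrap_dek(recovery_blob, kek_from_code(parse_backup_code(backup_code), salt))


if __name__ == "__main__":
    drive = ClexiController()
    kid, phone_secret = drive.pair("my phone")
    n = drive.challenge()
    assert drive.unlock(kid, n, unlock_tag(phone_secret, drive.device_id, n)) is not None
    print("unlocked; backup code for the drawer:", drive.backup_code)
```

The two properties the list asks for fall out directly: revoking a pairing is a local delete on the controller (no server round trip), and `offline_recover` needs nothing but the SSD's recovery blob and the printed code, so a dead PCB or a dead vendor does not take the data with it. The trade-off is that whoever holds the printed code holds the drive, which is exactly why the code must be stored offline.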

The Conclusion

So I have had the Clexi for 8 months on the dot (received Nov 30) and I cannot say I am crazily impressed so far. There hasn't been a lot in terms of updates (I'd even say practically nothing as far as I know); they still seem to be active, having been at the RSA Conference recently, but there hasn't been a lot of publicly visible activity around the product.

Lately I mainly use the Clexi as a dump for videos I want to watch on the train or whatever, which can get annoying with the spotty device recognition on Android 12 (prior to that it always seemed to work), but a small SSD on a cable is just very nice, and being encrypted is a small but nice benefit. Obviously, when transferring something you actually want to keep secret, the benefit is a lot bigger.

What I see in clexi tho is the potential with the way it's engineered and what could be done through software or additional hardware that can connect to the clexi.

For example, if we just drop the tap-to-unlock and work with the full Bluetooth range, whatever that may be (sadly I haven't got an answer), one could place a Bluetooth beacon in a company and use it to unlock company Clexis. Provided the beacon authenticates itself to the drive rather than merely being present (plain BLE advertisements can be spoofed or replayed by anyone), the appropriate software engineering could even add conditions like checking the time, or that a certain user is actually logged in somewhere on the network, or, via an application, prompting the user before the Clexi unlocks. This could make it a LOT more versatile than always having to rely on smartphones.

My main issues with the Clexi are the announced subscription, the reliance on an online service that needs accounts from potentially data-greedy companies, and in general the lack of a fallback option, for example during an outage or when the Clexis inevitably go end-of-life someday.

Well that's been the review as far as it went I hope people like it and maybe see you next time.
