
Security Flaw in AutoCAD 2007 Password Protection

In the process of working on reverse-engineering AutoCAD 2007's DWG file format, the Open Design Alliance has discovered what appears to be a serious security flaw. Although I've reported this flaw to Autodesk management twice since I became aware of it (and both times suggested that it would be more appropriate if they disclosed it than if the Open Design Alliance did), I received no response.

Since this flaw creates a potentially serious security vulnerability for customer data, I'm reporting it here.

Starting with the 2004 version, AutoCAD has supported high-security password-protection of DWG files. When a password is added to a DWG file, AutoCAD uses the password as a key to lock the file using the encryption API provided by Microsoft Windows.

The 2007 version of AutoCAD supports the same password protection scheme -- except that, in our testing, it fails to actually lock (encrypt) the file.

AutoCAD 2007 will still not open a password-protected DWG file without the password being entered, so a user may mistakenly believe that their data is secure -- yet it is a trivial matter for a knowledgeable person to gain full access to the DWG file, without knowing the password.

We are continuing to investigate, and may be able to find a fix for this problem -- however, without Autodesk's cooperation (which we'd welcome), what we can do is greatly limited because of restrictive terms in the AutoCAD EULA.

Posted on Wednesday, June 28, 2006 at 02:06PM by Evan Yares | 2 Comments

Reader Comments (2)

I too have a problem with AutoCAD 2007 password protection. When I try to make a DWG password protected I cannot. I get to the point where I enter the password, but when I press the OK button it won't do anything. Do you know the workaround for this?
September 24, 2007 | Unregistered Commenter Anthony

I have forgotten the password of my DWG file. Is there any way to recover the password or file.....
March 2, 2009 | Unregistered Commenter Madan Saini
