Following a notice on several sites, most notably Maximum PC, that Kingston is recalling some of its (ostensibly) secured thumbdrives because they are not really secure, there is also a notice in other places about the same problem occurring with Cruzer drives from Sandisk. So much for the theory that these things evolve independently of each other – most of the time one company delivers something, and many others jump on the band wagon. Another thing that is not widely known is that frequently, it is not the well known companies that actually develop these technologies.
A newly discovered flaw in USB vendor Sandisk’s secure USB technology leaves the devices vulnerable to attack and has led to the recall and patching of several secure USB drive products.
A flaw in the password-handling process of Sandisk’s Cruzer Enterprise USBs leaves the devices vulnerable to hackers: Sandisk issued a security alert and update last month for multiple models of the Cruzer Enterprise drives that fixes the bug in the access-control features. The USB vendor emphasized in the alert that the flaw is not in the device hardware or firmware, but in the application that runs on the host system.
Meanwhile, secure USB vendor Kingston Technologies, which security experts say uses Sandisk software in its products, has recalled three of its secure USB drives, warning its customers that data on the encrypted drives could be accessed by seasoned attackers and recommended that the drives be physically returned for updates.
The vulnerability, which was discovered by researchers at German penetration testing firm SySS, would basically let an unauthorized person access data on the drives by exploiting a weakness in the way the software handles passwords. Vulnerabilty finds for secure USB drives have been rare, with the biggest threats to these devices historically being physical loss or theft, or for becoming infected with malware. But secure USB experts say the newly discovered password-handling flaw in the Sandisk and Kingston USB drives is only the tip of the iceberg when it comes to potential bugs that could be found in secure USBs that rely on software.
and later –
David Jevans, CEO at IronKey, which makes ultra-secure USB devices, says what makes this vulnerability so significant is that it affects multiple vendors’ products. Other USB vendors that use Sandisk’s software also would be vulnerable, he says.
“The thing that’s scary about this one is that it [affects] a bunch of products,” he says. “It just proved that these companies are memory vendors making fundamental errors that mean every device has the same password We’re going to see more security [research] companies attacking these things” and finding weaknesses, he says.
The problem lies in how the devices check passwords: they do so in software and all rely on the same underlying password, he says. “They are relying on software on a computer to check if a password is correct — a security company would never do that,” Jevans says. “You’ve got to check passwords in hardware. You can’t rely on software.”
All it takes is for a tool that unlocks these devices, which the German research team SySS did, he says. “Having the same magic word [that] unlocks it” is not secure, he says. Authentication flaws basically defeat the purpose of the encryption in the USB devices, he says.
With USBs getting smarter and more software-laden and are used as virtual machines, for instance, they are in turn becoming more attractive targets. IronKey’s Jevans says the firmware on some of these devices could also be targeted: “An attacker could easily replace the firmware on it to unlock it or score a password or even modify software on the device to add malicious code so that when you plug it in, it infects the network,” he says. “That’s a vulnerability area that’s going to get explored.”
This is a case where things using the same technology, or in some cases derivations of that technology, is not a good thing. It may make things less expensive, but exposes the same flaws.
In these cases, the manufacturer would say that making these devices more (or, actually) secure would add cost.
What I find so disturbing about these articles is how much some companies and persons are relying upon these things. Although I must confess that I believe that many people don’t need the level of security that they purchase or use. Most of us just don’t have things that are that important, in the large scheme of things.
For those that do, perhaps a bit of subterfuge is a better way of handling it. For example, many people have no use for the floppy drive on a machine (yes, I know some don’t include floppies – I never said I was going to supply a panacea) but a well placed floppy with the important information may not need any encryption, as most would think nothing of an unmarked floppy in a box of (apparently) unused floppies in a desk. I have used this in several places. If more security is desired use TruCrypt to encrypt the contents of the floppy.
Making the place of the information slightly difficult to get to, along with the less than obvious placement, is a very good way of making things secure.
For those who use thumbdrives, the use of TruCrypt still seems a better and free way to secure a drive, rather than taking the lazy way out and thinking that the hardware security on the more expensive thumb drives will keep things safe.