Huge vulnerability in encrypted USB drives
NIST-certified USB Flash drives with hardware encryption cracked
Security firm SySS announced in German that it has discovered a massive vulnerability in the hardware encryption for USB thumb drives by Kingston, SanDisk and Verbatim. From the article at The H Security it looks like the problem is that all drives share a single symmetric encryption key at the hardware level. The password interface seems to simply do some gymnastics to get access to that key. It does not really matter what it does because SySS was able to intercept the actual hardware key being sent in the clear to the device.
They then simply wrote a little program to just send that key without bothering with the password or anything else. Because all drives by the same maker use the same key, this program can instantly open any encrypted USB drive by that maker.
From the sound of it, this is a very easy attack for someone to duplicate. If you have one of these drives, I would suggest that you treat it as if it were a normal unencrypted thumb drive.
via The Privacy Blog.
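The design flaw described above, as an added example that is not part of the original post and is not the vendors' firmware: a simplified model comparing a drive whose password is checked on the host and which then receives one value shared by every unit, with a drive that derives its key on the device from the password and a per-device salt. The class names, `SHARED_UNLOCK` and the passwords are constructed for illustration.

```python
import hashlib, hmac, os

# Constructed placeholder standing in for the one value shared by every unit.
SHARED_UNLOCK = bytes(32)

class FlawedDrive:
    """Model: the password is checked on the host; the device only sees a fixed value."""
    def __init__(self, password):
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self.unlocked = False

    def host_unlock(self, password, bus_log):
        # Host-side check: the device itself never sees the password.
        if hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self._pw_hash):
            bus_log.append(SHARED_UNLOCK)  # what actually crosses the USB bus
            self.device_receive(SHARED_UNLOCK)
        return self.unlocked

    def device_receive(self, msg):
        self.unlocked = hmac.compare_digest(msg, SHARED_UNLOCK)
        return self.unlocked

class HardenedDrive:
    """Model: the device derives the key from the password and a per-device salt."""
    def __init__(self, password):
        self._salt = os.urandom(16)
        self._check = hashlib.sha256(self._derive(password)).digest()
        self.unlocked = False

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def device_receive(self, password):
        # Without this unit's password there is no key to release.
        key = self._derive(password)
        self.unlocked = hmac.compare_digest(hashlib.sha256(key).digest(), self._check)
        return self.unlocked

def shared_value_opens_other_unit():
    """Return (flawed_opened, hardened_opened) for input observed on a different unit."""
    bus_log = []
    FlawedDrive("alice-pw").host_unlock("alice-pw", bus_log)
    flawed = FlawedDrive("bob-pw").device_receive(bus_log[0])
    hardened = HardenedDrive("bob-pw").device_receive("alice-pw")
    return flawed, hardened
```

In the first model the password never takes part in what the device accepts, so it adds no protection; in the second, nothing that unlocks one unit is valid on another.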