First published: 09th January 2010
Vendors of hardware-encrypted USB memory sticks, including SanDisk, Kingston and Verbatim, have issued security advisories about their devices. Apparently, although the drives are NIST-certified and the data is encrypted with 256-bit AES, security researchers at SySS discovered that the same character string was always sent to the drive after various crypto operations had been performed. By writing a tool that worked on the RAM of the active password entry program and sent the appropriate string to the drive, the researchers gained immediate access to all the data on the drive without using the password.
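A simplified model of the design flaw described above, next to a design in which the device checks the password itself. This is an added example, not code from SySS or the vendors; the class names, the token value, the KDF parameters and the retry limit are assumptions.

```python
import hashlib, hmac, os

# Constructed stand-in for the fixed string; not a real device value.
UNLOCK_TOKEN = b"CONSTRUCTED-UNLOCK-TOKEN"

def host_hash(password):
    """Hypothetical host-side password hash used by the flawed design."""
    return hashlib.sha256(password).digest()

class FlawedDrive:
    """Trusts the host: whoever sends the fixed token gets the data."""
    def __init__(self, data):
        self._data, self.unlocked = data, False
    def receive(self, message):
        self.unlocked = hmac.compare_digest(message, UNLOCK_TOKEN)
        return self.unlocked
    def read(self):
        return self._data if self.unlocked else None

def flawed_host_unlock(drive, password, stored_hash):
    """The check runs on the PC; the password never reaches the drive."""
    if not hmac.compare_digest(host_hash(password), stored_hash):
        return False
    return drive.receive(UNLOCK_TOKEN)  # same bytes for every password

class HardenedDrive:
    """Verifies the password on the device, salted, slow and rate-limited.
    A real device would also unwrap its AES key with the derived value."""
    MAX_TRIES = 5
    def __init__(self, data, password):
        self._salt = os.urandom(16)
        self._verifier = self._kdf(password)
        self._data, self.unlocked, self._tries = data, False, 0
    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password, self._salt, 100_000)
    def receive(self, password):
        if self._tries >= self.MAX_TRIES:
            return False  # locked out until reset
        ok = hmac.compare_digest(self._kdf(password), self._verifier)
        self._tries = 0 if ok else self._tries + 1
        self.unlocked = ok
        return ok
    def read(self):
        return self._data if self.unlocked else None
```

In the flawed model the drive's decision depends only on a value that is identical for every user, so the strength of the AES encryption behind it is irrelevant.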
Juergen Schmidt, writing at The H, criticised the different reactions of the vendors involved: Kingston recalled the devices, while the others merely provided a software update. He also asked two very relevant questions: "how could USB Flash drives that exhibit such a serious security hole be given one of the highest certificates for crypto devices?" and "Even more importantly, perhaps – what is the value of a certification that fails to detect such holes?"
Another question to consider is whether an unscrupulous vendor could use such a flaw for massive collection of confidential data. A possible scenario would be:
- Design encrypted memory device with a security flaw
- Sell device in large quantities
- Wait for discovery of the security flaw, or "discover" it yourself
- Issue a product recall
- Enjoy reading confidential information on returned devices
After all, how many users of memory sticks know how to securely delete data on them?