Secure Flash Drives Hacked
You would think that AES 256-bit hardware encryption would be pretty secure, especially if it met NIST standards for sensitive data. But you'd be wrong, especially if you had USB flash drives made by Verbatim, SanDisk, or Kingston.
SySS GmbH, a German company specializing in security issues including penetration testing and IT forensics, announced that it has cracked the hardware-based encryption resident on flash drives from the aforementioned manufacturers. Although the data is encrypted, SySS discovered that it is a simple matter to bypass the need to even enter a password. Under normal circumstances, when a user enters the correct password, the drive's authentication program passes a character string to decrypt the data. Unfortunately, the string is always the same, regardless of the user's password. SySS wrote a program that will always send the enabling string to the drive, making the encryption scheme more or less useless.
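The design flaw described above, modelled as an added example (this is not SySS's program or any vendor's firmware). The class names, the token value, the XOR key wrap and the PBKDF2 iteration count are assumptions made for the illustration; the first class reproduces the password-independent unlock string, the second ties the data key to the password.

```python
import hashlib
import hmac
import os

class FlawedDrive:
    """Password is checked on the host; the device accepts one fixed string."""
    UNLOCK_TOKEN = b"CONSTRUCTED-FIXED-TOKEN"  # constructed value, same for every password

    def __init__(self, password: str):
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self.unlocked = False

    def host_login(self, password: str) -> bool:
        # Host-side utility: compares the password, then sends the fixed string.
        digest = hashlib.sha256(password.encode()).digest()
        if hmac.compare_digest(digest, self._pw_hash):
            self.device_command(self.UNLOCK_TOKEN)
        return self.unlocked

    def device_command(self, token: bytes) -> None:
        # Device side: the token carries no information about the password.
        if hmac.compare_digest(token, self.UNLOCK_TOKEN):
            self.unlocked = True

class HardenedDrive:
    """The data key is only recoverable from the password itself."""
    def __init__(self, password: str):
        self._salt = os.urandom(16)
        dek = os.urandom(32)  # data-encryption key, never stored in the clear
        # XOR wrap stands in for AES key wrap to stay within the standard library.
        self._wrapped = bytes(a ^ b for a, b in zip(dek, self._kek(password)))
        self._check = hmac.new(dek, b"dek-check", hashlib.sha256).digest()

    def _kek(self, password: str) -> bytes:
        # Iteration count is an assumed value for the example.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def unlock(self, password: str):
        # Returns the data key for the right password, None for anything else.
        dek = bytes(a ^ b for a, b in zip(self._wrapped, self._kek(password)))
        tag = hmac.new(dek, b"dek-check", hashlib.sha256).digest()
        return dek if hmac.compare_digest(tag, self._check) else None
```

In the first class the strength of AES never comes into play, because the device's unlock decision does not depend on the password; in the second, nothing stored on the device yields the data key without it.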
As an aside, "AES" stands for Advanced Encryption Standard and was announced by the National Institute of Standards and Technology (NIST) at the end of 2001. In 2003, the US Government announced that AES was strong enough to be used for protecting classified info up to SECRET level as long as the key was either 182 bits or 256 bits.
Kingston has issued a recall of its affected drives (not all of its secure USB drives are susceptible to the announced hack). Verbatim has made a couple of updates available (which run only on Windows 2000 SP4, Server 2003, XP SP1, SP2, and Vista) that are intended to address the issue on the susceptible drives it has made. SanDisk has also made an update available for its affected devices.
Nonetheless, one might wonder how much classified or otherwise sensitive data is, and will continue to be, floating around on USB sticks that were previously thought to be secure and can now be easily accessed through means like the program written by SySS.


Okay, I need to re-check the security on my flash drive. I was warned of this the other day.
Reply to this
Hello, I apologize for contacting you in this fashion, but time is at a premium (work, kids, etc.) but I think, for promotional purposes, you might be interested in submitting your site to my new tech directory…The Tech Directory at thetazzone.net
I’m assuming comments are moderated so when I click submit this post won’t automatically appear on site, if it does, I again apologize.
Reply to this
Another good post here today. You are really offering great and challenging concepts in your new blog and I think it will be a great success. Keep up the great work and keep the good ideas coming.
Reply to this
Companies that manufacture these USB flash drives made by Verbatim, SanDisk, and Kingston must make the necessary adjustments to improve the security of their gadgets.
They must help each other to improve the flash drives' security.
Reply to this
I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.
Reply to this
Wow... talk about dropping the ball on your product... You would think big companies like SanDisk and Kingston would have thought ahead of time about whether single string decryption might pose a problem.
That even makes sense to me and I'm your average non-techy!
Reply to this
I am really looking forward to a fast response from the manufacturer about the security issues.
Reply to this
Thank you for sharing this very informative post.
Reply to this
I don't see any way how the manufacturers can improve the security of their gadgets. Forcing a special filesystem for the USB drives will create more problems than benefits. Encrypting doesn't depend on the flash drive itself, but on the user. So there's nothing the manufacturers can do.
Reply to this
A design flaw has been reported, allowing an attacker to access the secure flash drives made by some of the major brands of flash memory. It was reported that it is possible to send the unlock flag to the devices, triggering the release via the computer without the password set by the user.
Reply to this
This isn't good news at all! Best keep your flash drives safe and possibly not buy these brands if storing sensitive information. Thanks for the details.
Reply to this
That's good to know, I had no idea there are reasons to doubt my Kingston USB flash drive's security. So far no one has recalled it though; does that mean that there is nothing wrong with my flash drive?
Reply to this
It would seem that the hackers are getting pretty clever these days. This is why we should take extra care when it comes to the security of our computers and the gadgets that connect to them.
Reply to this
What about HASP? I am quite confused: is it a USB drive with AES encryption, or is it to stop software piracy?
Reply to this
Hasn't 256-bit been the norm for some time now? Gone is the 128-bit because hackers have "found a way"?
Reply to this
There are so many memory brands available in the market to provide secure flash drives. These drives promise to keep your data safe from hackers and viruses. So try to prefer these types of data storage devices if possible.
Reply to this