Government-Approved Encrypted USB Drives Hacked

German security research group SySS GmbH has uncovered a serious vulnerability in encrypted USB drives from Kingston, SanDisk and Verbatim. SySS members analyzed the PC-based password-checking software associated with these devices and found they could easily force it to unlock the encrypted drives without any need for the user's password.

These drives received the U.S. Government's FIPS 140-2 certification based mainly on the fact that they use tough 256-bit AES encryption, but the encryption itself is not at fault. Rather, the research team discovered that the actual encryption key used is not dependent on the password. The password-verification utility sends the same decryption string on receipt of a valid password, so they simply hacked it to always send that decryption string.

Kingston initiated a recall drive for the affected units. SanDisk and Verbatim now offer an updated version of the PC-based password-handling utility. Comments at security expert Bruce Schneier's blog suggest that updating the software may be insufficient because files already on the drive will still be vulnerable. PCMag suggests that if your encrypted drive is one of those affected, move all files from the drive to your PC, install the update, and then move all files back.

Not all encrypted USB drives are affected. IronKey, billed as "the world's most secure flash drive", uses software embedded in its "CryptoChip" to validate passwords. This is significantly more secure than using PC-based software. And unlike the affected products, every IronKey has its own unique set of encryption and decryption keys, generated at initialization.


[link to www.extremetech.com]