USB AES Crypto System Cracked

The companies SanDisk and Kingston offer encrypted USB Flash Drives which have been certified by NIST according to the FIPS standard in order to be used by the American army forces and government. Members of staff of the SySS GmbH have managed to bypass the entire protection of the USB sticks. Independent from the password in use, respective encrypted data can be reconstructed within seconds. Read our publications: Paper SanDiskPaper Kingston

via www.syss.de

I’ve been a fan of encrypted USB thumb drives for some time. I’ll go out on a limb here and say that I have carried one around with me for a couple of years. In the associated article, SySS a German Security Analyst firm made this announcement in a white paper published in December 2009.

With the ubiquitous presence of USB thumb drives (you can get them at the grocery store checkout stand for crying-out-loud) and the enormous capacity of these drives, people are carrying around massive amounts of data on them. Most of the data floating around are all about Aunt Sally’s 4th of July picnic pictures, but in fact these drives represent a real security risk to the enterprise.

It wasn’t that long ago that the capacity of entire corporate networks amounted to less than the capacities generally available on these ultra-portable devices. Not to mention, how many of you are carrying or transporting your personal information around on these things? Social Security Numbers? Drivers License Numbers? Credit Card Information? How about your Quicken files?

What happens if these drives are lost or stolen?

Several manufacturers recognize these risks and have designed hardware encrypted USB drives. In a nutshell, these drives take the information you put on them, and using sophisticated hardware, encrypt the information using a secure data protection algorithm.

This algorithm, AES (Advanced Encryption Standard), is an advanced encryption standard adopted by Uncle Sam to secure information used by the Federal Government. Properly deployed anybody using USB drives employing this standard can rest assured that their private information is private.

You’d think you’d be safe, and I won’t get in to the technical details, because it is really subtle. But there are some manufacturers of these secure USB drives, that improperly employ the standard, and subsequently make these devices subject to cracking. The attacker doesn’t even have to KNOW YOUR PASSWORD, talk about a false sense of security. The list of manufacturers can be found in the attached link, and in all fairness, they have been notified and a patch is published to resolve the vulnerability.
That said, I’m not big on product endorsements, but IRONKEY bears a mention here. I’ve used IRONKEY secure USB drives for a while, and they were never a vector for the vulnerability mentioned. They employ a rock solid hardware/software combination to secure the data on these devices. You can find these secured USB drives at www.ironkey.com.

So you thought your data was secure?

Hmmmm…

Leave a Reply