Secure USB Drives Not So Secure

Penetration testers uncovered a vulnerability that exploits the way the flash drives handle passwords

Several hardware-encrypted USB memory sticks are now part of a worldwide recall and require security updates because they contain a flaw which could allow hackers to easily gain access to the sensitive information contained on the device.

When USB maker SanDisk first received news of the problem last month, the vendor issued a security bulletin that warned customers its Cruzer Enterprise series of USB flash drives contained a vulnerability in the access control mechanism. SanDisk offered a product update online to address the issue and made sure to note the problem only applied to the application running on the host, not the device hardware or firmware.

Now USB vendor Kingston has jumped in with a similar warning, probably because their drives utilize the same code from SanDisk. Kingston's alert informs customers that "a skilled person with the proper tools and physical access to the drives may be able to gain unauthorized access to data contained" on the drives. The company has issued a recall on the devices and urged customers to return them. A warning has also been issued by USB vendor Verbatim.

The drives impacted are equipped with AES 256-bit hardware encryption, which is designed to meet the stringent requirements of enterprise-level security. However, penetration testers with German security firm SySS uncovered a vulnerability that exploits the way the flash drives handle passwords. The exact nature of the flaw is not described on any of the vendor bulletins, but according to an article in security publication The H, "the main point of attack for accessing the plain text data stored on the drive is the password entry mechanism." SySS testers found a flaw that allowed them to write a tool that sent the same character string to unlock the drive, regardless of what password was entered.

The flaw may be contained in other drives as well and more recalls may be on the way, according to Graham Cluley, Senior Technology Consultant with Sophos.

"It's certainly a disturbing vulnerability, and may well lead to other hackers exploring the possibility of accessing what was previously considered 'securely encrypted' data," noted Cluley.

"I don't know if other manufacturers also use SanDisk's code, but even if they don't they might be wise to examine their own products and think long and hard about whether they might be vulnerable to similar exploits. Although it's embarrassing to recall a product, it would be much worse to have a product on the market which is vulnerable to this kind of attack."

Cluley, who also blogged about the issue, called the problem "shameful" and said security managers need to be able to ensure proper encryption is used on USB sticks, which can carry a wealth of sensitive information.

He also urged companies to put in place necessary measures to detect and block unauthorized use of removable storage devices.

Tags: encryption, USB key

BlackBerry Hints at Complete End Point Security

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Enterprise Security for Endpoints

Think your endpoints are secure? Think again. Learn why Trend Micro can help.

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.