Some Secure USB Drives Not All They’re “Cracked” Up To Be
Much has been made, as it should be, about the security flaw found in some Kingston, SanDisk and Verbatim secure USB flash drives. Each of these drives was certified to FIPS 140-2 Level 2, a government standard covering the implementation of an encryption algorithm (256-bit AES in this case) and also a device’s tamper resistance.
The flawed drives use software for authentication: it provides the mechanism for entering a password via the host computer keyboard and/or mouse. The string is then passed to the USB encryption controller so that the data can be decrypted. The issue with the flawed drives was not with the encryption or with the physical devices; it was with this software that passes the authentication from the host computer to the USB flash drive.
This begs the question…why use secure USB flash drives that involve software at all for authentication? Even the drives that were not proven to be susceptible to this particular flaw could potentially be susceptible to a different type of hack. It would be shortsighted to say that a new hacking method might not be conceived in the future to attack the other drives that utilize software for authentication.
The Classified Secure Flash Drive (and all products in the Classified Family) utilizes DataLock PIN Protection, which does not communicate with the host computer AT ALL during authentication. Authentication can only be completed by pressing the buttons on the drive in-hand (or the scroll wheel in the case of SafeMouse).
With critical data, why take the risk of a potential software hack when this avenue can be eliminated altogether with a PIN pad protected drive?
J. Tate