[ISN] Secure USB Drives Not So Secure

From: InfoSec News <alerts_at_private>
Date: Wed, 6 Jan 2010 03:03:36 -0600 (CST)
http://www.csoonline.com/article/512613/Secure_USB_Drives_Not_So_Secure

By Joan Goodchild
Senior Editor
CSO
January 05, 2010

Several hardware-encrypted USB memory sticks are now part of a worldwide 
recall and require security updates because they contain a flaw which 
could allow hackers to easily gain access to the sensitive information 
contained on the device.

When USB maker SanDisk first received news of the problem last month, 
the vendor issued a security bulletin that warned customers its Cruzer 
Enterprise series of USB flash drives contained a vulnerability in the 
access control mechanism. SanDisk offered a product update online to 
address the issue and made sure to note the problem only applied to the 
application running on the host, not the device hardware or firmware.

Now USB vendor Kingston has jumped in with a similar warning, probably 
because their drives utilize the same code from SanDisk. Kingston's 
alert informs customers that "a skilled person with the proper tools and 
physical access to the drives may be able to gain unauthorized access to 
data contained" on the drives. The company has issued a recall on the 
devices and urged customers to return them. A warning has also been 
issued by USB vendor Verbatim.

The drives impacted are equipped with AES 256-bit hardware encryption, 
which is designed to meet the stringent requirements of enterprise-level 
security. However, penetration testers with German security firm SySS 
uncovered a vulnerability that exploits the way the flash drives handle 
passwords. The exact nature of the flaw is not described on any of the 
vendor bulletins, but according to an article in security publication 
The H, "the main point of attack for accessing the plain text data 
stored on the drive is the password entry mechanism." SySS testers found 
a flaw that allowed them to write a tool that sent the same character 
string to unlock the drive, regardless of what password was entered.

[...]


________________________________________ 
Did a friend send you this? From now on, be the 
first to find out! Subscribe to InfoSec News 
http://www.infosecnews.org
Received on Wed Jan 06 2010 - 01:03:36 PST

This archive was generated by hypermail 2.2.0 : Wed Jan 06 2010 - 01:15:56 PST