Here’s some news that might cause concern for some users of hardware-encrypted USB memory sticks.
Many companies and individuals use thumb drives equipped with hardware-based encryption to secure their sensitive data. This is sensible as there have been far too many instances of USB sticks being lost containing confidential patient records, school children and records relating to US soliders serving in Afghanistan and Iraq.
Even plans for secret troop movements stored on memory sticks have been lost on the floor of a nightclub.
In fact, if you can think of a type of personal sensitive information – chances are that someone, somewhere, has lost it on a USB stick.
So having a thumb drive that automatically encrypts the data contained upon it is a good idea, as it will mean that even if you do lose your USB stick in the back of a taxi or down the side of the sofa that identity thieves won’t be able to do anything with the sensitive information contained upon it.
What’s going to be causing some anxiety amongst IT teams is that SanDisk has issued a security bulletin explaining that versions of its Cruzer Enterprise flash drive contain a vulnerability that could allow unauthorised parties to access encrypted data on your USB stick. SanDisk’s alert was at pains to point out that the the flaw was not in the drive’s hardware or firmware, but in the accompanying code that runs on the user’s computer.
Kingston Technology has also chimed in with its own security advisory (presumably based upon the same vulnerability) regarding the potential for hackers to access encrypted on some of its USB drives too. Kingston’s advisory doesn’t provide much information other than advising affected customers to contact their technical support team for an update, but does explain that a “skilled person with the proper tools and physical access to the drives may be able to gain unauthorized access to data”.
A similar warning has also been published by Verbatim.
According to a report in The H, the vulnerability was discovered by SySS, a German penetration testing firm, and revolves around a fairly elementary loophole in the way the flash drives handle passwords.
SySS discovered that, regardless of the password being used, the Windows access control program ultimately sent the same sequence of bytes to the drive to “unlock” it. Thus, SySS were able to write a program that sent the “unlock” code regardless of the password entered, and gain immediate access to the flash drive’s entire contents.
Frankly, it’s pretty shameful that these so-called secure drives should be vulnerable to this kind of attack. Clearly if someone inside your organisation, or an attacker with your firm in his gunsights, was interested in reading confidential information held on an encrypted USB stick then this would be a very attractive method of attack (if they could gain physical access to the device, of course).
So far the drives said to be affected by the security flaw are:
- Cruzer Enterprise USB flash drive, CZ22 (1GB, 2GB, 4GB, 8GB)
- Cruzer Enterprise FIPS Edition USB flash drive, CZ32 (1GB, 2GB, 4GB, 8GB)
- Cruzer Enterprise with McAfee USB flash drive, CZ38 (1GB, 2GB, 4GB, 8GB)
- Cruzer Enterprise FIPS Edition with McAfee USB flash drive, CZ46 (1GB, 2GB, 4GB, 8GB)
- Kingston DataTraveler BlackBox (DTBB)
- Kingson DataTraveler Secure – Privacy Edition (DTSP)
- Kingson DataTraveler Elite – Privacy Edition (DTEP)
- Verbatim Corporate Secure USB Flash Drive (1GB, 2GB, 4GB, 8GB)
- Verbatim Corporate Secure FIPS Edition USB Flash Drives (1GB, 2GB, 4GB, 8GB)
No-one is denying that USB memory sticks are useful. But, if they are going to carry sensitive information, then proper secure encryption must be used. And if you haven’t already done so, put in place a policy which can detect and block unauthorised use of removable storage devices.