Monday, February 22, 2010

USB's hardware encryption cracked

Kingston, SanDisk and Verbatim all sell quite similar USB Flash drives with AES 256-bit hardware encryption that supposedly meet the highest security standards. NIST validates the USB drives for use with sensitive government data. Security firm SySS, however, has found that despite this it is relatively easy to access the unencrypted data, even without the required password.
The hole could allow unauthorized access to encrypted data on a USB flash drive by circumventing the password authorization software on a host computer.
"It's really onerous. It's a stupid crypto mistake and they screwed up, and they should be rightfully embarrassed for making it," said cryptographer and computer security specialist Bruce Schneier.
The USB drives in question encrypt the stored data via the practically uncrackable AES 256-bit hardware encryption system. Therefore, the main point of attack for accessing the plain text data stored on the drive is the password entry mechanism. When analysing the relevant Windows program, the SySS security experts found a rather blatant flaw that has quite obviously slipped through testers' nets. During a successful authorisation procedure the program will, irrespective of the password, always send the same character string to the drive after performing various crypto operations – and this is the case for all USB Flash drives of this type.
Read computer world for complete analysis on the vulnerability