Flash Drives Security Threat
A security hole in flash drives could allow unauthorized access to encrypted data by circumventing the password authorization software on a host computer.
SanDisk Corp. and Verbatim Corp. have joined Kingston Technology Inc. in issuing a security warning to customers alerting them to the potential security threat posed by a flaw in the hardware-based AES 256-bit encryption on their USB flash drives.
All three companies claimed their USB drives had met security criteria set by the Federal Information Processing Standard (FIPS) 140-2. FIPS is a U.S. government standard used to accredit devices with encryption algorithms. The standard was developed by the National Institute of Standards and Technology and includes both hardware and software components. FIPS 140 covers four levels of security.
Storage companies blast FIPS 140-2 certification on their products as part of their marketing materials, stating that their devices are secure enough for use by government agencies. Because of security problems in the past, however, the government has banned the use of removable flash media devices by its employees – making this claim false.
This is nothing new to military members, who know the frustrations and trouble they will face if they use a flash drive on a government or military network or computer: the U.S. Department of Defense banned USB drives and other removable media devices after a worm infiltrated Army networks in late 2008.
“All units are not allowed to use any USB mass storage devices, which includes everything from hard drives to cameras to some printers,” an Army lieutenant reported after the directive was issued.
The Defense Department’s geeks were spooked then and are still spooked now. The event that triggered Strategic Command to issue the ban was the worm’s ability to spread rapidly across networks. Although the ban was described as a temporary suspension of the use of so-called thumb drives, CDs, flash media cards, and all other removable data storage devices on its networks, the recent security warning makes it unlikely that military members can expect to use them anytime soon.
The new security hole could allow unauthorized access to encrypted data on a USB flash drive by circumventing the password authorization software on a host computer.
“It’s really onerous. It’s a stupid crypto mistake and they screwed up, and they should be rightfully embarrassed for making it,” said cryptographer and computer security specialist Bruce Schneier.
Vulnerable Flash Drives
Verbatim warned that the security flaw exists in its Verbatim Corporate Secure and Corporate Secure FIPS Edition series of USB flash drives; SanDisk revealed a threat related to its Cruzer Enterprise series of USB flash drives. Both companies issued online application upgrades to address the issue.
According to SanDisk and Verbatim, the security issue only applies to the application running on the host system; it doesn’t apply to the drive itself or the drive’s firmware. Computerworld reported earlier this week that Kingston had recalled its DataTraveler secure USB flash drives so it could update the devices because of the same issue. The Kingston models affected include the DataTraveler BlackBox, DataTraveler Secure-Privacy Edition and DataTraveler Elite-Privacy Edition.
There are several security certifications listed on packages, and each has its own definition of what is “secure”. The security claims companies tout are often more about marketing than about real security. Buyers and current flash drive users need to be aware of this and exercise caution with their current product.
Now would be a good time to upgrade your flash memory drive. Be careful though! With the security reports out, retailers will be dropping prices to help clear stock and inventory, so don’t go for the cheapest. Spend some time researching your options. Also, companies will offer free flash memory drives as promotional items. To cut marketing costs, they may unknowingly buy an insecure model and slap their name on it, and unintentionally put you at risk.
Security Flaw Found By SySS
German security company SySS GmbH found the flaw when it tested the drives’ security. It designed code for each device that modifies the software running in the computer’s memory, telling it to always authorize the password no matter who enters it or what it is.
Schneier said NIST will likely have to revamp its certification standards to cover the hardware-based encryption flaw found by SySS.
In a response to a Computerworld inquiry, NIST said it is aware of the vulnerability involving several FIPS 140-2-validated USB drives and is now reviewing information on the flaw. According to NIST, the FIPS 140-2 certification only covers cryptographic modules, which scramble data into an encrypted format that is indecipherable. The data is then decrypted and retrieved only by entering the correct password, key or other means of authentication processed by the module.
“From our initial analysis, it appears that the software authorizing decryption, rather than the cryptographic module certified by NIST, is the source of this vulnerability,” a statement read. “Nevertheless, we are actively investigating whether any changes in the NIST certification process should be made in light of this issue.”
According to Fountain Valley, Calif.-based Kingston, the security flaw involves the way the drives process passwords. According to Kingston, “a skilled person with the proper tools and physical access to the drives may be able to gain unauthorized access to data contained on” its DataTraveler encryption-enabled USB drives.
A Kingston spokesman said the company would not comment on any specifics surrounding the security flaw, because “anything we say [could give] other hackers fuel and clues” as to how to break into the drive’s security features.
The security flaw appears to be in the password authentication process in the host computer’s memory. When a new USB flash drive from one of the companies is used for the first time, software on the device tells the computer it’s a CD-ROM, allowing it to automatically ask for a password to unlock data on the device after a password is established. While the user’s password is stored on the USB drive, the authentication code runs on the PC or a server’s CPU.
Ultimately, that host system’s authentication password for each company is the same on all of its devices. If a hacker can find the default set of characters, all they need to do is return those. They will then have access to encrypted data on the drive. Even IronKey’s FIPS certification is to some extent marketing lingo that is required to sell to government agencies and private companies.
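A minimal model of the design flaw described above, set beside a design in which the drive itself checks the password. This is an added illustration, not code from SySS or any vendor; the class names, the constant value and the three-try lockout are assumptions made for the example.

```python
import hashlib, hmac, os

# Constructed model; every name and value here is hypothetical.
FIXED_UNLOCK = b"same-bytes-on-every-drive"   # placeholder, not a real vendor value

class HostCheckedDrive:
    """Flawed design: the PC decides, then sends a constant 'authorized' reply."""
    def __init__(self, password: bytes, data: bytes):
        self.pw_hash = hashlib.sha256(password).digest()  # readable by host app
        self._data, self._open = data, False
    def unlock_command(self, reply: bytes) -> bool:
        # The drive only sees the reply, never the password that produced it.
        self._open = hmac.compare_digest(reply, FIXED_UNLOCK)
        return self._open
    def read(self):
        return self._data if self._open else None

def host_software_login(drive: HostCheckedDrive, password: bytes) -> bool:
    """Password check running in host memory, outside the validated module."""
    ok = hmac.compare_digest(hashlib.sha256(password).digest(), drive.pw_hash)
    return drive.unlock_command(FIXED_UNLOCK) if ok else False

class DeviceCheckedDrive:
    """Contrasting design: the drive takes the password and checks it itself."""
    MAX_TRIES = 3                                  # assumed lockout policy
    def __init__(self, password: bytes, data: bytes):
        self._salt = os.urandom(16)
        self._verifier = self._derive(password)
        self._data, self._open, self._tries = data, False, 0
    def _derive(self, password: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, self._salt, 100_000)
    def unlock_command(self, password: bytes) -> bool:
        if self._tries >= self.MAX_TRIES:
            return False                           # locked out on-device
        self._open = hmac.compare_digest(self._derive(password), self._verifier)
        self._tries = 0 if self._open else self._tries + 1
        return self._open
    def read(self):
        return self._data if self._open else None

def compare_designs():
    flawed = HostCheckedDrive(b"correct horse", b"payroll.xls")
    hardened = DeviceCheckedDrive(b"correct horse", b"payroll.xls")
    return {
        "flawed_wrong_password": host_software_login(flawed, b"guess"),
        "flawed_constant_reply": flawed.unlock_command(FIXED_UNLOCK),
        "hardened_constant_reply": hardened.unlock_command(FIXED_UNLOCK),
        "hardened_right_password": hardened.unlock_command(b"correct horse"),
    }
```

In the first design the trust decision is a value produced on the host, so the strength of the AES module never comes into play; in the second, the only input the drive accepts is the password itself.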
Safe Flash Drives
When Kingston, SanDisk and Verbatim issued their warnings, IronKey, which claims to be the most secure flash drive, was among a number of companies to issue statements reassuring customers that their devices were safe from the same attacks, because the password and authentication process is contained on the USB drive itself and has nothing to do with the host system.
“We don’t trust the computer at all,” he said. “The computer could have malware on it or have hackers accessing it. In our security design, we said we have to assume the computer is completely untrustworthy. That’s where we started our threat modeling.”
FIPS doesn’t tell vendors how to build a secure product but assumes that the manufacturer knows what it’s doing. “When I talk to our FIPS analysis guys who helped write the standard, they said they’ve known about this problem for a long time.”
Although we cannot verify that they are actually safer, even if they were, customers should still be cautious about what information they put on portable flash drives and which type they buy. Most people use flash drives to easily transfer basic files, pictures, music, movies, and documents. Regardless, precaution is needed because, as with the initial attack (an attack most may have experienced first hand), flash drives can easily accept and transfer viruses, putting your computer and network at risk.