Hardware USB encryption is broken on three major brands
Data encryption has been an important topic in education, as in the rest of the public sector, ever since the UK government lost the personal and bank details of 25 million people on unencrypted discs that went missing in transit with courier company TNT back in 2007.
As a result, hardware-encrypted USB sticks have seemed like a good idea, even if they are hideously expensive (the SanDisk Cruzer Enterprise 8GB retails for nearly £300 at the time of writing; 10 times more than a non-encrypted version). Trouble is, it turns out the affected models are close to useless. The hardware-encrypted sticks in question from Verbatim, SanDisk and Kingston share the same unlocking design. The data on the flash is indeed encrypted with AES-256, and the key never leaves the controller. The problem is how that key gets released: the password is checked by software on the host PC, and once the check passes the software sends the drive one fixed unlock string that is the same for every password and every drive of that family, as reported on ZDNet:
“The crack relies on a weakness so astoundingly bone-headed that it’s almost hard to believe. While the data on the drive is indeed encrypted using 256-bit crypto, there’s a huge failure in the authentication program. When the correct password is supplied by the user, the authentication program always sends the same character string to the drive to decrypt the data no matter what password is used.”
Good work, morons. Nice to see you’re taking this security lark seriously.
What this means is that anyone who disassembles the authentication software and pulls out that string (which the German security firm SySS did) can write a program that sends it straight to the stick and decrypts the data without ever knowing the user’s password. Which SySS also did. Note what the attack does and does not need: physical possession of the stick and any PC, but no password, no brute force and no attack on the AES itself; the password prompt is pure theatre because the drive never sees the password at all. If you can read German you can download PDFs of the specific details of the SanDisk and Verbatim cracks.
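To make the flaw concrete, here is an added model of the two designs, written for this page and not taken from SySS, the vendors or the original post. Everything in it is constructed: the unlock string, the password, the file contents and the drive classes are all hypothetical, and because the Python standard library has no AES, a toy HMAC-SHA256 counter-mode stream stands in for the AES-256 the real drives use (the cipher is not where the flaw is). `FlawedDrive` releases its data key to whoever presents the fixed string; `HardenedDrive` keeps the data key wrapped under a password-derived key, so a replayed constant gets nothing.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher from HMAC-SHA256; stand-in for AES-256.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def derive_kek(password: bytes, salt: bytes) -> bytes:
    """Password-derived key-encryption key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


class FlawedDrive:
    """The broken design: the controller hands over the data to anyone who
    presents one fixed unlock string (constructed value, not the real one)."""

    UNLOCK_STRING = b"constructed-fixed-unlock-string"

    def __init__(self, plaintext: bytes):
        self.data_key = secrets.token_bytes(32)  # never leaves the controller
        self.nonce = os.urandom(16)
        self.ciphertext = keystream_xor(self.data_key, self.nonce, plaintext)

    def unlock(self, token: bytes):
        if hmac.compare_digest(token, self.UNLOCK_STRING):
            return keystream_xor(self.data_key, self.nonce, self.ciphertext)
        return None


class FlawedHostApp:
    """The password check lives entirely on the host; the drive never sees it."""

    def __init__(self, password: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = derive_kek(password, self.salt)

    def unlock(self, drive: FlawedDrive, password: bytes):
        if not hmac.compare_digest(derive_kek(password, self.salt), self.pw_hash):
            return None
        # Whatever the password was, the drive receives the same string.
        return drive.unlock(FlawedDrive.UNLOCK_STRING)


def replay_attack(drive: FlawedDrive):
    """What pulling the string out of the disassembled host software buys you:
    no password, no host app, just send the string to the drive."""
    return drive.unlock(FlawedDrive.UNLOCK_STRING)


class HardenedDrive:
    """Data key wrapped on the drive under a key derived from the password, so
    nothing the host can send is constant across passwords or drives."""

    def __init__(self, plaintext: bytes, password: bytes):
        self.salt = os.urandom(16)
        kek = derive_kek(password, self.salt)
        data_key = secrets.token_bytes(32)
        self.wrap_nonce = os.urandom(16)
        self.wrapped_key = keystream_xor(kek, self.wrap_nonce, data_key)
        self.wrap_tag = hmac.new(kek, self.wrapped_key, hashlib.sha256).digest()
        self.data_nonce = os.urandom(16)
        self.ciphertext = keystream_xor(data_key, self.data_nonce, plaintext)

    def unlock(self, kek: bytes):
        tag = hmac.new(kek, self.wrapped_key, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self.wrap_tag):
            return None  # wrong password: the data key is never unwrapped
        data_key = keystream_xor(kek, self.wrap_nonce, self.wrapped_key)
        return keystream_xor(data_key, self.data_nonce, self.ciphertext)


class HardenedHostApp:
    def unlock(self, drive: HardenedDrive, password: bytes):
        return drive.unlock(derive_kek(password, drive.salt))


def demo() -> dict:
    """Run both designs against the same constructed secret and password."""
    secret = b"constructed payroll.xlsx contents"
    flawed, flawed_app = FlawedDrive(secret), FlawedHostApp(b"correct horse")
    hardened, hardened_app = HardenedDrive(secret, b"correct horse"), HardenedHostApp()
    return {
        "flawed_good_pw": flawed_app.unlock(flawed, b"correct horse") == secret,
        "flawed_bad_pw_via_app": flawed_app.unlock(flawed, b"wrong") is None,
        "flawed_replay_no_pw": replay_attack(flawed) == secret,
        "hardened_good_pw": hardened_app.unlock(hardened, b"correct horse") == secret,
        "hardened_bad_pw": hardened_app.unlock(hardened, b"wrong") is None,
        "hardened_replay_from_other_drive": hardened.unlock(derive_kek(b"correct horse", os.urandom(16))) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point of the hardened half is only that the password must take part in releasing the key; a real device would go further and do the derivation and the wrong-guess counting inside the controller, since with the salt and wrapped key readable from the flash an attacker could otherwise guess passwords offline.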
Kingston have recalled the affected drives. Verbatim and SanDisk have both issued updates to the unlocking software. Competing company IronKey have been quick to point out that their (actually cheaper) products use a different system that is not vulnerable to this type of attack: the password check happens inside the device itself, so there is no fixed unlock string in a host program for anyone to extract and replay.