January 10, 2010, 12:32 PM — If you're like me, you've taken to carrying important data on USB sticks or flash drives. They're handy, you can use them on any PC, and with built-in encryption even if you lost them it was no big deal. Bad news: It's now a big deal.
The German security company SySS GmbH discovered that many, but not all, of today's encrypted USB sticks and flash drives are actually vulnerable to a relatively easy attack. It is not that the encryption itself-usually AES (Advanced Encryption Standard) encryption--that has been broken. It hasn't been. Despite what you may have read from some fear-mongers, AES remains unbroken.
What has happened though is that it appears many vendors didn't think through how they let people use the encryption in the first place. When you use a new encrypted USB drive for the first time, the drive already has a default device password. When the device's software asks for you to enter a password, it places its device password on your computer to authorize your drive and your password. Once on the computer, SySS discovered that you could watch the password authorization process.
That was bad enough. With it, a patient cracker could tease out what the device password was. What was worse was that the company discovered that companies were using the same device password on all their drives. Whoops.
Armed with this information, SySS showed that you could modify the password authentication routine for a given device so that it would always authorize any password you'd care to give it. In short, SySS had created skeleton keys for many common secure USB drives. Or, as David Jevans, CEO of USB manufacturer IronKey Corp. told Computerworld, "So if a hacker is able to find those default set of characters, all they need to do is return those and they will have access to encrypted data on the drive."
Not all USB drives are vulnerable to this attack. IronKey does a better job of managing its device's security by not using a static device password and by verifying a user's password on the device's hardware itself, rather than using the computer for verification.
If, however, you use an encrypted USB key drive or other storage device from Kingston Technology, SanDisk Corp., or Verbatim Corp., chances are if you lose your drive, someone will be able to quite easily break into it.
So, what should you do? Well, the first thing as always with any of these devices is to take care of it. If someone doesn't have it in their hands, they can't do anything with it. Other than that common-sense recommendation, if you own one of those drives, get anything potentially sensitive off it. Now.
Next, you should back up the drive and get ready to upgrade its software. In the case of SanDisk and Verbatim, you can get the update software from the company's website. With Kingston, you'll need to contact technical support first for an update. Once the update is in place, you can restore your data and get back to work.
Even with these updates, the password decryption on these drives is still done on the computer, but now each individual device has its own unique password. This blocks the simple attacks that SySS discovered and makes it orders-of-magnitude harder for a cracker to break into these drives. That said, drives like IronKey's, which don't do any password authorization on the computer, are safer still.
