02 Sep 2010
Support Center
»
Knowledgebase
»
Sandisk, Kingston USB Sticks Hacked SafeStick NOT Vulnerable
Sandisk, Kingston USB Sticks Hacked SafeStick NOT Vulnerable
Solution
A critical security flaw has been exposed in certain "Encrypted" USB flash drives from SanDisk, Kingston and Verbatim. The flaw exposed by the independent penetration testing firm SySS enables a hacker to access data without the required password, rendering the encryption feature useless.
Blockmaster and Softek would like to assure all of our customers that all versions of SafeStick DO NOT contain such a flaw and all SafeStick customers data remains fully protected.
SafeStick has been designed from the ground-up to be the most secure, user friendly and feature rich encrypted storage media available. They are 100% secure.
http://www.safestick.co.uk/prod/as/sandisk_kingston_hacked.asp
What is the issue?
On January 4, 2010, it was reported by SySS to the media that certain hardware-encrypted USB flash drives have been hacked. Of major concern is that some of these devices have received FIPS 140-2 Level 2 security validation. FIPS 140-2 security validation is required by certain Government agencies to use encryption products.
More information on the reports, research and other news articles relating to this issue can be found here.
Some of the reportedly affected devices include:
SanDisk Cruzer Enterprise FIPS Edition with McAfee
SanDisk Cruzer Enterprise FIPS Edition
SanDisk Cruzer Enterprise with McAfee
SanDisk Cruzer Enterprise USB drive
Kingston DataTraveler BlackBox
Kingston DataTraveler Secure – Privacy Edition
Kingston DataTraveler Elite – Privacy Edition
Verbatim Corporate Secure FIPS Edition
Verbatim Corporate Secure USB Flash Drive
*NOTE* SanDisk OEM their software to other vendors - Kingston, Verbatim and others included - we recommend checking with your supplier if you are in any doubt.
What is the flaw, and what does it mean in practice?
All affected devices can be unlocked instantaneously, and at will with the right tools without knowing the user’s password - rendering the encryption totally useless.
The vulnerability is a fundamental architectural design flaw. The affected products use software that runs on the host PC to verify the user’s password, and then sends a signal to the device to unlock itself. SySS was able to write a simple software unlocker tool that patches the software to always send the unlock code to the devices.
The security flaws of these products include:
Using software on the host PC to validate the password.
Using a "backdoor" unlock code. This not only allows attackers to gain access, but it allows the vendors of these products to unlock any of these devices as well.
Allowing "password replay" attacks. Once the unlock code sequence is known, it can be used over and over again.
What makes SafeStick the most secure device, and not vulnerable to such an attack?
There are NO BACKDOOR PASSWORDS OR UNLOCK CODES in a SafeStick.
The user password is verified within the SafeStick hardware device.
The SafeStick brute-force protection is also operated within the hardware controller.
The password entered by the user is hashed in the SafeStick computer host software using MD5.
The unique password string enters the SafeStick BM9930 hardware controller through a totally secure private channel over USB.
The hashed password string is hashed once more (SHA256) in firmware onboard the SafeStick device.
The dually hashed password is used to access the hardware encrypted cryptographic keys created with the random number generator (ANSI X9.31 RNG) onboard SafeStick.
The unique cryptographic keys are used to encrypt all user stored information with AES256-CBC.
The SafeStick hardware is fully epoxy encapsulated - tamper proof.
I thought FIPS 140 Level 2 Certification meant it was totally secure. Why not?
Softek & Blockmaster have been asked many times why SafeStick does not currently have FIPS 140-2 or 3 accreditation (as at 8th January 2010).
We have always maintained that the standard SafeStick is more secure than the FIPS baseline accreditaion. However SafeStick IS currently undergoing FIPS accreditation, and already has UK Government CESG / CCTM certification.
The truth is that this a US Government "baseline" for a security product, a "tick box" if you will for customers, and while it does involve rigorous testing of products it does not guarantee that a product is 100% secure, just that it meets a baseline security standard.
Many vendors think that data security means data encryption. The Encryption component is actually a very small part of the overall security implementation of the device as the above vulnerability demonstrates. Products must be designed to ensure secure password management, authentication, encryption key management, design assurance as well as physical security.
In this vulnerability case, the vendors created "backdoors" to unlock all devices, using software running on the host PC and still passed the FIPS 140-2 Level 2 validation.
Article Details
Article ID:
591
Created On:
08 Jan 2010 09:53 AM
This answer was helpful
This answer was not helpful
User Comments
Add a Comment
Sharing is good. If you have a comment about this entry, please feel free to share. The comments might be reviewed by our staff, and may require approval before being posted. Questions posted will not be answered. Please submit a Ticket for support requests.
Image verification required
Please enter the characters that appear to the right in the space provided. This is just to verify that you are a human.
Fullname:
Email: (Optional)
Comments:
Back
Login
[Lost Password]
Email:
Password:
Remember Me:
Search
-- Entire Support Site --
Knowledgebase
Downloads
Article Options
Add Comment
Print Article
PDF Version
Email Article
Add to Favorites
Home
|
Register
|
Submit a Ticket
|
Knowledgebase
|
Downloads
Language:
English (U.K.)
by Softek SupportSuite v3.70.02
