Major flaws in USB stick software leads to secure drives being unlocked easily

Reports claiming that hardware-encrypted USB flash drives were hacked earlier this week have revealed a major flaw in the products' design.

German security firm SySS published reports detailing the vulnerabilities in Kingston, SanDisk and Verbatim flash drives, and detailed how they can be hacked. It claimed that the vulnerability lies in a major flaw in the design of the affected products.

It said that there was an inherent design error in the software that runs on the host PC to verify the correctness of a user's password, and is not secure. SySS said it was equivalent to a single shared backdoor password for all of these devices, as security analysts were able to write a program that sent the ‘unlock' code regardless of the password entered, and gain immediate access to the flash drive's entire contents.

SanDisk has issued a security bulletin, saying it had ‘recently identified a potential vulnerability in the access control mechanism and has provided a product update to address the issue'. It said that the issue is only applicable to the application running on the host and does not apply to the device hardware or firmware, and all Enterprise USB flash drives being shipped to customers as of today contain the product update.

It said: “SanDisk has also taken measures to inform customers and channel partners about the issue and has provided a software product update online to secure existing Cruzer Enterprise USB flash drive devices.

“Preserving customer security and product reliability continues to be a top priority at SanDisk. SanDisk will continue to work diligently with customers as well as third-party security researchers to maintain high levels of security.”

Verbatim also said that it had ‘recently identified a potential vulnerability in the access control application and has provided a product update to address the issue'.

It said in a security update: “This issue is only applicable to the application running on the host system. It does not apply to the device hardware. Maintaining the security of your data is a top priority at Verbatim. We will continue to work diligently to provide the highest levels of security for your data.”

Kingston said that individuals should contact its technology support to receive an update.

David Jevans, CEO at IronKey, said: “The products that were hacked were made by storage companies that primarily manufacture consumer memory products for cameras and MP3 players.

“IronKey is first and foremost a security company. This incident illustrates that securing portable storage devices requires deep architectural understanding, threat modelling, security review and attention to detail in implementation.”

Anders Pettersson, CSO at BlockMaster, said: “A flaw has been found in competing products to SafeStick. SafeStick does not contain this flaw. The flaw exposed by the independent penetration testing firm SySS enables any user to access the unencrypted data quickly on all shipped drives from select competitors without the required password.

“BlockMaster issues this statement to clearly inform customers and partners that this is not a flaw found in any version of SafeStick.”

Sign up to our newsletters