Cracked USB drives show NIST certification is not so secure

The H reports that experts from German penetration testing company SYSS discovered a flaw in the way that the Windows-based password entry program accesses the encrypted USB drives. The Windows software always sends the same character string to the drive to gain access to the data, regardless of the password that is used, it was discovered. It was therefore relatively simple to alter the program, making it send the character string to access the encrypted data regardless of which password was entered.

The news has caused a panic among drive vendors. Kingston issued a recall for its DataTraveler BlackBox, Secure, and Elite ranges of encrypted USB drives, although the company said that several of its other drives were not affected.

Verbatim chose not to recall its encrypted drives, but instead provided a software update to fix the problem. "This issue is only applicable to the application running on the host system," the company noted. "It does not apply to the device hardware."

SanDisk indicated the same thing, providing a software patch for its encrypted device access mechanism. The flaw affects 16 of its encrypted drive SKUs, it said.

All of these encrypted drives were issued with a FIPS 140-2 Level 2 certificate by the National Institute of Standards and Technology in the US. This enables them to be used to store sensitive government data.

What’s hot on Infosecurity Magazine?