Encryption busted on NIST-certified Kingston, SanDisk and Verbatim USB flash drives

Encryption busted on NIST-certified Kingston, SanDisk and Verbatim USB flash drives

Summary: A word of warning to those of you who rely on hardware-based encrypted USB flash drives. Security firm SySS has reportedly cracked the AES 256-bit hardware-based encryption used on flash drives manufactured by Kingston, SanDisk and Verbatim.

TOPICS: Hardware

A word of warning to those of you who rely on hardware-based encrypted USB flash drives. Security firm SySS has reportedly cracked the AES 256-bit hardware-based encryption used on flash drives manufactured by Kingston, SanDisk and Verbatim.

The crack relies on a weakness so astoundingly bone-headed that it's almost hard to believe. While the data on the drive is indeed encrypted using 256-bit crypto, there's a huge failure in the authentication program. When the correct password is supplied by the user, the authentication program always send the same character string to the drive to decrypt the data no matter what the password used. What's also staggering is that this character string is the same for Kingston, SanDisk and Verbatim USB flash drives.

Cracking the drives is therefore quite an easy process. The folks at SySS wrote an application that always sent the appropriate string to the drive, irrespective of the password entered, and therefore gained immediate access to all the data on the drive.

This is a big deal also from a point of certification. These drives are sold as meeting security standards making them suitable for use with sensitive US Government data (unclassified rating) and have a FIPS 140-2 Level 2 certificate issued by the US National Institute of Standards and Technology (NIST).

Vendors have had a mixed reaction to the news. Kingston has done the right thing and issued a recall. Verbatim and SanDisk has issued a statement and have updates available, but the threat is downplayed.

Bottom line, check your flash drives!

Topic: Hardware

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Wow

    thats so astoundingly retarded of the vendors. Its looking to be that whatever "certification" labling on the drives by the manufacturer is to be taken with a grain of salt. I guess Ill go back to using my TrueCrypt scenario - at least that I KNOW doesnt make a boneheaded mistake like these drives did. I wonder how IronKey holds up?
  • RE: Encryption busted on NIST-certified Kingston, SanDisk and Verbatim USB flash drives

    Does anyone know if the same weakness exists for U3 drives as well? I see that they are part of the recall.
    • oops

      I meant to say that U3 drives are NOT part of the recall
      • U3 = Cr@p

        U3 isn't encryption, it's a registry hijacker. U3 technology and others like it are pure crap... I've seen them toast computers just by pluging a drive in...
        • um...

          U3 doesn't employ a virtualization scheme so it doesn't do anything to the registry that plugging in a basic USB drive doesn't do - this comment is both uninformed and irrelevant to my question. Sandisk U3 drives do encrypt the data in memory and the U3 framework does allow the user to require a correct password to be entered in order for the drive to be accessible to the file system. What I'm asking here is if the same work around that works against the enterprise drives also works against U3 drives? Can the encrypted data on the drive be accessed without authenticating?
          • Your answer is YES

            The same vulnerability here is probably present in the U3 things, which by the way, have been DISCONTINUED and will not work on Windows 7.
          • U3 works for me on Win7

            Please check your information. I have many U3 UFDs and they all work for me on Win7. Do you mean that a specific U3 application does not work?
          • No, I meant the ENTIRE U3 Launchpad doesn't work

            And one of my applications that I use a lot (ACDSee Pro 3) locks up every single time I put a U3 drive in the computer without closing it first... when a regular old USB drive being put on doesn't make it barf like that.
            Finally had to use the 'U3 uninstaller' to totally remove the U3 stuff from the drive and treat it like a regular flash drive.

            I'll espouse a bit more: I have gotten the Launchpad to work by setting it for Windows Vista compatibility mode... but that's a pain.

            U3 has also been totally discontinued now... it was bought out by Microsoft and they are not supporting it anymore and have such down that section totally.
    • Yes U3 drives are subject.

      Yes the encryption built into the drives has nothing to do with them being U3 drives. U3 is only a way for programing on the drives to operate directly from the drive. So U3 is a program feature and the encryption problem is a hardware problem related to the encryption program used by the drives to encrypt/decrypt data on the drive.
      • NIST = NOT Secure!... IronKey = SAFE :D

        IronKey is Military Grade security. But sizes are limited at the moment. Here's a quote on how it works:

        "Plenty of USB storage keys are on the market, but Ironkey is the first to use military level encryption. Sold in 1GB, 2GB, and 4GB sizes, the key features a processor called the Cryptochip, which uses Public Key Cryptography ciphers linked to an online account to create encryption keys on the hardware. A Federal Information Processing standard 140-2 compliant true random number generator on the Cryptochip ensure that encryption keys are extremely secure and totally random."


        This works on the principle of Secure Java. Which runs on all Secure CC transactions. Along with other Secure Banking Transactions even on Cell Phones.

        The Mighty unhackable Sony PS3 and BD+ Game Disks also have a similar system. Using remote encryption authentication techniques. Random Keys are guaranteed every time. Hack one and it's changed, disabled then listed. Remote authentication ensures in both direction who each party is and the identity of the device.

        On the other hand Xbox 360 has been hacked since 6mos after it came out with DVD Game Disks and no remote key authentication!

        So Microsoft should quit using security techniques even kindergartners can hack in ActiveX .NET! :D
  • Ironkey

    Developed for US military using proprietary encryption.
    • The encryption is not proprietary.

      The device may have proprietary software on it,
      but the encryption itself if not proprietary,
      and you don't want it to be proprietary.

      Proprietary == untested, unproven. Reverse
      engineering has often proven to be the downfall
      of proprietary encryption algorithms.

      The best encryption algorithms are those that
      are tested and proven under the scrutiny of the
      larger security community and the general

      Ironkey uses 256 bit AES, which is tested and
      found to be very strong. Even though it's a
      publicly available algorithm, there's yet to be
      found a major weakness. That says a lot about
      the security of the algorithm.

      Note that the weakness was not the encryption
      itself, but rather terrible handling of the
      encryption key. AES itself wasn't broken.

      According to Ironkey, their devices have been
      checked and don't have that vulnerability.


    • MXI Security

      USED by the US military ;)
  • A bit confused

    I get that the encryption method was busted, but I find the description a bit confusing. Are you saying that the user has to access a hardware program and but once the program is run it always uses the same key to unencrypt the data? And they broke it by determining what that unencryption key is, so they can pull the encrypted data off the drive and then unencrypt it?
  • Don't call it NIST certified

    Some of algorithms used by the products meet NIST FIPS
    standards, but that's far different than being NIST
    certified. If you wanted to sell a device to the
    government for top secret usage for example, and even if
    all the components meet the standards, the NSA still
    inspects the implementation. Just because you're using
    AES doesn't mean you implemented AES correctly.

    In this case, the products implement strong encryption
    but useless authentication.
    • I may be mistaken

      But the Kingston BlackBox USB drive actually [b]is[/b] NIST certified, at least at FIPS 140-2, whatever that means.
    • Sandisk and Kingston have NIST certified CMs

      Both Sandisk and Kingston have UFD controllers certified as FIPS 140-2 Lvel 2 cryptographic modules. The certificate numbers are: 932 and 929. If these are the controllers in the devices tested then it is proper to label them "FIPS 140-2 Inside".
  • RE: Encryption busted on NIST-certified Kingston, SanDisk and Verbatim USB flash drives

    Epic fail as usual... lazyness and obscurity will always prevail !!
  • The emperor wears no clothes!

    So as we have seen in the past, even the best laid plans of mice and men can fail for the stupidest reasons...
    question is just how the affected vendors will handle it.
    I mean it should be simple enough for them to write new firmware that doesn't use the same decryption key regardless of password.
    Then the drives could be retrofitted and saved.
    Additionally, one would have to have physical possesion of the device to get the data anyway.
    But this is like a big stink on the face of these manufacturers....!
  • SHHhhhhs!

    Didn't the Chinese already do this; since they make all of them?