IronKey: Our USB storage is secure
I'm a big fan of IronKeyUSB flash drives, so I thought that given the recent security vulnerability that was uncovered that affected certain Kingston, SanDisk and Verbatim drives I'd pass on the following from David Jevans, the CEO of the company.
In response to the reports that certain hardware-encrypted USB flash drives have been hacked on Monday, Jan. 4, IronKey, maker of the world's most secure flash drive, today announced that its devices are not vulnerable to the serious architectural flaw that has compromised many 'secure' USB storage devices. IronKey customers remain safe.
Reports detailing the vulnerabilities, and how to hack these devices, have been published by German security firm SySS. The vulnerability is a major flaw in the design of the affected products. In short, the products use software that runs on the host PC to verify the correctness of a user's password. This is an inherent design error, and is not secure. It is equivalent to a single shared backdoor password for all of these devices. Security analysts were able to write a simple unlocker tool patching the software and unlocking any of those devices instantaneously without the user's password.
"This security flaw means that data on the affected products is at risk of disclosure," said Dr. Dan Boneh, a leading authority in the fields of cryptography and computer science, and professor of computer science at Stanford University in applied cryptography and computer security. "FIPS 140-2 security validation is a useful tool in assessing the security of encryption products. However, it is not a guarantee that a product is secure. Implementing an encryption algorithm is only a part of a security implementation. Vendors building encryption products need to be skilled at security architecture, design, penetration testing and vulnerability analysis."
Designed to be the most secure portable storage devices in the world, IronKey devices verify the correctness of a user's password in hardware on the device. The security of IronKey devices does not depend on software on the host PC, which as this attack illustrates, can easily be tampered with. Additionally, IronKey devices do not have unlock codes or backdoors. Every IronKey device has unique random AES encryption keys that are generated on the device when a user initializes it.
"The products that were hacked were made by storage companies that primarily manufacture consumer memory products for cameras and MP3 players," David Jevans, CEO at IronKey said. "IronKey is first and foremost a security company. This incident illustrates that securing portable storage devices requires deep architectural understanding, threat modeling, security review and attention to detail in implementation."
Many years of security architecture and threat modeling have been applied to the design and development of IronKey devices. IronKey S200 and D200 products are validated to FIPS 140-2 Level 3, a far higher standard than FIPS 140-2 Level 2 for the products affected by this hack. Level 3 has much higher requirements for encryption key management, authentication, design assurance and physical security.