Kingston flash drives suffer password flaw

Kingston Technology has asked customers to return certain models of its DataTraveler secure flash drives for an update, following the discovery of a flaw in the memory sticks.

The affected models include the DataTraveler BlackBox; DataTraveler Secure — Privacy Edition; and DataTraveler Elite — Privacy Edition.

The flaw lies in how the drives process passwords, Jim Selby, Kingston's manager of European product marketing, told ZDNet UK on Monday.

"The encryption itself is sound, but there is a small loophole regarding the processing of the password," said Selby. "Someone who is skilled enough, with the right tools, could exploit the weakness."

The flaw, which is exploitable if a hacker has physical access to the drives, was brought to Kingston's attention by a German penetration testing company called SySS, said Selby. SySS wrote a piece of software that uncovered the workings of the password authentication process, he added.

Kingston first alerted customers to the flaw before Christmas by posting a warning on its drive information page.

Selby urged UK customers to contact Kingston's customer support team on 01932 738950 to arrange to have drives updated. At the moment, customers need to physically send the drive back to Kingston for a factory reset. However, Selby said the company was in the process of working on a firmware update that can be downloaded.