Tuesday, January 05, 2010

Decrypting USB flash drives is easy

According to this Slashdot article, a company has successfully decrypted USB flash drives. In our experience, this is probably true. Several years ago, we put a USB sniffer on the bus and found that most USB flash drives can be trivially broken.

It's a familiar story. Hackers don't break encryption, they break how encryption is used. In this case, hackers didn't break AES, they broke the fact the vendors didn't encrypt the drive with the password.

This is why you should distrust marketing messages like "military grade encryption" or "FIPS certified encryption". Sure, the encryption is secure, but that doesn't mean the vendor hasn't done something boneheaded, like leaving the password in clear-text.

If you are concerned about your USB drive, the easiest way to check it is to use a USB sniffer. There are lots of freeware and open-source products, as well as expensive hardware sniffers. You can check what is being sent to the drive in order to decrypt it. We have seen all sorts of weird things, such as the software asking the drive for the password (which we then see being sent in the clear over the USB bus). In this case, it appears that the software asks the drive if the password is correct, but then unlocks the drive using a fixed string.

There are only a few chipsets out there for USB drives. Regardless of the vendor name and the case on the outside, most drives are often the same on the inside. This is why there is a chain of failure. A vendor like Kingston doesn't know the innards of the chip. They simply build a product around it, and ship it through their channels. They trust that the chipset vendor knows what they are doing. This is why you can never trust encrypted USB drives: there is nobody that stands behind them. It would suggesting using a product like TrueCrypt or PGP disk on top of the flash drive, because these guys do stand behind their encryption.

10 comments:

jah said...

not sure about that second paragraph...

Emmett Jorgensen said...

Not all USB flash drive manufacturers have fallen prey to this flaw. Kanguru Solutions Kanguru Defender Elite encrypted flash drives are safe from this flaw. We also offer the ability to remotely manage our drives to help keep devices in compliance with organizational policies.

TechSlice said...

I think the hackers have a bit too much free time on their hands.

WBW said...

The motivation of the attacker does not play into the equation of risk. It's most functional to assume unlimited time, resources and knowledge when assessing risk values.

Anonymous said...

Interestingly, IronKey (ironkey.com) predicted this vulnerability and itself steered clear of it. I remember the first round of SANDisks so-called secure flash drives that did all the encryption in software, which caught the embarrassed when the software was compromised. It's sad that the same thing happened with hardware encryption in a way that they could have only done deliberately. Looks like a freebie backdoor for law enforcement to me.

Unknown said...

No matter what hackers actually do.. only truth is our data needs more safety. i have seen a lok-itusb which can help it out

Jenni said...

I got this info from an older blog, January 5th 2010
I am doing research for a book, and I want to make sure my information is accurate. If I had an encrypted flash drive, (an older one, say 2 to 4 years) I could hack it to get the information off it by using a UBS sniffer, is that correct? I wouldn’t necessarily need the pass code? How time consuming, what would the process be like? Does the soft ware search different codes to break it? Or does it try random letter or number until it lines up and cracks it?

Robert Graham said...

What we found were cases where the device would send the password in cleartext across the USB bus. By using a USB sniffer, we found the password.

Unknown said...
This comment has been removed by a blog administrator.
rax said...
This comment has been removed by a blog administrator.