SanDisk Corp. and Verbatim Corp. have joined Kingston Technology Inc. in warning customers about a potential security threat posed by a flaw in the hardware-based AES 256-bit encryption on their USB flash drives.
The hole could allow unauthorized access to encrypted data on a USB flash drive by circumventing the password authorization software on a host computer.
"It's really onerous. It's a stupid crypto mistake and they screwed up, and they should be rightfully embarrassed for making it," said cryptographer and computer security specialist Bruce Schneier.
Verbatim warned that the security flaw exists in its Verbatim Corporate Secure and Corporate Secure FIPS Edition series of USB flash drives; SanDisk revealed a threat related to its Cruzer Enterprise series of USB flash drives. Both companies issued online application upgrades to address the issue.
According to SanDisk and Verbatim, the security issue only applies to the application running on the host system; it doesn't apply to the drive itself or the drive's firmware. Computerworld reported earlier this week that Kingston had recalled its DataTraveler secure USB flash drives so it could update the devices because of the same issue. The Kingston models affected include the DataTraveler BlackBox, DataTraveler Secure-Privacy Edition and DataTraveler Elite-Privacy Edition.
All three companies claimed their USB drives had met security criteria set by the Federal Information Processing Standard (FIPS) 140-2. FIPS is a U.S. government standard used to accredit devices with encryption algorithms. The standard was developed by the National Institute of Standards and Technology and includes both hardware and software components. FIPS 140 covers four levels of security.
"There are lots of certifications out there, and they mean very different things," Schneier said. "These certifications are far more about marketing than they are about real security."
Storage companies tout FIPS 140-2 certification as part of their marketing materials, stating that their devices are secure enough for use by government agencies. Because of security problems in the past, however, the government has banned the use of removable flash media devices by its employees.
"What does the NIST certification mean? Is it a good standard or a bad standard? That certainly is the issue here," Schneier said. "If you look at the NIST certification, all it means ... is there's some level of tamper resistance in the hardware. Does it mean it's any good? No."
German security company SySS GmbH found the flaw when it tested the drives' security and designed code for each device that modifies the software running in the computer's memory, telling it to always authorize the password -- no matter who enters it or what it is.
Schneier said NIST will likely have to revamp its certification standards to cover the hardware-based encryption flaw found by SySS.
In a response to a Computerworld inquiry, NIST said it is aware of the vulnerability involving several FIPS 140-2-validated USB drives and is now reviewing information on the flaw.
According to NIST, the FIPS 140-2 certification only covers cryptographic modules, which scramble data into an encrypted format that is indecipherable. The data is then decrypted and retrieved only by entering the correct password, key or other means of authentication processed by the module.
"From our initial analysis, it appears that the software authorizing decryption, rather than the cryptographic module certified by NIST, is the source of this vulnerability," a statement read. "Nevertheless, we are actively investigating whether any changes in the NIST certification process should be made in light of this issue."
According to Fountain Valley, Calif.-based Kingston, the security flaw involves the way the drives process passwords. According to Kingston, "a skilled person with the proper tools and physical access to the drives may be able to gain unauthorized access to data contained on" its DataTraveler encryption-enabled USB drives.
A Kingston spokesman said the company would not comment on any specifics surrounding the security flaw, because "anything we say [could give] other hackers fuel and clues" as to how to break into the drive's security features.
The security flaw appears to be in the password authentication process in the host computer's memory. When a new USB flash drive from one of the companies is used for the first time, software on the device tells the computer it's a CD-ROM, allowing it to automatically ask for a password to unlock data on the device after a password is established. While the user's password is stored on the USB drive, the authentication code runs on the PC or a server's CPU.
Ultimately, the authentication password used by each company's host software is the same on all of that company's devices.
"So if a hacker is able to find those default set of characters, all they need to do is return those and they will have access to encrypted data on the drive," said David Jevans, CEO of high-end USB manufacturer IronKey Corp. IronKey makes USB drives using higher-cost single-level cell NAND flash memory, compared with the more typical multilevel cell NAND flash that most other manufacturers use.
Jevans agreed that FIPS certification, which IronKey also touts, is to some extent marketingspeak that's needed to sell to government agencies and private corporations. But "there's more value to it," he said.
"We don't want people implementing proprietary cryptographic algorithms, which are almost always shown to be flawed," Jevans said. "That's one benefit: FIPS specifies that you will use well-known cryptographic algorithms, and AES went through a long and detailed public evaluation."
When Kingston, SanDisk and Verbatim issued their warnings, IronKey was among a number of companies to issue statements reassuring customers that their devices were safe from the same attacks. Jevans said that's because the password and authentication process is contained on the USB drive itself and has nothing to do with the host system.
"We don't trust the computer at all," he said. "The computer could have malware on it or have hackers accessing it. In our security design, we said we have to assume the computer is completely untrustworthy. That's where we started our threat modeling."
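The difference between the host-side check and the on-drive check described above, as a simplified Python model added here (not code from the article, SySS or any vendor). `VENDOR_UNLOCK`, the class and function names and the retry limit are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the per-vendor value the article says is identical on every drive.
VENDOR_UNLOCK = b"constructed-unlock-value"

def kdf(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)

class HostCheckedDrive:
    """Flawed model: the drive opens for one fixed value; the password is checked on the host."""
    def __init__(self, password: bytes):
        self.salt = os.urandom(16)
        self.verifier = kdf(password, self.salt)  # stored on the drive, readable by the host

    def unlock(self, value: bytes) -> bool:
        return hmac.compare_digest(value, VENDOR_UNLOCK)

def honest_verify(drive, password: bytes) -> bool:
    return hmac.compare_digest(kdf(password, drive.salt), drive.verifier)

def tampered_verify(drive, password: bytes) -> bool:
    return True  # models host code altered in memory to always authorize

def host_login(drive, password: bytes, verify) -> bool:
    """Host software: `verify` is the in-memory check; on success it sends the constant."""
    if verify(drive, password):
        return drive.unlock(VENDOR_UNLOCK)
    return False

class DeviceCheckedDrive:
    """Hardened model: the drive verifies the password itself and limits retries."""
    MAX_TRIES = 5  # assumed policy, not from the article

    def __init__(self, password: bytes):
        self.salt = os.urandom(16)
        self.verifier = kdf(password, self.salt)  # never leaves the drive
        self.failures = 0

    def unlock(self, password: bytes) -> bool:
        if self.failures >= self.MAX_TRIES:
            return False  # locked out until reset
        ok = hmac.compare_digest(kdf(password, self.salt), self.verifier)
        self.failures = 0 if ok else self.failures + 1
        return ok
```

In the first model the decision is made in code the drive cannot see, so the drive's answer depends only on a constant; in the second, nothing the host does changes the outcome of the check.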
Jevans said FIPS doesn't tell vendors how to build a secure product but assumes that the manufacturer knows what it's doing. "When I talk to our FIPS analysis guys who helped write the standard, they said they've known about this problem for a long time."
Current FIPS standards don't defend against the vulnerability because, in a corporate environment, being able to unlock and manage hundreds of USB flash drives with a single administrative password is useful, Jevans noted, "which is effectively what this vulnerability is."
The device password, which is unlocked by a user password, is built into the software that resides on all of the USB drives.
"You can see why, in a data center environment, that makes sense. But that's very different from millions of users walking around with these things," he said. "That's not currently contemplated with the FIPS standards and where I think they're going to be evolving it."
Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld.