FIPS 140-2 Level 2 Certified USB Memory Stick Cracked

Encrypting USB Flash memory from Kingston, SanDisk and Verbatim.

Kingston, SanDisk and Verbatim all sell quite similar USB Flash drives with AES 256-bit hardware encryption that supposedly meet the highest security standards. This is emphasised by the FIPS 140-2 Level 2 certificate issued by the US National Institute of Standards and Technology (NIST), which validates the USB drives for use with sensitive government data. Security firm SySS, however, has found that despite this it is relatively easy to access the unencrypted data, even without the required password.

This is from the H-Online Article:
NIST-certified USB Flash drives with hardware encryption cracked
Yes; DCI specifies that the equipment meets FIPS Level 3, not Level 2. But 3 huge companies making the same mistake? Hmmm. Plus, this is not just a DCinema issue, this affects everyone who tries to keep their personal or work computer safe, trusting devices and technology of this type. My guess is that there was an Application Note that specified how to make a particular chipset work (which all the manufacturers used). It was the Application Note that everyone followed and which had the implementation flaw. Just a guess.

The article continues, excerpted below. There is also some fine commentary about this issue at: Schneier on Security.


The USB drives in question encrypt the stored data via the practically uncrackable AES 256-bit hardware encryption system. … the SySS security experts found a rather blatant flaw that has quite obviously slipped through testers’ nets. … the program will, irrespective of the password, always send the same character string to the drive after performing various crypto operations…

Cracking the drives is therefore quite simple. The SySS experts wrote a small tool … The vulnerable devices include the Kingston DataTraveler BlackBox, the SanDisk Cruzer Enterprise FIPS Edition and the Verbatim Corporate Secure FIPS Edition.
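To make the flaw in the excerpt concrete, here is an added toy model (constructed for this post; it is not SySS's tool, nor any vendor's firmware or access-control application). The first half shows the pattern the article describes: the host program checks the password itself and then sends the drive the same unlock string no matter what, so anyone who sends that string gets the data. The second half shows the design the drives should have had: the host forwards a key derived from the password, the drive does the check, and the drive holds only ciphertext. The constant `FIXED_UNLOCK_TOKEN`, the sample payload, the class names and the HMAC-based stream standing in for the drive's AES are all assumptions made for the example.

```python
import hashlib
import hmac
import os

SECRET_DATA = b"constructed sample payload, not real data"  # constructed sample input

# ---------------------------------------------------------------------------
# Vulnerable design (the pattern the article describes): the host application
# checks the password, then sends the drive the same unlock string every time.
# ---------------------------------------------------------------------------

# Assumed constant for the example; the real string sent by the vendors' software is not on the page.
FIXED_UNLOCK_TOKEN = bytes.fromhex("00112233445566778899aabbccddeeff")


class VulnerableDrive:
    """Drive that knows only the constant; it never sees the user's password."""

    def __init__(self, data: bytes):
        self._data = data
        self._unlocked = False

    def unlock(self, token: bytes) -> bool:
        self._unlocked = hmac.compare_digest(token, FIXED_UNLOCK_TOKEN)
        return self._unlocked

    def read(self) -> bytes:
        if not self._unlocked:
            raise PermissionError("drive is locked")
        return self._data


class VulnerableHostApp:
    """The password check lives here, in software the attacker controls."""

    def __init__(self, password: str):
        self._pw_hash = hashlib.sha256(password.encode()).digest()

    def login(self, drive: VulnerableDrive, password: str) -> bool:
        if not hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self._pw_hash):
            return False
        return drive.unlock(FIXED_UNLOCK_TOKEN)  # same bytes for every user and every password


def demo_vulnerable():
    """Returns (legitimate login works, password-less bypass works)."""
    drive = VulnerableDrive(SECRET_DATA)
    app = VulnerableHostApp("correct horse")
    legit = app.login(drive, "correct horse") and drive.read() == SECRET_DATA

    # The bypass: skip the host-side check entirely and send the constant yourself.
    drive2 = VulnerableDrive(SECRET_DATA)
    bypass = drive2.unlock(FIXED_UNLOCK_TOKEN) and drive2.read() == SECRET_DATA
    return legit, bypass


# ---------------------------------------------------------------------------
# Hardened design: what the host sends is derived from the password, the drive
# does the verification, and the stored data is ciphertext under that key.
# ---------------------------------------------------------------------------

def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream from HMAC-SHA256, standing in for the drive's AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class HardenedDrive:
    """Drive that stores a salt, a key verifier and ciphertext; no plaintext, no constant."""

    def __init__(self, data: bytes, password: str):
        self.salt = os.urandom(16)
        key = derive_key(password, self.salt)
        self._verifier = hmac.new(key, b"unlock-verifier", hashlib.sha256).digest()
        self._ciphertext = keystream_xor(key, data)
        self._key = None

    def unlock(self, key: bytes) -> bool:
        candidate = hmac.new(key, b"unlock-verifier", hashlib.sha256).digest()
        self._key = key if hmac.compare_digest(candidate, self._verifier) else None
        return self._key is not None

    def read(self) -> bytes:
        if self._key is None:
            raise PermissionError("drive is locked")
        return keystream_xor(self._key, self._ciphertext)


class HardenedHostApp:
    """Holds no secret of its own: it derives the key from the password and forwards it."""

    def login(self, drive: HardenedDrive, password: str) -> bool:
        return drive.unlock(derive_key(password, drive.salt))


def demo_hardened():
    """Returns (correct password works, wrong password works, constant-replay works)."""
    drive = HardenedDrive(SECRET_DATA, "correct horse")
    app = HardenedHostApp()
    good = app.login(drive, "correct horse") and drive.read() == SECRET_DATA
    bad = app.login(drive, "wrong password")
    replay = drive.unlock(FIXED_UNLOCK_TOKEN)
    return good, bad, replay


if __name__ == "__main__":
    print("vulnerable (legit, bypass):", demo_vulnerable())
    print("hardened (good, bad, replay):", demo_hardened())
```

The difference that matters is where the secret lives: in the first design the drive's unlock decision depends on nothing the user knows, so a patched host program, or any tool that speaks the USB protocol, can replace the password prompt; in the second, the unlock value is a function of the password and the drive's own salt, and the data is only ever stored encrypted under that key, so there is no constant worth replaying and nothing to read if the check is skipped.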

When notified by SySS about this worst case security scenario, the respective vendors responded quite differently. Kingston started a recall of the affected products; SanDisk and Verbatim issued woolly security bulletins about a “potential vulnerability in the access control application” and provided a software update.
