Secure USB Flaw Exposed

A flaw in USB vendor SanDisk’s secure USB technology is leaving multiple devices vulnerable to attack, and has led to the recall and patching of multiple vendors’ secure USB drive products. The flaw resides in the password-handling process of the encrypted USB keys.

SanDisk has issued a security alert and updates for multiple Cruzer Enterprise models that fix the bug in the access-control features. SanDisk emphasized in its alert that the flaw was not in the device hardware or firmware, but in the application that runs on the host system.

Kingston Technologies, which uses SanDisk software in its products, has recalled 3 of its secure USB drives, warning its customers in its notice that data on the encrypted drives could be accessed by seasoned attackers with local access and a specialized tool. Kingston recommends that the drives be physically returned for updates, although the company is also reported to be working on a downloadable patch.

Verbatim, which also uses SanDisk technology, has issued an update alert on some of its USB products, as well.

The vulnerability, discovered by researchers at German penetration testing firm SySS, would provide access to data on the drives if a weakness in the way the software handles passwords were exploited. The problem lies in the fact that the drives check passwords in software running on the host computer, and then rely on the same underlying master password to unlock the device. Vendor IronKey suggests that their devices, which use dedicated hardware components for security measures, are the way to go.
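To make the design point concrete, here is an added toy model of the two approaches the article contrasts. It is constructed for this page and is not SanDisk's, Kingston's or SySS's code; the class names, the 32-byte placeholder unlock value, the PBKDF2 iteration count and the attempt limit are all assumptions. In the weak design the only password check lives in the host application, and the device merely accepts a fixed unlock value; in the hardened design the device derives and verifies the key from the password itself, so there is no host-held constant that stands in for the password.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for the toy model (not taken from any vendor documentation).
PBKDF2_ITERATIONS = 100_000
MAX_ATTEMPTS = 10


class WeakDevice:
    """Device that trusts the host: it only knows a fixed unlock value."""

    def __init__(self, unlock_value: bytes) -> None:
        self._unlock_value = unlock_value  # identical on every unit, never changes
        self.unlocked = False

    def unlock(self, token: bytes) -> bool:
        # The device never sees the user's password; it only compares the token.
        self.unlocked = hmac.compare_digest(token, self._unlock_value)
        return self.unlocked


class WeakHostApp:
    """Host-side software: checks the password itself, then sends the constant."""

    def __init__(self, device: WeakDevice, password: bytes, unlock_value: bytes) -> None:
        self._device = device
        self._password_hash = hashlib.sha256(password).digest()
        self._unlock_value = unlock_value

    def login(self, password: bytes) -> bool:
        # The only password check in the whole system happens here, on the host.
        if hmac.compare_digest(hashlib.sha256(password).digest(), self._password_hash):
            return self._device.unlock(self._unlock_value)
        return False


class HardenedDevice:
    """Device that verifies the password itself; no host-held secret replaces it."""

    def __init__(self, password: bytes) -> None:
        self._salt = secrets.token_bytes(16)
        key = self._derive(password)
        # The verifier is derived from the key but does not reveal it.
        self._verifier = hmac.new(key, b"verify", hashlib.sha256).digest()
        self._attempts = 0
        self.unlocked = False
        self.data_key = None

    def _derive(self, password: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, self._salt, PBKDF2_ITERATIONS)

    def unlock(self, password: bytes) -> bool:
        if self._attempts >= MAX_ATTEMPTS:
            return False  # locked out; a real device would wipe its key here
        key = self._derive(password)
        candidate = hmac.new(key, b"verify", hashlib.sha256).digest()
        if hmac.compare_digest(candidate, self._verifier):
            self._attempts = 0
            self.unlocked = True
            self.data_key = key  # obtainable only from the correct password
            return True
        self._attempts += 1
        return False


def weak_design_report() -> dict:
    """Shows what the weak device enforces on its own, independent of the host app."""
    unlock_value = b"\x00" * 32  # constructed stand-in for the shared constant
    app_device = WeakDevice(unlock_value)
    app = WeakHostApp(app_device, b"correct horse", unlock_value)
    bare_device = WeakDevice(unlock_value)
    return {
        "wrong_password_via_app": app.login(b"guess"),
        "right_password_via_app": app.login(b"correct horse"),
        # No password is involved at all: the device accepts the constant by itself.
        "device_accepts_constant_without_password": bare_device.unlock(unlock_value),
    }


def hardened_design_report() -> dict:
    """Shows that the hardened device cannot be unlocked without the password."""
    device = HardenedDevice(b"correct horse")
    wrong = device.unlock(b"guess")
    right = device.unlock(b"correct horse")
    key_len = len(device.data_key) if device.data_key else 0
    locked = HardenedDevice(b"correct horse")
    for _ in range(MAX_ATTEMPTS):
        locked.unlock(b"guess")
    return {
        "wrong_password": wrong,
        "right_password": right,
        "data_key_len": key_len,
        "right_password_after_lockout": locked.unlock(b"correct horse"),
    }


if __name__ == "__main__":
    print(weak_design_report())
    print(hardened_design_report())
```

The contrast is the whole lesson: in the weak model the device's own check is satisfiable by anything that holds the constant, so the host software is the entire security boundary, while in the hardened model the data key exists only as a function of the password and the device enforces the attempt limit itself.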

Vulnerability finds for secure USB drives have been rare, with the biggest threat to these devices historically being malware contamination. Some say this newly discovered password-handling flaw is only the tip of the iceberg when it comes to potential bugs that could be found in secure USB drives that rely on software controls. Software-based password validation may leave the door open for trouble, as any software element is bound to be subject to flaws.

Affected Devices:

  • SanDisk Cruzer Enterprise USB flash drive CZ22 & CZ32
  • SanDisk Cruzer Enterprise with McAfee USB flash drive CZ38
  • SanDisk Cruzer Enterprise FIPS Edition with McAfee USB flash drive CZ46
  • Kingston Technologies DataTraveler BlackBox
  • Kingston Technologies DataTraveler Secure – Privacy Edition
  • Kingston Technologies DataTraveler Elite – Privacy Edition