Encrypted USB Memory Stick Vulnerabilities

We have experienced a surge in popularity of our laptop and USB drive encryption in recent months. We are often asked about full disk encryption for USB drives as an alternative to our current Software as a Service (SaaS) encryption offering, which doesn’t just encrypt data but can also eliminate it.

The debate on the matter continues, but this week ZDNet reported on findings by the German IT security firm SySS. They found that they could bypass the password protection on hardware-encrypted USB keys from Kingston, SanDisk and Verbatim. In essence, the hardware-based USB drives are easily crackable, while software-based encryption doesn’t have this issue.

These manufacturers successfully protect stored files using AES 256-bit encryption. The problem is the authentication system. When the user enters a password, the software passes a data string, rather than the password itself, to the data access system on the memory stick, and this string is always the same. A third-party application can therefore pass the same string to the data access engine without knowing the password. The data may be encrypted, but the authentication system is vulnerable.
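The design flaw described above, modelled next to a password-bound alternative. This is an added example, not code from SySS, the vendors or this post; the class names, the `FIXED_UNLOCK` value, and the hardened design (PBKDF2 key derivation with XOR standing in for a key-wrap algorithm) are assumptions made for illustration and not a description of the vendors' updates.

```python
import hashlib, hmac, os

FIXED_UNLOCK = b"UNLOCK-OK"   # constructed stand-in for the constant string

class FlawedStick:
    """Password is checked by host software; the device only sees a constant."""
    def __init__(self, password: bytes):
        self._data_key = os.urandom(32)                 # AES-256 key for stored files
        self._pw_hash = hashlib.sha256(password).digest()

    def host_software_login(self, password: bytes):
        # Host side: verify the password, then send the same string every time.
        ok = hmac.compare_digest(hashlib.sha256(password).digest(), self._pw_hash)
        return self.device_unlock(FIXED_UNLOCK) if ok else None

    def device_unlock(self, message: bytes):
        # Device side: releases the key to anything that sends the constant.
        return self._data_key if message == FIXED_UNLOCK else None

class HardenedStick:
    """Device derives a key from the password and uses it to unwrap the data key."""
    def __init__(self, password: bytes):
        data_key = os.urandom(32)
        self._salt = os.urandom(16)
        kek = self._kek(password)
        # XOR stands in for a real key-wrap algorithm in this model.
        self._wrapped = bytes(a ^ b for a, b in zip(data_key, kek))
        self._check = hmac.new(data_key, b"kcv", hashlib.sha256).digest()

    def _kek(self, password: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, self._salt, 100_000)

    def device_unlock(self, message: bytes):
        # The message must be the password itself; no stored value unlocks the key.
        kek = self._kek(message)
        candidate = bytes(a ^ b for a, b in zip(self._wrapped, kek))
        tag = hmac.new(candidate, b"kcv", hashlib.sha256).digest()
        return candidate if hmac.compare_digest(tag, self._check) else None

def demo():
    flawed, hardened = FlawedStick(b"correct horse"), HardenedStick(b"correct horse")
    return {
        "flawed_wrong_password": flawed.host_software_login(b"guess") is not None,
        "flawed_constant_only": flawed.device_unlock(FIXED_UNLOCK) is not None,
        "hardened_constant_only": hardened.device_unlock(FIXED_UNLOCK) is not None,
        "hardened_right_password": hardened.device_unlock(b"correct horse") is not None,
    }

if __name__ == "__main__":
    print(demo())
```

In the flawed model the password check and the key release are separate steps joined only by a constant, so the check can be skipped; in the hardened model the data key cannot be recovered without the password because the password is an input to unwrapping it.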

The manufacturers have had different responses.  Kingston has taken this very seriously and issued a recall.  Verbatim and SanDisk have only released updates.
