Bob ‘n Alice On Security

Helping to Avoid a False Sense of Security


SanDisk Cruzer Enterprise Secure USB Flash Drive Hacked


Less than 24 hours after reporting that Kingston’s secure USB flash drives have been hacked, it appears that SanDisk’s secure USB flash drives have been hacked as well. According to SanDisk, they have “recently identified a potential vulnerability in the access control mechanism” for their Cruzer Enterprise series of flash drives. Given that access control is literally the key to any secure environment, it seems safe to interpret this as the “corporately correct” way of saying that SanDisk Cruzer Enterprise devices have a security hole.

This calls to mind a previously detailed SanDisk Cruzer Enterprise secure USB flash drive vulnerability.

Here is the relevant text from SanDisk’s website that covers this newly reported vulnerability:

***

Security Bulletin December 2009

Overview
The Cruzer® Enterprise series of USB flash drives are equipped with a hardware-based encryption module and an access control mechanism to protect company data. SanDisk has recently identified a potential vulnerability in the access control mechanism and has provided a product update to address the issue.

Important Note: This issue is only applicable to the application running on the host and does not apply to the device hardware or firmware.

As a result, all Cruzer Enterprise USB flash drives being shipped to customers as of today contain the product update. SanDisk has also taken measures to inform customers and channel partners about the issue and has provided a software product update online to secure existing Cruzer Enterprise USB flash drive devices.

Devices to which this change applies

  • Cruzer® Enterprise USB flash drive, CZ22 – 1GB, 2GB, 4GB, 8GB
  • Cruzer® Enterprise FIPS Edition USB flash drive, CZ32 – 1GB, 2GB, 4GB, 8GB
  • Cruzer® Enterprise with McAfee USB flash drive, CZ38 – 1GB, 2GB, 4GB, 8GB
  • Cruzer® Enterprise FIPS Edition with McAfee USB flash drive, CZ46 – 1GB, 2GB, 4GB, 8GB

***

It should be noted that, as with the Kingston secure USB flash drive hack, this vulnerability impacts FIPS-validated flash drives, which are marketed to U.S. and Canadian government agencies and thus should be considered the most secure of the devices offered by these companies.

As a little background, FIPS 140-2 certification is divided into four possible security levels, the highest of which is Security Level 4. Currently, the highest level of FIPS 140-2 validation available for flash drives is Security Level 3, offered by only a few vendors. Security Level 3 is the first level that includes tests for physical security and/or tamper detection/response circuitry, designed to “zeroize” all plaintext critical security parameters (CSPs). However, the compromised device series from both Kingston and SanDisk included FIPS products that had been validated only to Security Level 2, which does not include this critical requirement.

In resolving this issue, SanDisk claims to have taken measures to inform customers and channel partners, and has provided a software product update online that purportedly fixes the problem.

As always, stay safe and avoid a false sense of security.

Written by Alice

December 22, 2009 at 17:44

Kingston Secure USB Flash Drive Hacked


It appears that Kingston’s secure flash drives have been hacked. In case the page changes, what follows is the information that Kingston is currently posting about the vulnerability of their DataTraveler series of secure flash drives.

***

Kingston’s Secure USB Drive Information Page

It has recently been brought to our attention that a skilled person with the proper tools and physical access to the drives may be able to gain unauthorized access to data contained on the following Kingston Secure USB drives:

  • DataTraveler BlackBox (DTBB)
  • DataTraveler Secure – Privacy Edition (DTSP)
  • DataTraveler Elite – Privacy Edition (DTEP)

***

Looking through this list, it will be interesting to see whether the DataTraveler BlackBox will maintain its FIPS 140-2 Level 2 certification, an important qualifier for government purchasers in the United States and Canada.

If you own a Kingston, it appears the only way to correct this flaw is to send your flash drive back to Kingston for a factory update, during which all data will be erased. While Kingston has acknowledged the flaw in their secure products, they do not appear to have taken the step of issuing a general recall of all compromised devices. As yet, there is also no indication as to whether large-volume or other registered customers will be notified of the vulnerability.

As always, stay safe and avoid a false sense of security.

Written by Alice

December 22, 2009 at 00:53