Bob ‘n Alice On Security

Helping to Avoid a False Sense of Security

Archive for January 2010

Kingston Acknowledges Security Vulnerability in Hardware, SanDisk to Follow?


Back in December I wrote about Kingston acknowledging that a number of Kingston’s secure USB flash drives had been hacked. Yesterday, Kingston issued a press release announcing they would “replace affected secure USB flash drives with upgraded security architecture, new drives”. For a company that operates on lean margins, this has got to be a huge expense, one that would only be incurred if there was no other choice. In issuing this press release, Kingston has effectively acknowledged that the security vulnerability plaguing its devices is the result of a fatal design flaw, not a software issue that could be resolved with a downloadable patch.

As for the replacements, Bob has learned that the new devices will be available around the end of January and will be much slower than the units they are replacing, with data transfer rates of about 5MB/sec. They will be based on entirely new hardware with an entirely new design architecture. Given the speed with which these devices are becoming available, it is reasonable to assume that these were to be the next phase of secure USB flash drives to be sold by Kingston, though the transfer rates call into question whether they have been fully optimized.

The fact that Kingston has issued a total recall of their affected secure USB flash drives brings up another interesting issue. As reported before, SanDisk secure USB flash drives have been hacked, as well as similar devices made by Verbatim. All three companies’ devices share a similar vulnerability, revealed around the same time, and yet SanDisk and Verbatim maintain that a software update is sufficient to render their devices once again secure. Either the differences in implementation between these devices are significant enough that SanDisk and Verbatim have dodged a bullet, or they are avoiding making the tough decision to issue a full recall.

These companies bear watching to see if they will come to the same, painful conclusion that Kingston has reached, or if they will be able to resolve their problems in a less costly manner.

As always, stay safe and avoid a false sense of security.

Written by Alice

January 14, 2010 at 20:40