Bob ‘n Alice On Security

Helping to Avoid a False Sense of Security

Archive for the ‘Kingston: DataTraveler Series’ Category

Kingston Acknowledges Security Vulnerability in Hardware, SanDisk to Follow?


Back in December I wrote about Kingston acknowledging that a number of Kingston’s secure USB flash drives had been hacked. Yesterday, Kingston issued a press release announcing they would “replace affected secure USB flash drives with upgraded security architecture, new drives”. For a company that operates on lean margins this has got to be a huge expense, one that would only be incurred if there was no other choice. In issuing this press release, Kingston has effectively acknowledged that the security vulnerability plaguing its devices is the result of a fatal design flaw, not a software issue that could be resolved with a downloadable patch.

In terms of their replacements, Bob has learned that the new devices will be available around the end of January and will be much slower than the units they are replacing, with data transfer rates of about 5 MB/sec. They will be based on entirely new hardware with an entirely new design architecture. Given the speed with which these devices are becoming available, it is reasonable to assume that these were to be the next phase of secure USB flash drives to be sold by Kingston, though the transfer rates call into question whether they have been fully optimized.

The fact that Kingston has issued a total recall of their affected secure USB flash drives brings up another interesting issue. As reported before, SanDisk secure USB flash drives have been hacked, as well as similar devices made by Verbatim. All three companies’ devices share a similar vulnerability, revealed around the same time, and yet SanDisk and Verbatim maintain that a software update is sufficient to render their devices once again secure. Either the differences in implementation between these devices are significant enough that SanDisk and Verbatim have dodged a bullet, or they are avoiding making the tough decision to issue a full recall.

These companies bear watching to see if they will come to the same, painful conclusion that Kingston has reached, or if they will be able to resolve their problems in a less costly manner.

As always, stay safe and avoid a false sense of security.


Written by Alice

January 14, 2010 at 20:40

Kingston Secure USB Flash Drive Hacked


It appears that Kingston’s secure flash drives have been hacked. In case the page changes, what follows is the information that Kingston is currently posting about the vulnerability of their DataTraveler series of secure flash drives.

***

Kingston’s Secure USB Drive Information Page

It has recently been brought to our attention that a skilled person with the proper tools and physical access to the drives may be able to gain unauthorized access to data contained on the following Kingston Secure USB drives:

  • DataTraveler BlackBox (DTBB)
  • DataTraveler Secure – Privacy Edition (DTSP)
  • DataTraveler Elite – Privacy Edition (DTEP)

***

Looking through this list, it will be interesting to see whether the DataTraveler BlackBox will maintain its FIPS 140-2 Level 2 certification, an important qualifier for government purchasers in the United States and Canada.

If you own one of these Kingston drives, it appears the only way to correct this flaw is to send your flash drive back to Kingston for a factory update, during which all data will be erased. While Kingston has acknowledged the flaw in their secure products, they do not appear to have taken the step of issuing a general recall of all compromised devices. As of yet there is also no indication as to whether large-volume or other registered customers will be notified of the vulnerability.

As always, stay safe and avoid a false sense of security.

Written by Alice

December 22, 2009 at 00:53