Bob ‘n Alice On Security

Helping to Avoid a False Sense of Security

Archive for the ‘SanDisk Cruzer Enterprise’ Category

Kingston Acknowledges Security Vulnerability in Hardware, SanDisk to Follow?


Back in December I wrote about Kingston acknowledging that a number of Kingston’s secure USB flash drives had been hacked. Yesterday, Kingston issued a press release announcing they would “replace affected secure USB flash drives with upgraded security architecture, new drives”. For a company that operates on lean margins this has got to be a huge expense, one that would only be incurred if there was no other choice. In issuing this press release, Kingston has effectively acknowledged that the security vulnerability plaguing its devices is the result of a fatal design flaw, not a software issue that could be resolved with a downloadable patch.

In terms of their replacements, Bob has learned that the new devices will be available around the end of January and will be much slower than the units they are replacing, with data transfer rates of about 5 MB/s. They will be based on entirely new hardware with an entirely new design architecture. Given the speed with which these devices are becoming available, it is reasonable to assume that these were to be the next phase of secure USB flash drives sold by Kingston, though the transfer rates bring into question whether they have been fully optimized.

The fact that Kingston has issued a total recall of its affected secure USB flash drives brings up another interesting issue. As reported before, SanDisk secure USB flash drives have been hacked, as have similar devices made by Verbatim. All three companies’ devices share a similar vulnerability, revealed around the same time, and yet SanDisk and Verbatim maintain that a software update is sufficient to render their devices secure once again. Either the differences in implementation between these devices are significant enough that SanDisk and Verbatim have dodged a bullet, or they are avoiding the tough decision to issue a full recall.

These companies bear watching to see if they will come to the same, painful conclusion that Kingston has reached, or if they will be able to resolve their problems in a less costly manner.

As always, stay safe and avoid a false sense of security.


Written by Alice

January 14, 2010 at 20:40

SanDisk Cruzer Enterprise Secure USB Flash Drive Hacked


Less than 24 hours after reporting that Kingston’s secure USB flash drives have been hacked, it appears that SanDisk’s secure USB flash drives have been hacked as well. According to SanDisk, they have “recently identified a potential vulnerability in the access control mechanism” for their Cruzer Enterprise series of flash drives. Given that access control is literally the key to any secure environment, it seems safe to interpret this as the “corporately correct” way of saying that SanDisk Cruzer Enterprise devices have a security hole.

This calls to mind a previously detailed SanDisk Cruzer Enterprise secure USB flash drive vulnerability.

Here is the relevant text from SanDisk’s website that covers this newly reported vulnerability:

***

Security Bulletin December 2009

Overview
The Cruzer® Enterprise series of USB flash drives are equipped with a hardware-based encryption module and an access control mechanism to protect company data. SanDisk has recently identified a potential vulnerability in the access control mechanism and has provided a product update to address the issue.

Important Note: This issue is only applicable to the application running on the host and does not apply to the device hardware or firmware.

As a result, all Cruzer Enterprise USB flash drives being shipped to customers as of today contain the product update. SanDisk has also taken measures to inform customers and channel partners about the issue and has provided a software product update online to secure existing Cruzer Enterprise USB flash drive devices.

Devices to which this change applies

  • Cruzer® Enterprise USB flash drive, CZ22 – 1GB, 2GB, 4GB, 8GB
  • Cruzer® Enterprise FIPS Edition USB flash drive, CZ32 – 1GB, 2GB, 4GB, 8GB
  • Cruzer® Enterprise with McAfee USB flash drive, CZ38 – 1GB, 2GB, 4GB, 8GB
  • Cruzer® Enterprise FIPS Edition with McAfee USB flash drive, CZ46 – 1GB, 2GB, 4GB, 8GB

***

It should be noted that, as with the Kingston secure USB flash drive hack, this vulnerability impacts FIPS-validated flash drives, which are marketed to U.S. and Canadian government agencies and thus should be considered the most secure of the devices offered by these companies.

As a little background, FIPS 140-2 defines four security levels, the highest of which is Security Level 4. Currently, the highest level to which any flash drive has been validated is Security Level 3, offered by only a few vendors. Level 2 requires only tamper evidence (seals or coatings that show that the enclosure has been opened). Level 3 is the first level that requires tamper detection and response circuitry, designed to “zeroize” all plaintext critical security parameters (CSPs) when the module is breached. Both of the compromised series of devices offered by Kingston and SanDisk had FIPS products validated only to Security Level 2, which does not include this requirement. Two caveats are worth keeping in mind, though: a validation covers the cryptographic module within its defined boundary, not the host software that drives it, and SanDisk’s bulletin above places this particular flaw in the host application, which no amount of tamper-response circuitry would have prevented.

In resolving this issue SanDisk claims to have taken measures to inform customers and channel partners, and has provided a software product update online that purportedly fixes the problem.
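To make concrete the distinction the bulletin draws between “the application running on the host” and “the device hardware or firmware”, here is an added illustration in Python. It is a generic model of the two places a password check can live, not a description of how the Cruzer Enterprise actually works (the page does not describe its protocol), and it is not SanDisk’s or Kingston’s code. The class names, the retry limit of 10, the guess list and the sample passwords are assumptions made for the example.

```python
"""Added illustration: a password check done by host software versus one
done inside the device.  Generic model only; not any vendor's real protocol."""
import hashlib
import hmac
import os


def _derive(password: str, salt: bytes) -> bytes:
    # Slow hash so that each guess costs something.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class HostVerifiedDrive:
    """Model A (assumed design): the host application checks the password and
    then tells the device to unlock.  The device never sees the password, so
    anything that can talk to the device can issue the unlock command."""

    def __init__(self, password: str) -> None:
        self._salt = os.urandom(16)
        self._hash = _derive(password, self._salt)   # held by the host software
        self.unlocked = False

    # --- runs on the host ---
    def host_login(self, password: str) -> bool:
        if hmac.compare_digest(_derive(password, self._salt), self._hash):
            self.device_unlock()
            return True
        return False

    # --- the only command the device itself implements ---
    def device_unlock(self) -> None:
        self.unlocked = True


class DeviceVerifiedDrive:
    """Model B (assumed design): the password goes to the device and is
    verified there, with a retry counter enforced by the device.  A hostile
    or patched host gains nothing: there is no command that skips the check."""

    MAX_TRIES = 10   # assumed limit for the example

    def __init__(self, password: str) -> None:
        self._salt = os.urandom(16)
        self._hash = _derive(password, self._salt)   # stored inside the device
        self._tries_left = self.MAX_TRIES
        self.unlocked = False
        self.zeroized = False

    def device_login(self, password: str) -> bool:
        if self.zeroized or self._tries_left == 0:
            return False
        if hmac.compare_digest(_derive(password, self._salt), self._hash):
            self._tries_left = self.MAX_TRIES
            self.unlocked = True
            return True
        self._tries_left -= 1
        if self._tries_left == 0:
            # Counter exhausted: discard the verifier rather than allow
            # unlimited guessing.
            self._hash = b""
            self.zeroized = True
        return False


def attacker_with_host_control(drive) -> bool:
    """An attacker who controls the host (or replaces its software) tries the
    cheapest thing first: talk to the device directly, without a password."""
    unlock = getattr(drive, "device_unlock", None)
    if unlock is not None:
        unlock()                      # Model A: succeeds, no password needed
        return drive.unlocked
    # Model B: no bypass command exists; guessing is all that remains.
    for guess in ("password", "123456", "letmein", "admin", "qwerty",
                  "welcome", "sandisk", "kingston", "secret", "changeme"):
        if drive.device_login(guess):
            return True
    return drive.unlocked


if __name__ == "__main__":
    a = HostVerifiedDrive("Tr0ub4dor&3")   # constructed sample password
    b = DeviceVerifiedDrive("Tr0ub4dor&3")
    print("Model A bypassed without the password:", attacker_with_host_control(a))
    print("Model B bypassed without the password:", attacker_with_host_control(b))
    print("Model B zeroized after its counter ran out:", b.zeroized)
```

The point is the trust boundary. In model A the device’s only security-relevant decision is “was I told to unlock?”, so a fix confined to host software only changes who is doing the telling. In model B the device makes the decision itself, and a hostile host is reduced to a rate-limited guess that ends in zeroization. Which of the two a given product resembles is exactly the question the vendor statements above leave open.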

As always, stay safe and avoid a false sense of security.

Written by Alice

December 22, 2009 at 17:44

SanDisk Enterprise Cruzer Secure USB Flash Drive Vulnerability


Wow, Bob has found a second secure flash drive that suffers from a major autorun vulnerability. A new PDF details this new SanDisk Cruzer Enterprise vulnerability. The trust we can place in the SanDisk Cruzer Enterprise (and the OEM’d Kingston DataTraveler Elite Privacy Edition) is now only as strong as the trust we can place in the supply chain.

What was the name of the delivery guy who brought that box of shiny new Cruzers to the office? Hope he couldn’t be convinced to leave someone alone with that box for a few hours... If that someone was hostile, the network might have a new, uninvited user, or worse.

Heck, even if the supply chain is rock solid, a hostile outsider could leverage an organization’s use of the SanDisk Cruzer to penetrate their defenses by planting a malware-infected device in any number of ways. In this way, the trust placed in the device makes it more of a danger to the organization than if it were untrusted.

As always, stay safe and avoid a false sense of security.

Written by Alice

February 18, 2009 at 21:27