Bob ‘n Alice On Security

Helping to Avoid a False Sense of Security

Vulnerability Analysis of Secure USB Flash Drives


Here is a link to a cool vulnerability analysis of secure USB flash drives that unveils no fewer than four vulnerabilities in various products. It also offers solutions that all six manufacturers could have applied to prevent these vulnerabilities.

Here is a list of the vendors and their products containing the vulnerabilities mentioned:
ATP Electronics – ToughDrive
Samsung Electronics – SUM-2GTB
Samsung Pleomax – SPUB S50
LG Electronics – Mini Slide
Imation – iFLASHSLIM
SanDisk – Cruzer Micro

As always, stay safe and avoid a false sense of security.


Written by Bob

April 30, 2009 at 18:51

Raidon Staray-S Series Cracked


Here’s a link to a recent and well-documented cracking session by Christiane Rütten at The H Security. In it the Staray S325, put out by Raidon, is found to have multiple vulnerabilities and is thoroughly cracked. The moral of the story: even hardware encryption is of no benefit if implemented on budget drives with poor encryption.

http://www.h-online.com/security/Cracking-budget-encryption--/features/112548

As always, stay safe and avoid a false sense of security.

Written by Alice

March 30, 2009 at 20:22

MXI Attempts To Block Malware But Doesn’t Get It Quite Right


Perhaps in response to Bob’s analysis of the MXI Stealth MXP device, the manufacturer has come out with a technology that purports to prevent malicious code from being written to the “read only” partition of their Stealth MXP secure hardware encrypted flash drive.

In a very strangely worded press release on February 17, 2009, the company announced “MXI Security Expands Lockdown Delivery Service to Help Enterprise Customers Fight Malicious Software”. This allows enterprise customers to use their ACCESS Enterprise software to set a “unique management code” that guarantees that the software on devices cannot be modified by anyone except the end customer.

We tested this functionality on a Stealth MXP device. Basically a user or administrator can set a code or password which must be entered correctly when performing a software update to the “read only” partition. We set this access code, and then tried to update the software on the “read only” partition. As advertised, the software update was not successful without first entering the access code.


However, we also determined that this access code is not protected against brute force password guessing! Unlike the device password, it seems that you can try an infinite number of access codes. We tried an incorrect code 100 times, and then we entered the correct code, and the device again allowed us to load malicious software onto the “read only” partition.


It’s strange that a security company would miss out on such an obvious vulnerability. Any attacker wishing to infect a user’s device with malware could do a brute force attack on the access code of the device in order to overwrite the “read only” partition.
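The missing control, sketched as an added example (not MXI's firmware or code from the original post): a management-code check with a persistent failure counter, so that the 100-wrong-guesses-then-correct test described above ends in a refusal. The class name, `MAX_FAILURES` value and in-memory counter are assumptions made for illustration.

```python
import hashlib
import hmac

MAX_FAILURES = 10  # assumed policy value, not taken from any vendor


class UpdateGate:
    """Hypothetical gate in front of writes to the "read only" partition."""

    def __init__(self, code: str, salt: bytes):
        self._salt = salt
        self._digest = self._derive(code)  # store a slow hash, never the code itself
        self.failures = 0  # on a real device: tamper-resistant non-volatile storage

    def _derive(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 10_000)

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def try_unlock(self, guess: str) -> bool:
        if self.locked:
            return False  # once locked, even the correct code is refused
        # Record the attempt before comparing, so interrupting power
        # mid-check cannot turn a wrong guess into a free one.
        self.failures += 1
        if hmac.compare_digest(self._derive(guess), self._digest):
            self.failures = 0  # a correct code clears the counter
            return True
        return False


if __name__ == "__main__":
    gate = UpdateGate("4821", salt=b"constructed-salt")  # constructed sample values
    results = [gate.try_unlock(f"{n:04d}") for n in range(100)]  # 100 wrong codes
    print("any wrong code accepted:", any(results))
    print("correct code after 100 failures:", gate.try_unlock("4821"))
    print("locked:", gate.locked)
```

What a locked device does next (wipe, or require an administrator reset through a separate channel) is a policy decision this sketch leaves open.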

Even if the devices correctly prevented a brute-force password guessing attack on the access code, this still would not prevent a malicious attacker from infecting their own new device, and leaving it in the company parking lot where an employee might pick it up and plug it into an internal company computer.

I agree with Bob’s initial comment that secure devices should actually require a valid digital signature on the software before allowing an update to happen.

As always, stay safe and avoid a false sense of security.

Written by Alice

March 5, 2009 at 14:48

SanDisk Enterprise Cruzer Secure USB Flash Drive Vulnerability


Wow, Bob has found a second secure flash drive that suffers from a major autorun vulnerability. A new PDF details this new SanDisk Enterprise Cruzer vulnerability. The trust we can place in the SanDisk Enterprise Cruzer (and the OEM’d Kingston Data Traveler Elite Privacy Edition) is now as strong as the trust we can place in the supply chain.

What was the name of the delivery guy that brought that box of shiny new Cruzers to the office? Hope he couldn’t be convinced to leave someone alone with that box for a few hours…. If that someone was hostile, the network might have a new, uninvited user – or worse.

Heck, even if the supply chain is rock solid, a hostile outsider could leverage an organization’s use of the SanDisk Cruzer to penetrate their defenses by planting a malware-infected device in any number of ways. In this way, the trust placed in the device makes it more of a danger to the organization than if it were untrusted.

As always, stay safe and avoid a false sense of security.

Written by Alice

February 18, 2009 at 21:27

MXI Secure USB Flash Drive Trojan Vulnerability


Well, Bob has done it again. He just sent me a PDF that reveals a major vulnerability in MXI’s secure USB drive, the Stealth MXP.

The short version is that anyone carrying a Stealth MXP could be carrying a trojan. Read the PDF on the MXI Stealth MXP trojan vulnerability to learn the details – it should give you some idea of what you’re facing. It will also likely spur an immediate security review of all Stealth MXPs deployed by security-sensitive organizations. The decision that will need to be made is whether or not a thorough scan of the “read only” partition will be sufficient to reveal any and all malware, and thus regain confidence in the devices. Perhaps MXI Security will release some sort of validator to run against their drives to confirm that they haven’t been tampered with.

This is unfortunate for customers of MXI Security, as it follows on top of the MXP Stealth crack revealed a few months ago by the folks at Objectif Sécurité. It will be curious to see if another patch will follow MXI06-001 to remedy this new fault.

While we’re looking at the Stealth MXP, it is interesting to note that it uses another security technology that has been hacked on numerous occasions – biometric fingerprint scanners. Probably the best known case was when the folks at the popular TV show MythBusters hacked a fingerprint scanner, though there have been many others. While biometric scanners are often positioned as an additional layer of security, they are clearly an additional layer of false security, and as such are best avoided.

As always, stay safe and avoid a false sense of security.

Written by Alice

February 4, 2009 at 14:59

Friends Don’t Let Friends Use ECB-Mode Encryption


A number of companies create a false sense of security by using weak encryption modes in their products or services. Customers think they are covered because they’re using cutting edge AES encryption, when in reality the mode of that encryption leaves them vulnerable.

In particular, Electronic Codebook or ECB mode encryption is poor at hiding data patterns, as identical blocks of plaintext are coded into identical blocks of ciphertext. This makes it ineffective at encrypting certain types of data, especially that stored in images or BLOBs.

Here is a well known example of ECB mode encryption at work:

[Figure: three images of Tux the penguin, captioned “Original”, “ECB Mode Encrypted” and “Securely Encrypted”]

As you can see, in ECB mode the outline of Tux the penguin can still be easily made out despite the encryption. There are a number of alternative encryption modes that avoid this weakness, but the one perhaps most frequently found is Cipher-Block Chaining or CBC mode encryption. It is generally agreed within the cryptographic community that CBC is superior to ECB, and that the latter should be avoided in most cases.
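The same effect can be measured rather than eyeballed. The following is an added example, not code from the original post: it encrypts a constructed 64x64 "image" in ECB and in CBC mode and reports the fraction of ciphertext blocks that repeat. To stay runnable with the standard library only, it uses a small Feistel construction as a stand-in 128-bit block cipher in place of AES; the mode behaviour it shows does not depend on which block cipher is underneath.

```python
import hashlib
import hmac
import os

BLOCK = 16  # bytes per block, the same block size as AES


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash of one half-block, truncated to 8 bytes.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    # Stand-in block cipher (4-round Feistel). NOT AES and not for real use.
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: every block is encrypted independently under the same key.
    return b"".join(encrypt_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block first.
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = encrypt_block(key, mixed)
        out.append(prev)
    return b"".join(out)


def repeated_block_ratio(ciphertext: bytes) -> float:
    # Fraction of blocks that duplicate another block; close to 0 for a sound mode.
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return 1 - len(set(blocks)) / len(blocks)


# Constructed sample: one byte per pixel, a filled square on a blank background.
IMAGE = b"".join(
    bytes(0xFF if 16 <= x < 48 and 16 <= y < 48 else 0x00 for x in range(64))
    for y in range(64)
)

if __name__ == "__main__":
    key, iv = os.urandom(32), os.urandom(BLOCK)
    print("ECB repeated-block ratio:", repeated_block_ratio(ecb_encrypt(key, IMAGE)))
    print("CBC repeated-block ratio:", repeated_block_ratio(cbc_encrypt(key, iv, IMAGE)))
```

The same ratio check works as a quick audit of captured ciphertext from a product whose documentation does not state its mode: a high value on structured data such as a disk image points to ECB.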

Despite this, many companies – especially those for whom security is an add-on to insecure offerings – sell security products or services that use ECB mode encryption because it is cheaper and easier to implement. Often they hide this fact deep in technical specs or avoid mentioning their encryption mode at all. Here are three such companies in the secure flash drive space and their guilty offerings:

As always, stay safe and avoid a false sense of security.

Written by Alice

January 28, 2009 at 20:54


Spritesmods Breaks a Biometric “Secure USB Flash Drive”


Spritesmods has a nicely detailed article on how they broke through the biometric fingerprint reader on the BioSlimDisk, a supposedly secure USB memory stick, and were able to access the information stored on the device.

It’s yet another indication that encryption of data really doesn’t do much of a job of protecting it, if the product doesn’t deal with issues such as key generation, key management, brute force attacks, modification of firmware, or simple power attacks against the chips.

As always, stay safe and avoid a false sense of security.

Written by Alice

January 21, 2009 at 18:50