This information might be about a week old now, but seeing as I have been going over the Enterprise and Personal offerings from Ironkey, I thought I would briefly touch on this newly found vulnerability, and what devices are currently known to be vulnerable.
So late Dec 2009 SySS produced a couple of papers detailing how they have managed to bypass the security on Sandisk and Kingston Secure USB storage devices. Basically they have designed a tool that produces a static unlock code to always unlock the affected devices. Its my understanding that this is possible due to a flaw in how the users passcode is verified on the PC and signaled to the device.
This is obviously a significant issue, and I know personally of many organisations that have deployed these devices in their organisations, and this will also include Government organisations as most of the devices are classified as FIPS 140-2 compliant.
So should you be worried, well yes if your using one of the following devices:
- SanDisk Cruzer Enterprise FIPS Edition USB flash drive, CZ32 – 1GB, 2GB, 4GB, 8GB
- Verbatim Corporate Secure FIPS Edition USB Flash Drives 1GB, 2GB, 4GB, 8GB
- SanDisk Cruzer Enterprise with McAfee USB flash drive, CZ38 – 1GB, 2GB, 4GB, 8GB
- SanDisk Cruzer Enterprise USB flash drive, CZ22 – 1GB, 2GB, 4GB, 8GB
- SanDisk Cruzer Enterprise FIPS Edition with McAfee USB flash drive, CZ46 – 1GB
- Kingston DataTraveler BlackBox (DTBB)
- Kingston DataTraveler Secure – Privacy Edition (DTSP)
- Verbatim Corporate Secure USB Flash Drive 1GB, 2GB, 4GB, 8GB
- Kingston DataTraveler Elite – Privacy Edition (DTEP)
As I was looking at Ironkey devices at the time of all these, I have had confirmation from Ironkey that as far as they are aware they are not susceptible to this type of vulnerability due to the architecture used in their devices, and the fact that all verification occurs at the onboard hardware level.