Slashdot Mirror


Is the U3 Smart Drive Encryption Any Good?

Carlos asks: "I was searching for encryption software for USB pen drives, and came across the U3 Smart Drive platform, which offers portability and privacy through software and hardware. There are already several well-known hardware manufacturers offering U3 Smart Drives. Are they really better than a plain USB drive plus encryption software such as TrueCrypt, or is it just marketing hype?"

18 of 61 comments

  1. PC Magazine Review by tgtanman · · Score: 5, Informative

    PCMag did a review of the U3 technology (though the review is almost a year old)

  2. u3 just doesn't work by cliffhanger407 · · Score: 5, Informative

    U3 doesn't work any better than any other encryption. In fact, if anything, a corporate level encryption is always going to have better product quality control than U3. Plus, U3 doesn't work on probably 50% of the machines I have to put it into (tech support = putting in jump drive 50+ times a day), which means that if it doesn't work then there's no way to get it unencrypted. Basically any computer system which doesn't permit access to the AppData folder means it doesn't load the U3 software. (It claims it doesn't install anything, but it's definitely there). The other thing is that there are a lot of programs which just don't like U3 and will crash it even if you have the right permissions. Plus, it doesn't work on Mac or Linux.

    1. Re:u3 just doesn't work by tropicdog · · Score: 5, Informative

      "Plus, U3 doesn't work on probably 50% of the machines"

      I totally agree; in many corporate environments these are going to be functionally useless. A recent helpdesk case I worked on involved one of these U3 drives. Because U3 basically creates a partition that tells Windows that it is a read-only CDROM format, CD burning software would not function at all and Windows (Win2000 in this instance with limited user rights applied) totally locked up until the U3 drive was removed.
      Management gave me a 1GB version to use on the job. I was annoyed with the auto-launch feature it provided and promptly searched for and downloaded the U3 removal utility. I gained the space that U3 occupied on the drive and can use it on any computer in our environment w/o problems.

  3. U3 Pro's and cons by DarkMantle · · Score: 4, Informative

    Let's cover some U3 pros and cons (I have a U3 USB Drive from Geek Squad)

    Pro - Portable Apps, including Firefox and Thunderbird so your cookies aren't left behind when you do online banking at a public computer.
    Con - Only works on WinXP

    Pro - password protect your data so that confidential information is not easily accessible.
    Con - a script could continue to try passwords from a list in an attempt to login.

    Basically, the password protection stops the U3 drive from showing the volume. But multiple attempts to login do not result in time delays, or lockouts. Basically a script could keep the autorun going and sending different words or key presses until it gains access. Brute force kind of behaviour.

    But the drive will say "insert a disk into drive X:" if the password is not entered.

    So, not bad, never tried hacking it, but it could potentially be brute forced.

    --
    DarkMantle I been bored, so I started a blog.
    1. Re:U3 Pro's and cons by Professor_UNIX · · Score: 3, Informative

      > Pro - Portable Apps, including Firefox and Thunderbird so your cookies aren't left behind when you do online banking at a public computer.
      > Con - Only works on WinXP

      But there's certainly nothing stopping you from using Portable Firefox or Portable Thunderbird or Portable OpenOffice on a regular flash drive, and "U3 Technology" only works with certain U3-aware applications so it's not like you can encapsulate any program and make it U3-aware. I figured right away this was a completely useless feature and blew it away using the uninstaller. Unfortunately you seem to need a Windows box to run the uninstaller so I had to go hunt one down to remove this garbage since I use Macs 99% of the time.
    2. Re:U3 Pro's and cons by jmorris42 · · Score: 3, Informative

      > Unless I'm very wrong, brute-forcing can be pretty easily averted by simply using a long enough password. Last I checked, 8 chars is secure.

      Wrong. 500 characters wouldn't secure a piece of crap like that. It is software only encryption, written by people who almost certainly don't understand the concept, and sold to people who don't understand that putting a flash drive in some random PC at an Internet cafe is unsafe.

      Don't you people understand what that means? Odds are the password gets XORed with something lame and stored on the flash drive. Only a matter of time before somebody gets around to disassembling the crapware Win32 executable and writing a point and shoot password extraction program. Yes they COULD have done the crypto right but we know they didn't... or should know by now. After all they need a back way in themselves so they can unlock drives when somebody forgets their password and whines long enough on the support lines or when some LEO is looking for kiddie porn.

      --
      Democrat delenda est
  4. U3 'encryption' is a joke by HaloZero · · Score: 4, Informative

    All of ten minutes and a copy of Acronis yielded the sum of the data on an 'encrypted' U3 Cruzer disk. All the password protection thing does is prevent the drive from mounting correctly in Windows.

    I didn't bother testing the drive on my mac before I just blew the U3 partition away.

    --
    Informatus Technologicus
    1. Re:U3 'encryption' is a joke by PlusFiveTroll · · Score: 2, Informative

      I'm beginning to agree with you that U3 security is a joke. After googling for about 10 minutes here I've not been able to find much 'real' information on the security of U3. It's all press releases loaded with buzzwords, and no whitepapers telling how the drives work and which encryption standards are present.

      That concerns me; encryption is far easier to get wrong than right. On the TrueCrypt forums they are pretty good at telling you how bad their dog food is, and how to lessen these risks. I'll stick with TC and a good security policy for now.

    2. Re:U3 'encryption' is a joke by SanityInAnarchy · · Score: 3, Informative

      You know there is always a better or faster or cheaper way. With this program it is the same as with a car. There is no 100% protection, but it help's a lot to lock it.

      </sarcasm>

      Actually, the WebSafe "Website Encryption" is much better for keeping away "prying ices" than U3. At least WebSafe actually does some kind of encryption, even if the decryption algorithm and the keys are right there in the source code for everyone to see. U3, on the other hand, at least appears to claim encryption where there is none. I'll direct you to their website, where they claim:

      > The U3 platform is designed to leave no trace of the user's data or application usage on the host computer after the smart drive is removed. The U3 platform also supports the creation of security solutions to protect the privacy and security of user data and applications. These solutions include encrypted files and folders, and sign-on and password protection and management.

      Oh, I get it. They "support the creation" of encryption, when actually, if you look at their smart drive page, the word "encryption" is nowhere to be found. Instead, it's all about "Password Management" -- so they keep themselves clean, but it's obviously confusing enough to fool customers, especially when others claim "Secure data encryption" on what they call a "U3 Smart Drive", although I can't figure out whether Verbatim is wrong/lying or whether they've simply taken the existing U3 software and actually added encryption.

      Or maybe there's some other loophole. But even if I wasn't planning on using the encryption, I wouldn't do business with these jokers. (U3, not necessarily Verbatim.) It's clearly designed to fool people into thinking they're getting something they're not, which really makes them no better than the WebSafe moron -- and perhaps significantly worse, as the WebSafe guy may actually still believe his product is worth something.

      --
      Don't thank God, thank a doctor!
  5. Re:U3 sucks infinitely by NMThor · · Score: 3, Informative

    To uninstall, check out FAQ #6 @ http://www.u3.com/support/default.aspx

  6. Re:U3 sucks infinitely by WilliamSChips · · Score: 2, Informative

    Oh, didn't know about that. When I was trying to remove that crap I did a Google search and ended up on an Ars page which told me to use the Geek Squad's remover.

    --
    Please, for the good of Humanity, vote Obama.
  7. TrueCrypt is not for USB sticks by kasperd · · Score: 5, Informative

    TrueCrypt makes use of tweakable block ciphers. The idea with tweakable block ciphers is good, but it is no magic bullet. And unfortunately TrueCrypt reuses the tweaks every time the same sector is overwritten, which means the proofs for security of tweakable block ciphers do not apply to TrueCrypt. Depending on the attack scenario this may be a threat. Using a USB stick is going to make this problem worse.

    It is not the USB protocol which is a problem, but rather the fact that a USB stick stores the data in flash using a wear leveling algorithm. That means that even though from TrueCrypt's point of view it is writing to the same sector number, it is physically writing to different flash cells. This again means that for some time both the old and the new version may physically exist in the storage. This means anybody who is able to read the physical flash cells without going through the wear leveling code will have access to the necessary data to exploit this weakness.

    I don't know anything about U3, so I cannot tell you for sure if it is better or worse than TrueCrypt. But with the number of weaknesses which have been seen in storage encryptions, I'd expect anything new to have a few of its own. In spite of the minor weakness in TrueCrypt, I'd still prefer that over something with weaknesses I don't know about.

    My advice for encryption on USB sticks is to not rely on transparent encryption and rather use something like GPG. Of course combining TrueCrypt and GPG is not going to harm security. GPG encrypted files on a TrueCrypt encrypted storage should be pretty safe.

    --

    Do you care about the security of your wireless mouse?
    1. Re:TrueCrypt is not for USB sticks by kasperd · · Score: 2, Informative
      > Choose erase free space after installing. This will fill the remaining space on the drive with files, then overwrite them to the security level you choose.
      I agree this will add a little bit of security. But as this happens on a higher layer than the wear leveling, there is no guarantee that it will actually overwrite the physical locations you are interested in overwriting. Of course if you do multiple passes, I'd expect the wear leveling to spread them evenly over all locations including the ones you needed wiped. And BTW you don't need any unfree software to do it, you can just create a file filling all free space and then use the wipe command.

      > Are there any specs on what encryption type/standard U3 is using?
      That is indeed a very relevant question. If you come across an encryption where such a specification is not available for anybody to read, assume it is because the encryption is no good. If the specification is too vague and only states the name of a block cipher being used such as AES and doesn't tell you in detail what mode it is using, I'd also avoid it. And if it ever states anything like military strength encryption, I'd avoid it. TrueCrypt is one of the best documented storage encryptions I know about.
      --

      Do you care about the security of your wireless mouse?
    2. Re:TrueCrypt is not for USB sticks by kasperd · · Score: 2, Informative
      > I assume this is actually a problem of tweakable block ciphers?
      Not really. If you just used an ordinary cipher instead of a tweakable cipher, the problem would be much worse. However using an ordinary cipher in CBC mode does not have this problem. CBC is a probabilistic encryption, which means same data encrypted more than once will produce different data. But this also means data grows, which is inconvenient for a transparent storage encryption.

      Tweakable block ciphers are an elegant solution for this problem. But it is no magic bullet. If you reuse a tweak, it is no more secure than an ordinary cipher. And even if you don't reuse a tweak you still cannot use it more times than the birthday limit imposed by the block size. (AFAIR the number of times you can safely reuse a tweakable block cipher is two or three times less than that of an ordinary cipher).

      You could actually replace the cipher in a CBC encryption with a tweakable cipher and get something slightly safer. But the quite common practice in storage encryptions of replacing the random IV in a CBC encryption with a deterministic value is always going to be insecure. The extra space is provably necessary (shown independently by Kristian Gjøsteen and myself).

      It is possible to come up with ways to generate the tweak in a way that requires less disk space than the random IV for CBC encryption. So for that reason tweakable ciphers are clearly an interesting way to do storage encryption. But as soon as you have a space overhead, however little it may be, you have a problem with atomicity of updates. That means you are going to need extra copies of some of the data to avoid data loss in case the system for whatever reason doesn't complete an update. But you could still have significantly less overhead than the random IV for CBC encryption. CBC would usually be 3-6% overhead, a clever system designed using tweakable block ciphers could use less than 1% overhead. Now if I could just come up with an efficient way to detect the need for recovering an incomplete write....

      > Otherwise the simple attack on any sector-based encryption would be to read the raw data at different times....
      Unfortunately most sector-based encryption schemes do have such a weakness. The impact of the weakness may differ from the worst encryption leaking everything to the best encryption leaking only the sector number of writes and when a write is identical to something that earlier existed in the same sector. TrueCrypt is somewhere between these two extremes. The best deterministic encryptions I know of require approximately twice as much CPU time as the more secure probabilistic encryptions.
      --

      Do you care about the security of your wireless mouse?
    3. Re:TrueCrypt is not for USB sticks by PlusFiveTroll · · Score: 2, Informative

      TrueCrypt no longer uses CBC in the latest versions, LRW mode has been the default mode since some time in the 4.1 version and beyond.

    4. Re:TrueCrypt is not for USB sticks by kasperd · · Score: 2, Informative
      > TrueCrypt no longer uses CBC in the latest versions, LRW mode has been the default mode since some time in the 4.1 version and beyond.
      I compared the encryption used by TrueCrypt to CBC; that is very different from saying TrueCrypt uses CBC. In fact what TrueCrypt used to use is the not quite CBC mode you get by replacing the random IV with the sector number. The new mode did eliminate the very easy fingerprinting, but introduced a different kind of fingerprinting possible as long as you could get multiple versions of the same sector. A real CBC mode would be more secure than both of them, but a bit impractical.

      And if you carefully read my description from before, you should recognize that it is the mode known as LRW. I don't like the name of that mode, because to me it looks like this mode was invented by someone who read the article by Liskov, Rivest, and Wagner but did not fully understand it.
      --

      Do you care about the security of your wireless mouse?
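
Added example, not part of the thread: the fingerprinting kasperd describes in the comments above, shown by comparing two raw snapshots of one sector (as wear leveling can leave behind) under sector-number-IV CBC, a per-block tweaked mode with a reused tweak, and random-IV CBC. The Feistel cipher is a toy stand-in for a real block cipher, the HMAC tweak derivation is an assumption rather than LRW's own, and the keys and sector contents are constructed.

```python
import hashlib, hmac, os

BLOCK = 16  # cipher block size in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def encrypt_block(key, block):  # toy 4-round Feistel standing in for a real cipher
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc(key, iv, data):
    out, prev = [], iv
    for p in blocks(data):
        prev = encrypt_block(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)

def sector_iv_cbc(key, sector, data):  # "not quite CBC": IV is the sector number
    return cbc(key, sector.to_bytes(BLOCK, "big"), data)

def random_iv_cbc(key, data):  # real CBC: fresh IV stored with the sector (overhead)
    iv = os.urandom(BLOCK)
    return iv + cbc(key, iv, data)

def tweaked(key, tweak_key, sector, data):
    # C = E(P ^ T) ^ T with T fixed per (sector, block index), so every overwrite
    # reuses it. Deriving T with HMAC is an assumption; LRW derives it differently.
    out = []
    for idx, p in enumerate(blocks(data)):
        t = hmac.new(tweak_key, b"%d:%d" % (sector, idx), hashlib.sha256).digest()[:BLOCK]
        out.append(xor(encrypt_block(key, xor(p, t)), t))
    return b"".join(out)

def unchanged_blocks(old, new):  # what two raw snapshots of one sector reveal
    return [i for i, (a, b) in enumerate(zip(blocks(old), blocks(new))) if a == b]

def demo():
    key, tweak_key = b"k" * 16, b"t" * 16         # constructed keys
    v1 = bytes(range(256)) * 2                    # constructed 512-byte sector
    v2 = v1[:80] + b"EDITED BLOCK 5!!" + v1[96:]  # same sector after editing block 5
    modes = {"sector_iv": lambda d: sector_iv_cbc(key, 7, d),
             "tweaked": lambda d: tweaked(key, tweak_key, 7, d),
             "random_iv": lambda d: random_iv_cbc(key, d)}
    return {name: unchanged_blocks(enc(v1), enc(v2)) for name, enc in modes.items()}

if __name__ == "__main__":
    print(demo())
```

The sector-number IV exposes the unchanged prefix of the sector, the reused tweak exposes exactly which block changed, and the random IV exposes neither, at the cost of one stored block per sector.
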
  8. I wouldn't use any "secure" flash drive ever again by argent · · Score: 2, Informative

    We bought a bunch of "secure" drives (unintentionally, I might add, we had no interest in the "security" features), and found that unlike regular flash drives anything that damaged the file system on the drive meant you had a dead device... because you couldn't reformat it without a special program... and getting a copy of that program was basically impossible. Oh, they claimed you could do it by sending a letter from the CEO on corporate letterhead requesting a copy... and jumping through additional hoops after that... but there was never a response from this "initial handshake".

    Now, they're not terribly expensive... but they're no more secure than an encrypted file system in a regular file on the drive. You're paying more money for no better security than you can set up yourself, and dealing with the hidden costs of lost data... both directly, and because the guy in the field can't initialise a trashed file system himself so he doesn't have a device handy to get a copy of the customer's data when he needs it.

    The whole technology seems to be implemented in the wrong place to me.

  9. Re:U3 sucks infinitely by Anonymous Coward · · Score: 1, Informative

    FYI, I tried this on my U3 drive and it didn't work. Only the removal utility seemed to get rid of it. My guess is that U3 is more than just software - there must be some firmware-level thing that reserves its disk space and emulates a CD-ROM drive...