Slashdot Mirror


Is the U3 Smart Drive Encryption Any Good?

Carlos asks: "I was searching for encryption software for USB pen drives, and came across the U3 Smart Drive platform which offers portability and privacy through software and hardware. There are already several well-known hardware manufacturers offering U3 Smart Drives. Are they really better than a plain USB drive plus encryption software such as TrueCrypt, or is it just marketing hype?"

10 of 61 comments

  1. PC Magazine Review by tgtanman · · Score: 5, Informative

    PCMag did a review of the U3 technology (though the review is almost a year old)

  2. u3 just doesn't work by cliffhanger407 · · Score: 5, Informative

    U3 doesn't work any better than any other encryption. In fact, if anything, a corporate level encryption is always going to have better product quality control than U3. Plus, U3 doesn't work on probably 50% of the machines I have to put it into (tech support=putting in jump drive 50+ times a day), which means that if it doesn't work then there's no way to get it unencrypted. Basically any computer system which doesn't permit access to the AppData folder means it doesn't load the U3 software. (It claims it doesn't install anything, but it's definitely there). The other thing is that there are a lot of programs which just don't like U3 and will crash it even if you have the right permissions. Plus, it doesn't work on Mac or Linux.

    1. Re:u3 just doesn't work by tropicdog · · Score: 5, Informative

      "Plus, U3 doesn't work on probably 50% of the machines"

      I totally agree, in many Corporate environments these are going to be functionally useless. A recent helpdesk case I worked on involved one of these U3 drives. Because U3 basically creates a partition that tells Windows that it is a read only CDROM format, CD burning software would not function at all and Windows (Win2000 in this instance with limited user rights applied) totally locked up until the U3 drive was removed.
      Management gave me a 1GB version to use on the job. I was annoyed with the auto-launch feature it provided and promptly searched for and downloaded the U3 removal utility. I gained the space that U3 occupied on the drive and can use it on any computer in our environment w/o problems.

  3. U3 Pro's and cons by DarkMantle · · Score: 4, Informative

    Let's cover some U3 pros and cons (I have a U3 USB Drive from Geek Squad)

    Pro - Portable Apps, including firefox and thunderbird so your cookies aren't left behind when you do online banking at a public computer.
    Con - Only works on WinXP

    Pro - password protect your data so that confidential information is not easily accessible.
    Con - a script could continue to try passwords from a list in an attempt to login.

    Basically, the password protection stops the U3 drive from showing the volume. But multiple attempts to login do not result in time delays, or lockouts. Basically a script could keep the autorun going and sending different words or key presses until it gains access. Brute force kind of behaviour.

    But the drive will say "insert a disk into drive X:" if the password is not entered.

    So, not bad, never tried hacking it, but it could potentially be brute forced.

    --
    DarkMantle I been bored, so I started a blog.
    1. Re:U3 Pro's and cons by Professor_UNIX · · Score: 3, Informative

      Pro - Portable Apps, including firefox and thunderbird so your cookies aren't left behind when you do online banking at a public computer.
      Con - Only works on WinXP

      But there's certainly nothing stopping you from using Portable Firefox or Portable Thunderbird or Portable OpenOffice on a regular flash drive, and "U3 Technology" only works with certain U3-aware applications so it's not like you can encapsulate any program and make it U3-aware. I figured right away this was a completely useless feature and blew it away using the uninstaller. Unfortunately you seem to need a Windows box to run the uninstaller so I had to go hunt one down to remove this garbage since I use Macs 99% of the time.
    2. Re:U3 Pro's and cons by jmorris42 · · Score: 3, Informative

      > Unless I'm very wrong, brute-forcing can be pretty easily averted by simply using a long enough password. Last I checked, 8 chars is secure.

      Wrong. 500 characters wouldn't secure a piece of crap like that. It is software only encryption, written by people who almost certainly don't understand the concept, and sold to people who don't understand that putting a flash drive in some random PC at an Internet cafe is unsafe.

      Don't you people understand what that means? Odds are the password gets XORed with something lame and stored on the flash drive. Only a matter of time before somebody gets around to disassembling the crapware Win32 executable and writing a point and shoot password extraction program. Yes they COULD have done the crypto right but we know they didn't... or should know by now. After all they need a back way in themselves so they can unlock drives when somebody forgets their password and whines long enough on the support lines or when some LEO is looking for kiddie porn.

      --
      Democrat delenda est
  4. U3 'encryption' is a joke by HaloZero · · Score: 4, Informative

    All of ten minutes and a copy of Acronis yielded the sum of the data on an 'encrypted' U3 Cruzer disk. All the password protection thing does is prevent the drive from mounting correctly in Windows.

    I didn't bother testing the drive on my mac before I just blew the U3 partition away.

    --
    Informatus Technologicus
    1. Re:U3 'encryption' is a joke by SanityInAnarchy · · Score: 3, Informative

      You know there is always a better or faster or cheaper way. With this program it is the same as with a car. There is no 100% protection, but it help's a lot to lock it.

      </sarcasm>

      Actually, the WebSafe "Website Encryption" is much better for keeping away "prying ices" than U3. At least WebSafe actually does some kind of encryption, even if the decryption algorithm and the keys are right there in the source code for everyone to see. U3, on the other hand, at least appears to claim encryption where there is none. I'll direct you to their website, where they claim:

      The U3 platform is designed to leave no trace of the user's data or application usage on the host computer after the smart drive is removed. The U3 platform also supports the creation of security solutions to protect the privacy and security of user data and applications. These solutions include encrypted files and folders, and sign-on and password protection and management.

      Oh, I get it. They "support the creation" of encryption, when actually, if you look at their smart drive page, the word "encryption" is nowhere to be found. Instead, it's all about "Password Management" -- so they keep themselves clean, but it's obviously confusing enough to fool customers, especially when others claim "Secure data encryption" on what they call a "U3 Smart Drive", although I can't figure out whether Verbatim is wrong/lying or whether they've simply taken the existing U3 software and actually added encryption.

      Or maybe there's some other loophole. But even if I wasn't planning on using the encryption, I wouldn't do business with these jokers. (U3, not necessarily Verbatim.) It's clearly designed to fool people into thinking they're getting something they're not, which really makes them no better than the WebSafe moron -- and perhaps significantly worse, as the WebSafe guy may actually still believe his product is worth something.

      --
      Don't thank God, thank a doctor!
  5. Re:U3 sucks infinitely by NMThor · · Score: 3, Informative

    To uninstall, check out FAQ #6 @ http://www.u3.com/support/default.aspx

  6. TrueCrypt is not for USB sticks by kasperd · · Score: 5, Informative

    TrueCrypt makes use of tweakable block ciphers. The idea with tweakable block ciphers is good, but it is no magic bullet. And unfortunately TrueCrypt reuses the tweaks every time the same sector is overwritten, which means the proofs for security of tweakable block ciphers do not apply to TrueCrypt. Depending on the attack scenario this may be a threat. Using a USB stick is going to make this problem worse.

    It is not the USB protocol which is a problem, but rather the fact that a USB stick stores the data in flash using a wear leveling algorithm. That means that even though from TrueCrypt's point of view it is writing to the same sector number, it is physically writing to different flash cells. This again means that for some time both the old and the new version may physically exist in the storage. This means anybody who is able to read the physical flash cells without going through the wear leveling code will have access to the necessary data to exploit this weakness.

    I don't know anything about U3, so I cannot tell you for sure if it is better or worse than TrueCrypt. But with the number of weaknesses which have been seen in storage encryptions, I'd expect anything new to have a few of its own. In spite of the minor weakness in TrueCrypt, I'd still prefer that over something with weaknesses I don't know about.

    My advice for encryption on USB sticks is to not rely on transparent encryption and rather use something like GPG. Of course combining TrueCrypt and GPG is not going to harm security. GPG encrypted files on a TrueCrypt encrypted storage should be pretty safe.

    --

    Do you care about the security of your wireless mouse?
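
The tweak reuse kasperd describes in comment 6, shown as an added example that is not part of the thread or of TrueCrypt's code: when the tweak depends only on the sector number and block position, a stale physical copy and the current copy of the same logical sector reveal which 16-byte blocks changed, with no key needed. The Feistel construction on HMAC-SHA256 is a toy stand-in for a real tweakable block cipher, and the key, sector numbers and data are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # bytes per cipher block


def _round(key, tweak, i, half):
    # Round function keyed by the volume key and bound to the tweak and round number.
    return hmac.new(key, tweak + bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def encrypt_block(key, tweak, block):
    # 4-round Feistel network: a toy tweakable permutation (assumption, not TrueCrypt's cipher).
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, tweak, i, right)))
    return left + right


def encrypt_sector(key, sector_no, data):
    # Tweak = (sector number, block index): identical on every rewrite of that sector.
    out = b""
    for j in range(0, len(data), BLOCK):
        tweak = sector_no.to_bytes(8, "little") + (j // BLOCK).to_bytes(4, "little")
        out += encrypt_block(key, tweak, data[j:j + BLOCK])
    return out


def changed_blocks(old_ct, new_ct):
    # What a reader of both physical copies learns without the key.
    return [j // BLOCK for j in range(0, len(old_ct), BLOCK)
            if old_ct[j:j + BLOCK] != new_ct[j:j + BLOCK]]


def demo():
    key = b"constructed-demo-key"
    v1 = bytearray(b"A" * 64)                    # constructed 64-byte sector, first write
    v2 = bytearray(v1)
    v2[40] ^= 1                                  # rewrite: one byte changed, inside block 2
    old = encrypt_sector(key, 7, bytes(v1))      # stale copy left behind by wear leveling
    new = encrypt_sector(key, 7, bytes(v2))      # current copy of the same logical sector
    moved = encrypt_sector(key, 8, bytes(v1))    # same plaintext under a different sector tweak
    return changed_blocks(old, new), changed_blocks(old, moved)


if __name__ == "__main__":
    print(demo())
```

The first list shows that only block 2 differs between the two copies of sector 7, which is the leak; the second shows that the same plaintext under another sector's tweak shares no ciphertext blocks.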