Slashdot Mirror


Protected Memory Stick Easily Cracked

Martin_Sturm writes "A $175 1GB USB stick designed to protect your data turns out to be very insecure. According to the distributor of the Secustick, the safety of the data is ensured: 'Due to its unique technology it has the ability to destroy itself once an incorrect password is entered.' The Secustick is used by various European governments and organizations to secure data on USB sticks. Tweakers.net shows how easy it is to break the protection of the stick. Quoting: 'It should be clear that the stick's security is quite useless: a simple program can be used to fool the Secustick into sending its unlock command without knowing the password. Besides, the password.exe application can be adapted so that it accepts arbitrary passwords.' The manufacturer got the message and took the Secustick website offline. The site gives a message (translated from Dutch): 'Dear visitor, this site is currently unavailable due to security issues of the Secustick. We are currently working on an improved version of the Secustick.'"

7 of 220 comments

  1. Well they could have been like other companies by insanemime · · Score: 5, Insightful

    At least they had the balls to admit that something was wrong and try to take steps to fix it. It will be interesting to see if they recall the ones already sold.

    1. Re:Well they could have been like other companies by antime · · Score: 5, Insightful

      What they admitted is that they have no idea what they are doing and have no idea what they are selling. You would have to be an idiot to buy anything security-related from a company like that.

    2. Re:Well they could have been like other companies by FuzzyDaddy · · Score: 4, Insightful
      I don't know about you, but I don't keep original copies of data on a USB key. I use it to transfer files from one computer to another, so wiping the data after unsuccessful attempts, in this context, strikes me as a good idea.

      --
      It's not wasting time, I'm educating myself.
    3. Re:Well they could have been like other companies by morgan_greywolf · · Score: 4, Insightful

      Funny part is, all they did was run the program in a debugger, put a breakpoint after the clearly labelled "VerifyPassWord" function


      Wait. The executable was compiled with debug symbols turned on? With functions with easy-to-understand names? I mean, I know it's only security-through-obscurity, but c'mon! At least up the ante a little bit ... many programmers are not skilled enough to disassemble a program with no symbol table. And the ones that are ... *shrug* rely on the security of your methods, not on the obscurity of your code. IOW, they should have used encryption, even with the self-destruct mechanism.
    4. Re:Well they could have been like other companies by TheRaven64 · · Score: 4, Insightful
      It is unlikely that the only copy of sensitive data would be on the USB stick. If it is destroyed, you still have the original copy somewhere more secure than your pocket. If it's destroyed accidentally, it could be a lot less of a problem than if it fell into the wrong hands.

      There are a lot of situations where having a local copy of the data is a convenience, rather than a necessity, and this would allow the convenience without the risk of it being stolen. If it's accidentally destroyed, then it's an inconvenience, not a disaster.

      --
      I am TheRaven on Soylent News
  2. Re:TrueCrypt by Rob+T+Firefly · · Score: 5, Insightful

    The type of people who have got the wherewithal to set up TrueCrypt are not the market this was aiming for. This seems like a product made for the techno-clueless PHB types who just want to buy something off the shelf they can stick in their magic computer box and have it "just work," and who see that high a price on a simple 1-gig USB stick not as an obvious ripoff, but as a measure of how much good computer magic it must surely contain.

  3. A surprise and a non-surprise. by eddy · · Score: 5, Insightful

    No surprise that the security is non-existent, but a nice surprise that tweakers.net[0] have people skilled enough to do a thorough technical review. Tip-of-the-Hat to the reviewers and keep the good work up. Anyone can run 3D benchmarks and make graphs against the previous generation, but this requires a different level of technical know-how. It's always been my hope that the future would feature this type of review, using reverse-engineering techniques for in-depth technical reviews, as a norm not an exception.

    [0] No disrespect to the people of tweakers.net, I mean in the sense of 'any popular review site'.

    --
    Belief is the currency of delusion.
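An added example (not from the thread, tweakers.net, or the Secustick software) contrasting the design the summary describes, a host-side password check that gates an unlock command, with the "should have used encryption" approach raised in the comments. All class and function names are hypothetical, the payload is constructed, and HMAC-SHA256 in counter mode stands in for AES only because the Python standard library has no block cipher.

```python
import hashlib, hmac, secrets

class HostCheckedStick:
    """Design criticised above: a host-side yes/no check gates plaintext storage."""
    def __init__(self, password: str, data: bytes):
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self._data = data                        # stored unencrypted behind the gate

    def verify_password(self, guess: str) -> bool:   # runs on the host PC
        return hmac.compare_digest(hashlib.sha256(guess.encode()).digest(), self._pw_hash)

    def unlock(self) -> bytes:                   # command carries no secret
        return self._data

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: illustrative stand-in for AES-CTR
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _keys(password: str, salt: bytes, iterations: int):
    # The password itself produces the keys; there is no stored yes/no answer
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=64)
    return k[:32], k[32:]

def seal(password: str, data: bytes, iterations: int = 200_000) -> dict:
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _keys(password, salt, iterations)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "iterations": iterations, "ct": ct, "tag": tag}

def open_sealed(password: str, blob: dict):
    enc_key, mac_key = _keys(password, blob["salt"], blob["iterations"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None                              # wrong password yields a wrong key
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))

if __name__ == "__main__":
    secret = b"constructed sample payload"
    weak = HostCheckedStick("example-password", secret)
    print("weak design, check skipped:", weak.unlock() == secret)
    blob = seal("example-password", secret)
    print("sealed, wrong password:", open_sealed("guess", blob))
    print("sealed, right password:", open_sealed("example-password", blob))
```

In the sealed design, patching the comparison in `open_sealed` gains nothing, because without the password-derived key the stored bytes are still ciphertext.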