Slashdot Mirror

← Back to Stories (view on slashdot.org)

Protected Memory Stick Easily Cracked

Posted by kdawson on from the not-that-hard-a-hack dept.

Martin_Sturm writes "A $175 1GB USB stick designed to protect your data turns out to be a very insecure. According to the distributer of the Secustick, the safety of the data is ensured: 'Due to its unique technology it has the ability to destroy itself once an incorrect password is entered.' The Secustick is used by various European governments and organizations to secure data on USB sticks. Tweakers.net shows how easy it is to break the protection of the stick. Quoting: 'It should be clear that the stick's security is quite useless: a simple program can be used to fool the Secustick into sending its unlock command without knowing the password. Besides, the password.exe application can be adapted so that it accepts arbitrary passwords.' The manufacturer got the message and took the Secustick website offline. The site give a message (translated from Dutch): 'Dear visitor, this site is currently unavailable due to security issues of the Secustick. We are currently working on an improved version of the Secustick.'"

2 of 220 comments (clear)

  1. Nice one! by Anonymous Coward · · Score: 5, Interesting

    At least the manufacturer is doing the right thing and eating crow over this. Here in the US the company would probably have just sued the hackers under DMCA while continuing to sell the defective product.

  2. Re:Well they could have been like other companies by Lazerf4rt · · Score: 5, Interesting

    Well, not completely. A spokesperson for the product is reported saying:

    Our customers are happy with the level of protection that our product offers. Normally, the amount of security is sufficient, not everyone has the technical expertise that you have.

    This is quite a different statement from the one made near the start of the article.

    The stick was commissioned by the French government and - according to the company's press release - the result is revolutionary, ultra safe and approved by the French intelligence service.

    Funny part is, all they did was run the program in a debugger, put a breakpoint after the clearly labelled "VerifyPassWord" function, and change the return value from 0 to 1. Pretty embarassing. But the article went pretty easy on them after that. Really good read by the way.