Slashdot Mirror


Protected Memory Stick Easily Cracked

Martin_Sturm writes "A $175 1GB USB stick designed to protect your data turns out to be very insecure. According to the distributor of the Secustick, the safety of the data is ensured: 'Due to its unique technology it has the ability to destroy itself once an incorrect password is entered.' The Secustick is used by various European governments and organizations to secure data on USB sticks. Tweakers.net shows how easy it is to break the protection of the stick. Quoting: 'It should be clear that the stick's security is quite useless: a simple program can be used to fool the Secustick into sending its unlock command without knowing the password. Besides, the password.exe application can be adapted so that it accepts arbitrary passwords.' The manufacturer got the message and took the Secustick website offline. The site gives a message (translated from Dutch): 'Dear visitor, this site is currently unavailable due to security issues of the Secustick. We are currently working on an improved version of the Secustick.'"


  1. Well they could have been like other companies by insanemime · · Score: 5, Insightful

    At least they had the balls to admit that something was wrong and try to take steps to fix it. It will be interesting to see if they recall the ones already sold.

    1. Re:Well they could have been like other companies by tritonman · · Score: 4, Interesting

      Destroying the contents on a bad password attempt is crazy. Especially when you use very cryptic passwords. People tend to type wrong, hold the shift key down too long, not hold the shift key down when necessary. Sometimes I have to type my passwords two or three times before getting it right. Destroying important sensitive information because I accidentally typed it wrong is just plain stupid. These kinds of technologies will only be a pain for people using them legitimately, and anyone who wants to hack to get the information will generally be able to find some way to get it, thus it only extends the problems and provides no solutions.

    2. Re:Well they could have been like other companies by antime · · Score: 5, Insightful

      What they admitted is that they have no idea what they are doing and have no idea what they are selling. You would have to be an idiot to buy anything security-related from a company like that.

    3. Re:Well they could have been like other companies by Lazerf4rt · · Score: 5, Interesting

      Well, not completely. A spokesperson for the product is reported saying:

      Our customers are happy with the level of protection that our product offers. Normally, the amount of security is sufficient, not everyone has the technical expertise that you have.

      This is quite a different statement from the one made near the start of the article.

      The stick was commissioned by the French government and - according to the company's press release - the result is revolutionary, ultra safe and approved by the French intelligence service.

      Funny part is, all they did was run the program in a debugger, put a breakpoint after the clearly labelled "VerifyPassWord" function, and change the return value from 0 to 1. Pretty embarrassing. But the article went pretty easy on them after that. Really good read by the way.

    4. Re:Well they could have been like other companies by FuzzyDaddy · · Score: 4, Insightful
      I don't know about you, but I don't keep original copies of data on a USB key. I use it to transfer files from one computer to another, so wiping the data after unsuccessful attempts, in this context, strikes me as a good idea.

      --
      It's not wasting time, I'm educating myself.
    5. Re:Well they could have been like other companies by jandrese · · Score: 4, Funny

      I love the part where it is "approved by the French intelligence service". Of course it is, since it's so easy to break. Of course it's not approved for their own use, they just want everybody else to use it.

      --

      I read the internet for the articles.
    6. Re:Well they could have been like other companies by @madeus · · Score: 3, Insightful

      it's not that silly. I contend it is not only silly, but sufficiently bad to warrant legal action, because whoever built it must have known how badly it was designed to start with.

      It appears that the system doesn't use a form of encryption unlocked by a key (entered by the user) to store the data - and that instead it simply requires use of a single instruction to the USB device to indicate the data ought to be accessible or not. That just sounds ludicrous.

      If it had been developed in good faith, and this were a bug (rather than part of the design) and/or the result of a sophisticated exploit that it would have been hard to predict, I would be sympathetic. As I would if they had clearly indicated its limitations (which they could have, but if they've taken the website down now, I'm guessing not).

      What's particularly telling for me is, while the company were quite happy to tout the supposed virtues of the product, they are clearly worried about it now they have been found out. That represents a staggering failure by the designers of the software, their managers, the marketing and product design teams, the HR department who hired all these people of clearly very dubious virtue and the senior management involved.

      Either they are crooks (because they were complicit in touting such a crummy product that didn't really do what it claimed to do in a reasonable way) or they are all, really, really dumb (and none of them asked pertinent questions of the other parties at any stage of product development).
    7. Re:Well they could have been like other companies by computational+super · · Score: 4, Funny
      You would have to be an idiot to buy anything security-related from a company like that.

      Which is a shame for this company, because idiots are in such short supply these days...

      --
      Proud neuron in the Slashdot hivemind since 2002.
    8. Re:Well they could have been like other companies by morgan_greywolf · · Score: 4, Insightful

      Funny part is, all they did was run the program in a debugger, put a breakpoint after the clearly labelled "VerifyPassWord" function


      Wait. The executable was compiled with debug symbols turned on? With functions with easy-to-understand names? I mean, I know it's only security-through-obscurity, but c'mon! At least up the ante a little bit ... many programmers are not skilled enough to disassemble a program with no symbol table. And the ones that are ... *shrug* rely on the security of your methods, not on the obscurity of your code. IOW, they should have used encryption, even with the self-destruct mechanism.
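The difference between gating plaintext behind a yes/no check and deriving the key from the password, as discussed in the comments above, shown as an added example that is not from the article or any poster. All names and the sample data are constructed, and the SHA-256 counter-mode keystream is a standard-library stand-in for a real cipher, not what any product uses.

```python
import hashlib
import hmac
import os

SECRET = b"constructed sample document"  # constructed sample data

def flag_gate_open(password, store, verify):
    # Design described in the thread: data sits in the clear and a host-side
    # yes/no answer decides whether it is released.
    return store["data"] if verify(password, store) else None

def honest_verify(password, store):
    return hmac.compare_digest(password.encode(), store["password"])

def derive_keys(password, salt):
    # The password itself produces the keys; nothing on the device stores them.
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]

def keystream_xor(key, nonce, data):
    # Stand-in cipher (SHA-256 in counter mode) so the example runs on the
    # standard library alone; a real product would use a vetted AEAD (AES-GCM).
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(password, data):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    ct = keystream_xor(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_sealed(password, blob, skip_check=False):
    # skip_check models a check that has been forced to answer "yes".
    enc_key, mac_key = derive_keys(password, blob["salt"])
    want = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not skip_check and not hmac.compare_digest(want, blob["tag"]):
        return None
    return keystream_xor(enc_key, blob["nonce"], blob["ct"])
```

With the flag gate, a check that always answers "yes" releases the data; with the derived key, skipping the check only yields bytes decrypted under the wrong key.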
    9. Re:Well they could have been like other companies by TheRaven64 · · Score: 4, Insightful
      It is unlikely that the only copy of sensitive data would be on the USB stick. If it is destroyed, you still have the original copy somewhere more secure than your pocket. If it's destroyed accidentally, it could be a lot less of a problem than if it fell into the wrong hands.

      There are a lot of situations where having a local copy of the data is a convenience, rather than a necessity, and this would allow the convenience without the risk of it being stolen. If it's accidentally destroyed, then it's an inconvenience, not a disaster.

      --
      I am TheRaven on Soylent News
  2. Nice one! by Anonymous Coward · · Score: 5, Interesting

    At least the manufacturer is doing the right thing and eating crow over this. Here in the US the company would probably have just sued the hackers under DMCA while continuing to sell the defective product.

  3. Just put - by ditoa · · Score: 4, Informative

    TrueCrypt on a memory stick with an encrypted volume file with a good passphrase and your data will be secure from pretty much anything. I have not heard of TrueCrypt being cracked yet.

    1. Re:Just put - by jawtheshark · · Score: 3, Informative

      Once Truecrypt is installed on a machine (by Administrator) every Limited User can use it without problems. I have it set up that way at home.

      Running Truecrypt requires a driver and inserting that in the operating system requires Admin, once it's there, using it is allowed by everyone.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  4. TrueCrypt by Teckla · · Score: 5, Informative

    Most Slashdotters know you should not trust the built in security on these devices.

    The solution for real security on these devices is to use TrueCrypt.

    It's not hard to use, though the more technical among us may need to help out the less technically inclined to get things rolling. Once it's set up, though, it's secure and easy to use.

  5. This begs the question...... by 8127972 · · Score: 4, Interesting

    ...... Since there are a ton of these products out there. Does any third party verify that they are secure as they are claimed to be? Or are we truly at the mercy of the marketing spin that these companies put out?

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
  6. A cheaper alternative that actually works by jrumney · · Score: 4, Informative
    1. 1Gb USB stick - from around $20 (maybe even cheaper)
    2. Truecrypt - free

    No self-destruct, but hard enough encryption for all but the most sensitive secret data.

  7. Dumb design by binaryDigit · · Score: 4, Interesting

    The whole thing is just stupid. Oh where to start ...

    - self destruct, great, so if you want to destroy someone's data, just grab their memory stick and intentionally use bogus passwords. Now that's brilliant. A MS with a builtin self DOS.

    - No security support in hardware, just desolder the actual memory and stick it into your favourite $15 MS. Brilliant.

    - So smug in their design they don't even encrypt the data. Outstanding.

    - Software designed apparently by a 12 yo. Oh wait, a 12yo probably wouldn't have made it so dumb. Maybe it was a 6yo, were there identifiers named after Spongebob characters?

    Actually, the bigger problem is that so many govt agencies approved of this thing, apparently, without it going through any type of remotely rigorous testing and verification. As much as our US govt agencies get ripped for doing stupid stuff, it's clear that they don't have the market cornered on such activity.

    Hey, I have a secure self destructing bridge to sell to ....

  8. Re:TrueCrypt by Rob+T+Firefly · · Score: 5, Insightful

    The type of people who have got the wherewithal to set up TrueCrypt are not the market this was aiming for. This seems like a product made for the techno-clueless PHB types who just want to buy something off the shelf they can stick in their magic computer box and have it "just work," and who see that high a price on a simple 1-gig USB stick not as an obvious ripoff, but as a measure of how much good computer magic it must surely contain.

  9. Re:This RAISES the question...... by Xanni · · Score: 5, Informative
    --
    http://www.glasswings.com/
  10. There's Your Problem by organgtool · · Score: 3, Funny

    The developers of the Secustick are looking into the problem and they think that the issue is with their algorithm that encrypts the data into ASCII.

    1. Re:There's Your Problem by vidarh · · Score: 4, Interesting
      I worked for a company years ago where several of the engineers were seriously impressed when I showed them I could "break" their "base64 encryption" in realtime...

      They had added it to close a previous security problem I'd pointed out with their product that stored an internal customer id in a cookie to grant access to a web app - problem was, the customer id's were allocated sequentially, so anyone brute-forcing it would get access to all their customer data in minutes, including the address books of the entire top management team.... base64 "encrypting" the customer id was supposed to prevent anyone from trying that trick again... I left that company pretty much as soon as I could..
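Why base64 on a customer id protects nothing while a server-keyed tag does, as an added example that is not code from the comment or the company it describes. The cookie layout, function names, ids and key are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed; known only to the server

def encoded_cookie(customer_id):
    # The scheme from the comment: base64 is an encoding, no key is involved.
    return base64.b64encode(str(customer_id).encode()).decode()

def encoded_lookup(cookie):
    # The server trusts whatever id decodes, so any client can name any customer.
    return int(base64.b64decode(cookie).decode())

def signed_cookie(customer_id, key=SERVER_KEY):
    # The id stays readable, but it is bound to a tag only the server can make.
    body = str(customer_id)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def signed_lookup(cookie, key=SERVER_KEY):
    # Returns the customer id only if the tag was made with the server's key.
    body, sep, tag = cookie.partition(".")
    want = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not sep or not body.isdigit():
        return None
    if not hmac.compare_digest(want.encode(), tag.encode()):
        return None
    return int(body)

if __name__ == "__main__":
    issued = signed_cookie(1042)                 # constructed customer id
    neighbour = "1043." + issued.split(".")[1]   # id changed, old tag reused
    print(encoded_lookup(encoded_cookie(1043)), signed_lookup(neighbour))
```

A random, server-side session identifier that maps to the customer record avoids exposing the id at all and is the more common fix.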

  11. A surprise and a non-surprise. by eddy · · Score: 5, Insightful

    No surprise that the security is non-existent, but a nice surprise that tweakers.net[0] have people skilled enough to do a thorough technical review. Tip-of-the-Hat to the reviewers and keep the good work up. Anyone can run 3D benchmarks and make graphs against the previous generation, but this requires a different level of technical know-how. It's always been my hope that the future would feature this type of review, using reverse-engineering techniques for in-depth technical reviews, as a norm not an exception.

    [0] No disrespect to the people of tweakers.net, I mean in the sense of 'any popular review site'.

    --
    Belief is the currency of delusion.
  12. Mod +1 erudite-sounding by jpellino · · Score: 3, Funny

    mod -5 absent-the-day-they-covered-fallacies

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  13. It should have been obvious by hey! · · Score: 3, Insightful

    When they are harping on the device's unique technology.

    Unique and secure are mutually exclusive.

    It is not possible, through a feat of sheer genius, to make something that is both novel and demonstrably secure. It turns out that genius isn't a particularly rare commodity. With 6.5 billion people in the world, there are 6,500 people who are walking around with one-in-a-million levels of intellect. Any one of those people, on a good day, can beat any other person on earth in a battle of wits. Any one of the millions of people with one-in-a-thousand intellects probably can, too.

    Security is the one aspect of technology where state of the art is better than something which advances state of the art. State of the art means nobody has yet, even on the best day they've ever had, been able to beat it. We've seen some recent examples where very narrow vulnerabilities have been found in hashing algorithms, which has forced the state of the art to change slightly to favor drop in replacements. But by and large the state of the art has been remarkably stable over a long, long time. Anybody who claims to have something nobody else has probably has something worthless, if he has anything at all.

    This is why product security is so bad. It's not possible to differentiate yourself based on security, without affecting other areas such as usability. There is considerable irony in this fact: a product that is carefully thought out and implemented using widely known techniques would have a good chance of being unique. The problem is selling the product. Lotus Notes is a good example. It has its strengths and weaknesses, but as of the early 90s it was the most secure email system in the world. In fact it still would be. But it wasn't the easiest to use or administer. Unfortunately their attempts to make the system more attractive were failures. It's never been more attractive than Exchange. But it's always been more secure.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  14. Stupid is as stupid does by mlwmohawk · · Score: 3, Insightful

    Like other posters, I am at a loss at where to start.

    (1) If you don't have encryption, GOOD ENCRYPTION, you can't protect squat.
    (2) "Self Destruct" is interesting, but unless you have a custom micro-controller on the ram stick, AND an independent power supply, AND the device potted in epoxy, it is all just a made for TV gimmick.
    (3) Password.exe? I didn't see this in the article, but what happens if one plugs it into a Mac, Linux, FreeBSD, etc? Does it just work or does it self destruct?
    (4) With reference to #2, since the article showed that one could make the device read-only, would self-destruct no longer work? If so, it MUST be potted in epoxy.
    (5) Does the "self destruct" operate on the PC or the ram stick? We all know if it runs on the PC, it is doomed to fail.

    If they want to REALLY do this:

    (1) before everything, encrypt the data. This buys the device time to operate and basic security.
    (2) Install a PIC or something that MUST have an encoded heart beat with some sort of hard to reproduce calculated byte pattern.
    (3) Without a valid heart beat, the PIC will simply not enable the flash device.
    (4) With a valid heart beat, the system must pass a valid password hash string within a reasonable amount of time to the PIC, or the data will be destroyed.
    (5) After a number of failed attempts, the PIC will destroy the data.
    (6) When the heart beat stops, the PIC disables the flash. (It is presumed that the software clears the file system cache as well.)
    (7) Pot the damned device in epoxy.