Slashdot Mirror


7 Secure USB Drives Reviewed

jcatcw writes "Computerworld has reviewed seven USB drives that use either encryption or a physical keypad to protect stored data, and found big differences in I/O speeds, ease of use and strength of security. In the case of the drive using a key pad, the editors were able to break open the device and access the data, bypassing the PIN security. They also state that there is little difference between 128-bit and 256-bit AES encryption because neither has been broken yet. The drives reviewed were the SanDisk Cruzer, the Lexar JumpDrive, the Kingston DataTraveler, the Imation Pivot Plus, the Corsair Survivor, the Corsair Padlock and the IronKey Secure USB Drive. The editors chose the IronKey as the most secure."

6 of 146 comments

  1. not as secure as it could be by v1 · · Score: 4, Interesting

    One of our vendors sent us a demo drive. It was a small enclosure for a laptop-size drive, and had a FireWire interface. Instead of two FireWire ports on the back, it had a FireWire port and another identical-looking FireWire port, which was for the key. I assume the key was merely a very small FireWire flash drive with the encryption key on the drive.

    The vendor assured us it was properly secured, and I got first crack at it. We were quite disappointed.

    I found that while each block on the hard drive WAS encrypted (by the firewire-to-ide bridge board), they were each encrypted using the same key, and no salt. This means that every block was encrypted in the same way.

    This by itself probably seems harmless, but it reveals information that should not be revealed. Let me propose a scenario:

    I engineer myself a position working at a rival company, and get physical access to their R&D lab, unsupervised. I have a 1/2 hr lunch break of time to find the drive containing the company's secret recipes. I open the cabinet and find 30 of these secured drives. I was intending on taking the drive and copying it, but Christ, there's 30 of them. I brought along a portable 1gb drive which would fit maybe 5 of them, but not 30.

    So which ones do I copy? The bad news... I can tell which ones to copy.

    I can look at the blocks on the disk and immediately spot any drives that have not been formatted, because their first 50 blocks are all going to contain the same random garbage in each block. OK that narrows it down to 8 drives. I can only image 5. So I look further.

    I can now tell which drives are formatted FAT32, APS (Apple HFS), etc. I can do this because I know what blocks are zeros (because there are a lot of them and they are all the same) and so I can tell which bytes in the other blocks are NOT zeros, and this makes determining format AND used space trivial. I know the drive I'm looking for is FAT32, and that breaks it down to 3 drives. I could just go with the one drive that clearly has 30 gb used on it, and skip the others that appear very lightly used, but this has given me plenty of time so I happily image the 3 drives to my portable and sneak out in under 20 minutes.

    Now of course we have to break the data, but the moral of the story here is, they allowed me way too much information from the supposedly secure drive, and it was enough to make what could have been a fruitless attempt into what may be a very successful attempt.

    I brought this issue to the manufacturers, and was brushed off. They did not consider this a problem. riiiiight.

    --
    I work for the Department of Redundancy Department.
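
An added example, not part of the original comment and not the vendor's code: an acceptance check for the weakness described above, where every block is encrypted the same way. It assumes 512-byte sectors and uses SHAKE-256 as a stand-in for the bridge board's cipher; all names and the sample image are constructed for illustration.

```python
import hashlib
from collections import Counter

SECTOR = 512  # assumed sector size


def encrypt_sector(key, sector_no, data, tweaked):
    """Stand-in for the bridge board's cipher (assumption): a keyed hash
    stretched to one sector. It cannot be decrypted; it only models whether
    the sector number is mixed into the encryption."""
    tweak = sector_no.to_bytes(8, "big") if tweaked else b""
    return hashlib.shake_256(key + tweak + data).digest(SECTOR)


def encrypt_image(key, plain, tweaked):
    return b"".join(
        encrypt_sector(key, off // SECTOR, plain[off:off + SECTOR], tweaked)
        for off in range(0, len(plain), SECTOR)
    )


def split_sectors(image):
    return [image[off:off + SECTOR] for off in range(0, len(image), SECTOR)]


def duplicate_report(image):
    """Return (share of sectors equal to the most common one, distinct count)."""
    sectors = split_sectors(image)
    counts = Counter(sectors)
    return counts.most_common(1)[0][1] / len(sectors), len(counts)


def sectors_unlike_filler(image):
    """Indices of sectors that differ from the most common ciphertext sector.
    With no per-sector tweak this is a map of the non-empty plaintext."""
    sectors = split_sectors(image)
    filler = Counter(sectors).most_common(1)[0][0]
    return [i for i, s in enumerate(sectors) if s != filler]


# Constructed plaintext: 8 distinct "metadata" sectors, then 56 zero sectors.
KEY = b"constructed-demo-key"
PLAIN = b"".join(bytes([n]) * SECTOR for n in range(1, 9)) + bytes(SECTOR * 56)
WEAK = encrypt_image(KEY, PLAIN, tweaked=False)   # same key, nothing per-sector
FIXED = encrypt_image(KEY, PLAIN, tweaked=True)   # sector number mixed in

if __name__ == "__main__":
    print("weak :", duplicate_report(WEAK), sectors_unlike_filler(WEAK))
    print("fixed:", duplicate_report(FIXED), len(sectors_unlike_filler(FIXED)))
```

Any repeated ciphertext sector in a raw image read from a drive under evaluation is grounds to reject it: with a per-sector tweak or IV, two equal 512-byte ciphertext sectors should not occur.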
  2. Re:IronKey and OSX/Linux/etc by AMuse · · Score: 2, Interesting

    FYI I am using an IronKey (4GB Enterprise edition) right now on a Mac OSX box with the key formatted with FAT32.

    It works wonderfully on the Mac for basic encryption/decryption/file access, and I am also mounting it to a WinXP virtual image within VMWare Fusion. The VM XP thing works flawlessly, including auto-mounting, and I initialized the key on the VM prior to using it on the Mac.

    The company promises Linux drivers soon.

  3. No BioStik review? by fialar · · Score: 3, Interesting

    A few years ago I bought a 1 gigabyte BioStik and it works really well. It can read 2 fingerprints. The only downside is, you need to actually issue the Linux 'eject' command (or in Windows the remove safely option) or else the filesystem basically gets corrupted. Other than that, it's a great stick and quite secure. It has anti-tampering on it, so if someone tries to open it up, it immediately wipes the disk clean.

  4. Re:Truecrypt: Linux, OS X, and Windows. Free. by bytesex · · Score: 2, Interesting

    A good solution would be where the drive holds a little (rechargeable) battery, which can use an LED to display whether we're in locked or unlocked mode, plus a little keypad (like the one on a briefcase, with wheels, but then electronic, and larger (more numbers)) to unlock it. You have to unlock it just before you enter it into the USB slot, and it will lock automatically when you take it out. The drive is naturally locked (that is, the data is stored encrypted), and the voltage on the USB drive feeds a decryption mechanism on a little extra chip. Does this stuff exist yet?

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
  5. Ahem, Iron Key reliability? by imstanny · · Score: 2, Interesting

    A friend of mine ordered the Iron Key a few months ago. It didn't work at all, so he sent it back for a replacement. The replacement broke after 3 days. I would think reliability should be incorporated into the 'security' factor. If the data is lost, even if it's into thin air, that's not very secure at all. So the question is: was my friend's experience with the Iron Key an isolated incident/bad luck, or is there indeed a reliability problem (and thus a security problem) with the Iron Key??

  6. What a surprise... by damn_registrars · · Score: 2, Interesting

    The winner was the same product that I see advertised here on slashdot while typing this response.

    I'm sure that's just pure coincidence, though.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.