Self-Destructing USB Stick
Hugh Pickens writes "PC World reports that Victorinox, maker of the legendary Swiss Army Knife, has launched a new super-secure memory stick that sounds like something out of Mission: Impossible. The Secure Pro USB comes in 8GB, 16GB, and 32GB sizes, and provides a variety of security measures including fingerprint identification, a thermal sensor, and even a self-destruct mechanism. Victorinox says the Secure is 'the most secure [device] of its kind available to the public.' The Secure features a fingerprint scanner and a thermal sensor 'so that the finger alone, detached from the body, will still not give access to the memory stick's contents.' While offering no explanation how the self-destruct mechanism works, Victorinox says that if someone tries to forcibly open the memory stick it triggers a self-destruct mechanism that 'irrevocably burns [the Secure's] CPU and memory chip.' At a contest held in London, Victorinox put its money where its mouth was and put the Secure Pro to the test offering a £100,000 cash prize ($149,000) to a team of professional hackers if they could break into the USB drive within two hours. They failed."
to 37 degrees Celsius?
Read radical news here
Presumably, if you had physical access to the drive, wouldn't you have more time to crack it than two hours?
Learn something new.
I thought that we had stopped 10 years ago considering such scam contests as serious security proof?
Surely if somebody can chop off your finger he can also warm it up?
This message will self destruct in 30 seconds...
It's because I'm new here isn't it?
Just remember to take it out of your pocket before getting back on that plane.
I'd be interested in one without the knife as something to play with, but I'm not sure I want to carry all the rest of it around with me (I'm not some knife freak, but I want a USB stick to be just a USB stick).
Cut off the finger, stick in mouth, then use.
Against the trojan on the computer you hook it up to.
The knife might be useful for cutting off your finger though.
Teacher, I swear I wrote up the entire 40 page paper, but I burned my thumb really bad the other day and when I went to retrieve my paper, it exploded.
Only 2 hours? What, are they scared that this thing will be crackable in 3? Seriously, if you are buying one of these to keep something secret on, and you lose it, it will have to remain resistant to attacks for way longer than that.
This is (of course) just a cheap publicity stunt.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
I'm doing fine destroying USB sticks on my own... why would I ever want to do so deliberately... can't count how many have gone through the wash. I've run a couple over with my car... My kids who think they can be jammed into the airconditioning slots in the car... sigh...
http://www.beanleafpress.com
Does it have a physical read/write switch?
Here is a picture of the launch event. (safe for work. Really!) Surely a hacker who looks like that must be an expert in hacking USB sticks. ;)
Srsly.
I'm yet to see any USB stick or memory card which I consider "secure." Most of them just use poor software tricks and hacks to secure data, and often do so far worse than off the shelf security software like TrueCrypt. To be honest the best security mechanism you could put on a USB stick would be a physical lock to slow someone down who DOESN'T want you to know they're accessing your drive (e.g. Wife, Coworker, Friends, etc). Just a little rolling combination lock with three digits would slow someone down by at least an hour.
Watch them try to push this as the next anti-piracy technology.
So she could not use the device. Security should have fingerprint, strong password, challenge question and voice recognition.
Help end the use of Sigs. Tomorrow
No detached fingers necessary. Many scanners can be fooled by "reactivating" the most recent fingerprint with the moisture in the exhaled air.
And _really_ professional fingerprint scanners don't check temperature, they check blood oxygen saturation and pulse. That makes cutting off any appendages pretty much a non-issue - it's easier to fool the thing with a dummy finger (or the actual finger that's still attached to the unconscious or otherwise compliant owner) than trying to simulate blood oxygen saturation and pulse with a detached finger.
"...if they could break into the USB drive within two hours. They failed."
Am I completely deluded if I think that if crackers have a physical access to a USB drive, they just may be able to withhold it for more than two hours? Maybe I'm proposing a completely implausible scenario here, but suppose the USB drive has been "stolen" (a term which means "physically removed from the possession of the legitimate owner" for those who don't grok this high-tech security lingo) - in such case, the legitimate owner may, theoretically, need more than 2 hours to recover the USB drive, and the attacker can use a longer period of time to their advantage. I remember reading in the literature that "stolen" USB drives may, in some cases, be recovered days, weeks, months later - and in many cases, they may never be recovered. Whether that qualifies as significantly longer than 2 hours, I don't know. I'm not an expert.
In case you're wondering, no, I don't put much faith in hacking contests, especially if the scenarios they test have small obvious flaws like this. =)
It burns the inside when opened? Let's see what happens when you pry it open while pouring liquid helium over it.
This reminds me of the IBM Secure Cryptoprocessors, which are *pretty much* physically secure. But still people get in now and then usually through software or neat stasis tricks so the device can't respond to your intrusion.
coool! now people can steal company secrets securely :-D
Now Jason can keep one of these around to keep his Swiss bank account number on. No need for invasive butch^H^H^H^H^Hsurgery or fancy projection systems. He just needs to try to keep his fingers out of frigid sea water.
Free, as in your money being freed from the confines of your account.
That's barely enough time to even read the specifications. To be taken seriously, the challenge should have given them at least a week, possibly several.
For keeping my secrets safe for two hours, I wouldn't need to shell out that much money...
In reality the reaction is to just start killing or maiming people until you cooperate.
Truly I tell you, Randall knows of your problems, and he maketh them amusing.
Last week in Texas, three men with assault rifles attempted to ambush and execute a family of four to steal the rims from their SUV. Human life is worthless to criminals.
that within 1-2 months we will find out that:
1) the fingerprint scanner is not actually linked to the encryption key, but is just to "power on" the device.
2) the encryption key is processed in host (windoze) based software and that a usb control packet (the exact same packet for all devices) is simply sent to the onboard controller to tell it to "allow access".
3) the encryption, while purporting to be aes256, is so poorly implemented that it in effect becomes a 16-bit key, thereby becoming brute-forceable on an old C-64 in only 2 days.
Some mornings I can't get into my own e-mail account in under two hours, why so low? Why not.. three?
Here's guessing a blogger will get into one by next month.
-- 'The' Lord and Master Bitman On High, Master Of All
I saw a self-destructed sample of this unit at CES in January. It did not self destruct from an opening attempt, as opening those is quite easy. The drive is enclosed by a simple clear plastic shell (not epoxy filled). The 'destruction' was caused by presumably supplying voltage in excess of the USB spec. You could literally pry the plastic off of the USB drive with the included knife, and it would work just fine (sans enclosure).
Also, it would be nice if PCWorld would at least get the name of these things correct:
http://www.swissarmy.com/multitools/Pages/Category.aspx?category=presentation+pro&
Perhaps the USB-only part is dubbed 'Secure', but you won't ask for that name when you want to buy one.
Allyn Malventano
Storage Editor, PC Perspective
this sig was brought to you by the letter
The self destruct mechanism link in TFA is a link to a review of Ironkey's self destruct. I was going to say, this isn't anything new. I had a Sandisk brick itself when it could not be ejected. We switched to Ironkey. We haven't had any problems with these and the encryption is hardware based so it is pretty fast. There is an option to have the drive be capable of being reformatted if you can't enter the password within 10 attempts.
I have not had a lot of love for fingerprint scanners. I think I will stay with Ironkey.
...can I get one? I mean: my tax eviction records should be backed up somewhere, some day...
Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
Is it just me thinking this or are the "other features" such as a knife blade, etc. going to cause me more security problems than this thing is worth?
When are they going to make a USB Stick with a corkscrew? I might just need to recover with a bottle of wine after my thumb drive destroys itself.
There should be a MacGyver episode where he uses the self-destructing USB swiss army knife as a detonator of some explosives he concocted in order to escape some thug...
I once had a signature.
I ran over a cheapo USB flash drive with my car (2100lb. sports coupe). The connector needed to be bent back into shape, and the plastic casing is badly damaged but it still works fine to this day.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Magnesium. Case closed.
China builds these for them. And they will be loaded with viruses and will destruct at very strange times.
I prefer the "u" in honour as it seems to be missing these days.
You're thinking about the problem all wrong - you don't need to recreate the environment that the sensor expects, you need to deliver the response that it wants. Most blood oxygen and pulse sensors are merely combinations of LEDs and photosensors which look for the amount of light reflected back and track its variation.
All you need to fool one of these is a gummy frog with an embedded LED that will provide the necessary feedback. Add a rubber cement cast of the subject's fingerprint and you're golden. The implementation is left as an exercise for the reader ;^)
"Space Exploration is not endless circles in low earth orbit." -Buzz Aldrin
The infamous smart cards used by cell phones and governments do this but on a smaller scale. After several failed attempts to use your PIN the secrets (keys, certs, data) on the card are erased. Actually, a circuit physically burns out the memory and permanently disables it. The card must be replaced with a new one at your local smart card processing office.
Kriston
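Added example, not part of any comment in this thread and not any vendor's code: a software model of the wipe-after-N-failed-attempts behaviour that the smart card and Ironkey comments above describe. The class name, the PIN and the 3-attempt limit are hypothetical, and the secret is a constructed sample value.

```python
import hashlib
import hmac
import os


class SelfWipingToken:
    """Hypothetical model: erase the stored secret after too many bad PINs."""

    def __init__(self, pin: str, secret: bytes, max_attempts: int = 10):
        self._salt = os.urandom(16)
        self._verifier = self._derive(pin)   # only a salted hash of the PIN is kept
        self._secret = bytearray(secret)     # mutable so it can be overwritten
        self._max = max_attempts
        self._remaining = max_attempts

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    @property
    def wiped(self) -> bool:
        return self._secret is None

    def unlock(self, pin: str):
        """Return the secret for a correct PIN, otherwise None."""
        if self.wiped:
            return None
        # Spend the attempt BEFORE verifying, so interrupting the check
        # (for example by cutting power) never yields a free guess.
        self._remaining -= 1
        if hmac.compare_digest(self._derive(pin), self._verifier):
            self._remaining = self._max      # success resets the counter
            return bytes(self._secret)
        if self._remaining == 0:
            self._wipe()
        return None

    def _wipe(self):
        # Overwrite in place, then drop the references.
        for i in range(len(self._secret)):
            self._secret[i] = 0
        self._secret = None
        self._verifier = None


def demo():
    # Constructed sample values, with a limit of 3 to keep the run short.
    token = SelfWipingToken("4821", b"constructed-sample-key", max_attempts=3)
    guesses = ("0000", "4821", "1111", "2222", "3333", "4821")
    return [token.unlock(g) for g in guesses], token.wiped
```

The last guess is the correct PIN and still fails, because the three consecutive wrong guesses before it already erased the secret.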
Rather than try to "protect" the data contained within a thumb stick (which is kind of passive if you think about it), why not actively try to destroy all data to whatever is connected to the thumb stick instead...
Criminal: "Ha! I stole this thumb stick from that stupid corporation, and I am sure it is just stuffed with credit card info! Now to just use these easily available utilities I found online to crack it..."
Plugs in device
PC: "Password: "
Criminal: "Pffft I can just ignore that, now where did I put that cracker utility..."
PC: "Timeout. Initiating self destruct!"
Criminal: "Pfft as if it is going to blow up or something, what a joke..."
PC: "Virus Loaded....Deleting all files.... Complete. Have a nice day!"
Criminal: "....."
Criminal: "....."
Not sure about being run over by cars though; a titanium cased one perhaps?
The Titanium USB flash drives are not made with titanium cases. The cases are cheap steel. The first generation ones were made with a titanium "coated" finish, but still a steel case. I have several and a magnet sticks to them, and you can crush the case flat, a lot easier than you'd think.
If the case was real titanium, it would be a quite springy metal that would return back to its original shape under mild physical almost-crushing force.
This thing already exists. Its called the Ironkey and it actually got FIPS approval which goes a little past giving a couple of people two hours to break into the flash drive.
The Achilles' heel here is that it likely uses magnetic memory. Find something capable of identifying magnetic charges with an adequate resolution (passive MRI?) or perhaps an electron micrograph of the internals of the storage medium, and an analysis of the magnetic domain arrangement could potentially yield the useful information you're looking for. Granted, it'd probably roast the thing beyond redemption, but a picture is worth a thousand words, and it wouldn't take 2 hours to get that picture, assuming a mobile setup. The process for doing this, mind you, would NOT be trivial, expensive, cumbersome, and might require a mobile computer with a fair amount of processing power to analyze the image, but a dedicated government entity, or even a well funded criminal organization (drug cartels, anyone?) could manage to implement this. Just reinforces the old adage, if two people know about it, it's not a secret.
A far easier circumvention method, though, and an obvious one, would be to compromise the system on which it is being read. The USB stick might be secure, but highly doubtful the reading unit (PC, Mac, etc, pick your poison) will be equally so, or even more fundamental, the "monkey in the middle" handling the blasted thing. People are largely more easily compromised than any system ever could be, just appeal to any of the "MICE" conditions (Money, Ideology, Conscience, Ego), and you're all set.
Why buy some fancy thing when you could D.I.Y. with a commodity drive with a TrueCrypt filesystem on it?
The city of Gainesville, Georgia has a local ordinance that says it is illegal to eat fried chicken with anything other than your fingers. Apparently it was adopted in 1961 as a joke back in the day when Gainesville was considered the chicken capital of the southeast, and the main restaurant in town wanted to show off its cooking. Apparently, they still enforce this now and then. ;-)
I'm not tense. I'm just terribly, terribly, alert.
Give them a month or two and see what happens.
Guarding against crackers that have a limited amount of time might be a worthwhile goal, but it _must not_ be the standard you design by.
So now, if somebody wants to sabotage a data collection effort, they don't need to connect the storage device to a system and delete/scramble its data. They don't need to do anything major to physically destroy the device. They simply need to learn the minimum 'tamper' thing needed to cause the storage device to brick itself. And the owner of the device probably doesn't even need to find out until much later, when it's too late, that the data is gone.
...because if you try to bring it in cabin, or forget to leave it inside your luggage, the customs will nicely autodestruct it for you
Or you'd just pay Chipworks to do it for you
If they can put back together an EEPROM from a data recorder from the Swissair 111 crash where the chip was partially destroyed, they should have no problem whatsoever taking apart a USB key fob to get the data out. Plus their prices for something like this are generally less than the prize that was offered.
http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=00922915
...or if not the Canadians, give it to the Australians:
http://portal.acm.org/citation.cfm?id=1363217.1363243
Or trojan the machine they plug it into and wait for it to be unlocked.
-- Terry
Oh great, just another tool for the Islamists to ignite their privates with :0)
FragHARD or don't frag at all
I just want to know how they tested the detached finger scenario.... "Hey Frank, Wanna lend a hand on this test?"
In two hours? What a lame test. That makes me trust the product less than if they didn't bother doing a contest at all. Giving the attackers 100 units (and providing more upon request) and giving them 6 months would be reasonable.
Make it self destruct.
Analyse the residues.
Implement Counter Measures.
Extract Chips.
Begin cryptanalysis of Chips
Figure it all out - eventually.
Voting up, Voting down - If I really gave a fuck about your approval or not, I'd come and ask you.
Hmmm. I think I could like that place. Do they have an ordinance against using cutlery for eating pizza?