Slashdot Mirror

← Back to Stories (view on slashdot.org)

Self-Destructing USB Stick

Posted by samzenpus on from the secure-the-bits dept.

Hugh Pickens writes "PC World reports that Victorinox, maker of the legendary Swiss Army Knife, has launched a new super-secure memory stick that sounds like something out of Mission: Impossible. The Secure Pro USB comes in 8GB, 16GB, and 32GB sizes, and provides a variety of security measures including fingerprint identification, a thermal sensor, and even a self-destruct mechanism. Victorinox says the Secure is 'the most secure [device] of its kind available to the public.' The Secure features a fingerprint scanner and a thermal sensor 'so that the finger alone, detached from the body, will still not give access to the memory stick's contents.' While offering no explanation how the self-destruct mechanism works, Victorinox says that if someone tries to forcibly open the memory stick it triggers a self-destruct mechanism that 'irrevocably burns [the Secure's] CPU and memory chip.' At a contest held in London, Victorinox put its money where its mouth was and put the Secure Pro to the test offering a £100,000 cash prize ($149,000) to a team of professional hackers if they could break into the USB drive within two hours. They failed."

23 of 223 comments (clear)

  1. What if they cut the finger and heat it by unity100 · · Score: 5, Insightful

    to 37 degrees celsius ?

    --
    Read radical news here
    1. Re:What if they cut the finger and heat it by jamesh · · Score: 5, Insightful

      Or alternatively, find someone the owner of the USB stick cares about and threaten to cut off that persons finger if the owner doesn't cooperate.

    2. Re:What if they cut the finger and heat it by Anonymous Coward · · Score: 5, Funny

      http://xkcd.com/538/

    3. Re:What if they cut the finger and heat it by John+Hasler · · Score: 4, Insightful

      Some guy who finds your USB stick on the train isn't going to hunt you down and beat the password out of you. If he had motive and opportunity to do that he would already have done it.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  2. Two hours? by mog007 · · Score: 5, Insightful

    Presumably, if you had physical access to the drive, wouldn't you have more time to crack it than two hours?

    --
    Learn something new.
    1. Re:Two hours? by compro01 · · Score: 4, Interesting

      And people have never lied about that before.

      --
      upon the advice of my lawyer, i have no sig at this time
    2. Re:Two hours? by somersault · · Score: 4, Funny

      Except that anyone using a secure USB stick as the only copy of important data deserves to loose it if they loose the password.

      Dear gods man, twice in the same sentence? WHAT HAVE YOU DONE?!! Run, before the most foul ranks from the deepest depths of nether spelling nazi hell are unleashed and rain their fiery vengeance upon you!

      --
      which is totally what she said
    3. Re:Two hours? by spacerog · · Score: 4, Insightful

      "At a contest held in London, Victorinox was offering a £100,000 cash prize ($149,000) to a team of professional hackers if they could break into the USB drive within two hours. They failed."

      Umm, they weren't Pros. The contest was open to anyone who preregistered and you got to keep the knife after the contest. Not only that there were several restrictions on the contest. First you have to live in the UK, preregister and you only get two hours. Because ya know the bad guys always tell you who they are and always give up after two hours. Oh, and you have to be present to win, no Internet based attacks, you can only use Windows 64bit or whatever Linux flavor they are providing and of course you have to give up your exploit if you win. All that and more for a measly hundred thousand pounds? Yeah, no thanks, but hey it makes for great publicity and it is a cool knife.

      So called "Hacker Challenges" are not a valid security assessment.

      - Space Rogue

    4. Re:Two hours? by TheRaven64 · · Score: 4, Interesting

      Mod parent up. Apple's File Vault, for example, stores the key in a silly way, which reduces the effective key length of their 128-bit AES implementation to something closer to 112 bits. Given that the recent attacks on AES reduce the complexity further, so File Vault with AES-128 is creeping closer to being feasible to crack. Hardware AES is potentially vulnerable to side-channel attacks.

      If the drive is secure, you don't give attackers 2 hours to break it, you publish the implementation details and give a prize to the first person to demonstrate a feasible attack with this knowledge.

      --
      I am TheRaven on Soylent News
    5. Re:Two hours? by Rich0 · · Score: 4, Interesting

      Yup.

      Plus, if somebody did need to crack one of these within two hours of getting their hands on it with minimal equipment this isn't how they'd go about it.

      Step one for an attacker would be to go to a store and just buy a dozen of these USB drives. Then they attack the drives from home with a full machine shop, a clean room, electron microscopes, logic analyzers, FPGAs, and the works.

      Then they figure out how to defeat the devices defenses, and then package that up into a minimal set of tools and steps needed to accomplish the feat in a few minutes.

      Then when they steal the device they already know exactly what they're doing and it takes them no time at all.

      It would be like a bank robber deciding on a whim to break into a bank, without checking plans, casing the place, identifying the vault make/model, etc. Like anything, a quickly executed mission depends on good planning.

  3. Thermal sensor? by zmotula · · Score: 5, Insightful

    The Secure features a fingerprint scanner and a thermal sensor 'so that the finger alone, detached from the body, will still not give access to the memory stick's contents.'

    Surely if somebody can chop off your finger he can also warm it up?

  4. Won't help you by Lorens · · Score: 4, Funny

    Against the trojan on the computer you hook it up to.

    The knife might be useful for cutting off your finger though.

  5. Re:Shame it has a knife on it by boef · · Score: 4, Funny

    Indeed.
    Not only do you have to let it out of your sight/control if you fly, it also comes with a built in way for someone to threaten you or cut off your finger (and use it quickly.. they are not nice to touch once they go cold)

  6. Excuses, Excuses by kiehlster · · Score: 4, Funny

    Teacher, I swear I wrote up the entire 40 page paper, but I burned my thumb really bad the other day and when I went to retrieve my paper, it exploded.

  7. A small flaw in the test plan... by WWWWolf · · Score: 5, Funny

    "...if they could break into the USB drive within two hours. They failed."

    Am I completely deluded if I think that if crackers have a physical access to a USB drive, they just may be able to withhold it for more than two hours? Maybe I'm proposing a completely implausible scenario here, but suppose the USB drive has been "stolen" (a term which means "physically removed from the possession of the legitimate owner" for those who don't grok this high-tech security lingo) - in such case, the legitimate owner may, theoretically, need more than 2 hours to recover the USB drive, and the attacker can use a longer period of time to their advantage. I remember reading in the literature that "stolen" USB drives may, in some cases, be recovered days, weeks, months later - and in many cases, they may never be recovered. Whether that qualifies as significantly longer than 2 hours, I don't know. I'm not an expert.

    In case you're wondering, no, I don't put much faith in hacking contests, especially if the scenarios they test have small obvious flaws like this. =)

  8. Re:What if they just breathe at the sensor? by fuzzyfuzzyfungus · · Score: 4, Interesting

    Just for curiosity's sake, I'm trying to think of how difficult that would actually be....

    Exposing blood to air gives your pretty decent oxygen saturation. Doing that for any great length of time is likely to cause clotting or other nastiness, so it isn't exactly an alternative to the "lung" side of "heart lung machine"; but this isn't medicine we are talking about, just fooling a sensor. In the same vein, the sensor isn't going to care about blood type, immune matching, or anything like that. Also, a finger doesn't have that much volume to in. A few CCs of fresh blood(from say, yourself, or the same guy you took the finger from), exposed to air for a few seconds, would be fine.

    Pulse could presumably be simulated with a low power pump(perhaps a small peristaltic unit), with its power supply being turned on and off at roughly the right frequency. I can't imagine that huge exactness is required, since the pulse rates of humans vary fairly widely with conditions, and people would be pissed if their fingerprint scanner doesn't work if they've just run up a flight of stairs, or are freaking out about the big presentation in 20 minutes.

    The real difficulty, or lack thereof, would really come down to the artery/vein structure of the finger. If you can get away with just connecting to a couple of big blood vessels and ignoring some minor leakage(since this is all temporary and nonmedical), an amateur willing to just shove a few little tubes in there should do fine. If the sensor can detect(and is tuned to care about) the details of the vascalature, you'd pretty much need a cooperative microsurgeon, a fancy microscope, and real surgical kit. That would probably be problematic for most applications.

    Obviously, the above would be a huge pain in the ass, even under good conditions, and is highly unlikely to be worth it(probably easier just to show the owner of the finger your pair of bolt cutters, and let him operate the scanner for you, unless you are in an environment where the cameras would pick up on that, in which case the above described apparatus could, quite plausibly, be fit down the sleeve of a not-too-suspicious garment).

    Perhaps more practical, I wonder how difficult it would be to produce a variant of the classic "gelatin finger with correct fingerprint" that reads as having oxygen sat and a pulse? Would one made of blood agar return plausible results under optical oxygen saturation tests? If so, that's raise the bar from "supermarket" to "laboratory supply house"; but that wouldn't be too bad. For pulse, the question is "how complex does your simulated vasculature have to be?" Any decently competent modeler can probably mould a simple circulatory loop into a gel finger; but achieving an actual capillary structure is sci-fi self-assembling nanomaterials stuff...

  9. I predict by Anonymous Coward · · Score: 5, Insightful

    that within 1-2 months we will find out that:

    1) the finger print scanner is not actually linked to the encryption key, but is just to "power on" the device.

    2) the encryption key is processed in host (windoze) based software and that a usb control packet (the exact same packet for all devices) is simply sent to the onboard controller to tell it to "allow access".

    3) the encryption, while purporting to be aes256, is so poorly implimented that it in effect becomes a 16-bit key, thereby becoming brute-forcable on an old C-64 in only 2 days.

  10. Article is exaggerating things just a tad... by AllynM · · Score: 4, Interesting

    I saw a self-destructed sample of this unit at CES in January. It did not self destruct from an opening attempt, as opening those is quite easy. The drive is enclosed by a simple clear plastic shell (not epoxy filled). The 'destruction' was caused by presumably supplying voltage in excess of the USB spec. You could literally pry the plastic off of the USB drive with the included knife, and it would work just fine (sans enclosure).

    Also, it would be nice if PCWorld at would at least get the name of these things correct:
    http://www.swissarmy.com/multitools/Pages/Category.aspx?category=presentation+pro&

    Perhaps the USB-only part is dubbed 'Secure', but you won't ask for that name when you want to buy one.

    Allyn Malventano
    Storage Editor, PC Perspective

    --
    this sig was brought to you by the letter /.
  11. Re:Shame it has a knife on it by jweller · · Score: 4, Informative

    I doubt very seriously that it's incendiary. I would guess that it is electrical in nature. I built an anti tamper device before and used a 300v photo flash cap run down the ground rail. VERY effective. Actually blew some SMB components off of the board and set several tantalum capacitors on fire.

    Although I guess that could be considered incendiary....

  12. Re:You're naive. by Anonymous Coward · · Score: 5, Informative

    Human life is worthless to criminals.

    Human life is worthless to murderers. The term criminals covers a wide variety of law-breakers from litterers to mass-murderers.

  13. Victorinox by Ukab+the+Great · · Score: 4, Funny

    When are they going to make a USB Stick with a corkscrew? I might just need to recover with a bottle of wine after my thumb drive destroys itself.

  14. Re:You're naive. by Ihmhi · · Score: 4, Insightful

    With the insane amount of laws most industrialized nations have on the books, everyone is a criminal. They like it that way. They'll always have something to hold over your head to get you to cooperate.

    Take an afternoon, head to your local library, and just read up on your local laws - city, town, county, whatever the smallest area of government you can narrow it down to. Good luck figuring that stuff out, much less following every single one without breaking any.

    --
    Random Thoughts From A Diseased Mind (Not For Dummies)
  15. A good Offensive is teh best Defense... by DarthVain · · Score: 4, Funny

    Rather than try to "protect" the data contained within a thumb stick (which is kind of passive if you think about it), why not actively try to destroy all data to whatever is connected to the thumb stick instead...

    Criminal: "Ha! I stole this thumb stick from that stupid corporation, and I am sure it is just stuffed with credit card info! Now to just use these easily available utilities I found online to crack it..."
    Plugs in device
    PC: "Password: "
    Criminal: "Pffft I can just ignore that, now where did I put that cracker utility..."
    PC: "Timeout. Initiating self destruct!"
    Criminal: "Pfft as if it is going to blow up or something, what a joke..."
    PC: "Virus Loaded....Deleting all files.... Complete. Have a nice day!"
    Criminal: "....."
    Criminal: "....."