Fed Certified Flash Drives Easily Hacked

USB flash drives that encrypt stored data using AES 256-bit hardware encryption are designed to meet the most stringent of security requirements. These drives -- produced by multiple manufacturers -- are FIPS 140-2 Level 2 certified by the US National Institute of Standards and Technology (NIST), designating them appropriate for sensitive government uses.

But as recently described on The H Security, security experts have found these drives to be surprisingly simple to hack, leaving potentially sensitive data extremely vulnerable.

The USB drives in question encrypt the stored data via the practically uncrackable AES 256-bit hardware encryption system. Therefore, the main point of attack for accessing the plain text data stored on the drive is the password entry mechanism.... During a successful authorisation procedure the program will, irrespective of the password, always send the same character string to the drive after performing various crypto operations.... Cracking the drives is therefore quite simple. [Security] experts wrote a small tool for the active password entry program's RAM which always made sure that the appropriate string was sent to the drive, irrespective of the password entered and as a result gained immediate access to all the data on the drive.

Manufacturers of these drives have had varied responses to the discovered flaw -- from a complete product recall in one case, to software updates in other instances. There has, however, been no comment from the NIST regarding the effect this discovery may -- or may not -- have on the products' FIPS 140-2 certifications.
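
The flaw quoted above comes down to an unlock message that does not depend on the password. The sketch below is an added example, not code from The H Security or from any drive vendor: it models that design beside one possible alternative in which the drive itself checks a password-bound response to a fresh nonce. The fixed string, class and function names, and message formats are all constructed for illustration.

```python
import hashlib, hmac, os

# Constructed model: the fixed string, salts and message formats are assumptions.
STATIC_UNLOCK = b"FIXED-UNLOCK-STRING"  # placeholder, not a real vendor value

def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class FlawedDrive:
    """Opens on one fixed string; the password is only ever checked on the host."""
    def unlock(self, message: bytes) -> bool:
        return hmac.compare_digest(message, STATIC_UNLOCK)

def flawed_host_message(password, salt, stored_hash):
    # Host verifies the password itself, then sends the same string every time.
    ok = hmac.compare_digest(derive(password, salt), stored_hash)
    return STATIC_UNLOCK if ok else None

class HardenedDrive:
    """Verifies a response bound to the password and to a fresh nonce."""
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self._key = derive(password, self.salt)  # held inside the device
        self._nonce = None
    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)
        return self._nonce
    def unlock(self, response: bytes) -> bool:
        if self._nonce is None:
            return False
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        self._nonce = None  # one attempt per challenge
        return hmac.compare_digest(response, expected)

def hardened_host_message(password, salt, nonce):
    return hmac.new(derive(password, salt), nonce, hashlib.sha256).digest()

def audit():
    """Design-review check: does the unlock message depend on the password?"""
    salt = os.urandom(16)
    m1 = flawed_host_message("alpha-pass", salt, derive("alpha-pass", salt))
    m2 = flawed_host_message("bravo-pass", salt, derive("bravo-pass", salt))
    d1, d2 = HardenedDrive("alpha-pass"), HardenedDrive("bravo-pass")
    h1 = hardened_host_message("alpha-pass", d1.salt, d1.challenge())
    h2 = hardened_host_message("bravo-pass", d2.salt, d2.challenge())
    wrong = hardened_host_message("guess", d1.salt, d1.challenge())
    return {"flawed_same": m1 == m2, "hardened_same": h1 == h2,
            "correct_accepted": d2.unlock(h2), "wrong_rejected": not d1.unlock(wrong)}
```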