IronKey Response to USB Vulnerability Report

AA-03291

IronKey Response to USB Vulnerability Report

USB Vulnerabilities Exploited – IronKey Customers Protected!
January 5, 2010

1. What is the news relating to a hack of NIST-certified USB Flash drives with hardware encryption?

On January 4, 2010, it was widely reported that certain hardware-encrypted USB flash drives have been hacked. The vendors affected are SanDisk, Kingston and Verbatim. Of particular concern is that some of these devices have received FIPS 140-2 Level 2 security validation from the US Government organization NIST. FIPS 140-2 security validation is required for Government agencies to use encryption products.

Reports on the details of the vulnerabilities, and how to hack these devices, have been published by German security firm SySS. The affected devices include:

* SanDisk Cruzer® Enterprise FIPS Edition with McAfee USB flash drive, CZ46 - 1GB, SanDisk Cruzer® Enterprise FIPS Edition USB flash drive, CZ32 - 1GB, 2GB, 4GB, 8GB
* SanDisk Cruzer® Enterprise with McAfee USB flash drive, CZ38 - 1GB, 2GB, 4GB, 8GB
* SanDisk Cruzer® Enterprise USB flash drive, CZ22 - 1GB, 2GB, 4GB, 8GB
* Kingston DataTraveler BlackBox (DTBB)
* Kingston DataTraveler Secure – Privacy Edition (DTSP)
* Kingston DataTraveler Elite – Privacy Edition (DTEP)
* Verbatim Corporate Secure FIPS Edition USB Flash Drives 1GB, 2GB, 4GB, 8GB
* Verbatim Corporate Secure USB Flash Drive 1GB, 2GB, 4GB, 8GB


2. What is the vulnerability?

The vulnerability is an architectural flaw in the design of those affected products. Simply put, those products are using software that runs on the host PC to verify the correctness of a user’s password, and then sending a signal to the device to unlock itself. This is an inherent design flaw, and is not secure. SySS was able to write a simple unlocker tool that patches the software to always send the unlock code to the devices. They can unlock any of those devices instantaneously without knowing the user’s password.

The security flaws in the design of those products that permit this hack are:
- Relying on software on the host PC to validate the correctness of a user’s password. Such software can easily be tampered with.
- Using a static unlock code. This is essentially like having the same backdoor password on all devices. It not only allows attackers to unlock any of these devices, but it allows the vendors to unlock any of these devices as well.
- Not preventing against password replay attacks. Once the unlock code is known, it can be used over and over again.


3. Is IronKey vulnerable to this hack?

No. IronKey security analysts have analyzed the vulnerabilities that have been reported in the SanDisk, Kingston and Verbatim products. IronKey products do not suffer from this vulnerability. The data of IronKey customers is secure. 


4. How is IronKey different?

IronKey devices are designed to be the most secure portable storage devices in the world. Years of security design and threat modeling have been applied to the design and development of IronKey devices. 
* IronKey devices verify the correctness of a user’s password in hardware on the device. The security of IronKey devices does not depend on software on the host PC, which as this attack illustrates, can easily be tampered with.
* IronKey devices do not have unlock codes or backdoors. 
* IronKey prevents password replay attacks by using nonces, and establishing an encrypted communication path between the device and the host PC.
* Every IronKey device has unique random AES encryption keys that are generated on the device when a user initializes it. These encryption keys cannot be exported from the device. Furthermore, these keys are themselves encrypted with a SHA-256 hash of the user’s password, which lends another layer of cryptographic security to the protection of encryption keys.
* IronKey devices store encryption keys and password brute force counters in a tamper-resistant CryptoChip that has hardware protections against physical attack as well.


5. How could these devices get FIPS 140-2 Level 2 security certified by NIST with such a critical vulnerability?

FIPS 140-2 is a US Government security standard. It does not guarantee that a product is secure, and it is not a substitute for having deep technical expertise in the design and implementation of a security product. Some vendors think that data security means data encryption. The reality is that encryption is a small part of securing portable storage devices. Deep architectural knowledge is required in the areas of password management, authentication, encryption key management, roles and services, design assurance and physical security. 
In this case, the affected vendors created products that effectively used the same password to unlock all devices, and still passed the FIPS 140-2 Level 2 validation. It is vitally important that security vendors apply proper security architecture and review to their designs, and not solely rely on the FIPS review process.


6. Where can I find more information out vulnerability?

* SySS Paper on How to Hack SanDisk hardware encrypted USB flash drives.
http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/syss_knackt_sandisk_usb-stick.pdf

* SySS Paper on How to Hack Kingston hardware encrypted USB flash drives.
http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/syss_knackt_kingston_usb-stick.pdf



7. Did SySS test IronKey?

If SySS has tested an IronKey, they have not shared the results with us. IronKey products have been extensively tested by third party security labs, as well as numerous government security labs and agencies.


Resources:

SanDisk Security Bulletin December 2009. Cruzer Enterprise FIPS Edition with McAfee USB Flash Drive. “Vulnerability in the access control mechanism”
http://www.sandisk.com/business-solutions/enterprise/technical-support/security-bulletin-december-2009

SanDisk Security Bulletin March 2009. Cruzer Enterprise FIPS Edition. “Prevent unauthorized user to compromise the integrity of the read-only CD-ROM partition in these devices.”
http://www.sandisk.com/business-solutions/enterprise/technical-support/sandisk-security-bulletin

Verbatim Important Security Update December 2009.
http://www.verbatim.com/security/security-update.cfm

“Kingston Admits Some USB Sticks Can Be Hacked”. PC Advisor, January 4, 2010
http://www.pcadvisor.co.uk/news/index.cfm?rss&newsid=3209433

“Kingston Admits ‘Secure’ USB Drives Are Vulnerable”, PCWorld, January 5, 2010
http://www.pcworld.com/article/185872/kingston_admits_secure_usb_drives_are_vulnerable.html

“Kingston Issues Recall for Certain Thumb Drives”, Ubergizmo, Dec 31, 2009
http://www.ubergizmo.com/15/archives/2009/12/kingston_issues_recall_for_certain_thumb_drives.html

“Secure USB Flaw Exposed”, Dark Reading, January 4, 2010
http://www.darkreading.com/insiderthreat/security/encryption/showarticle.jhtml?articleid=222200174



APPENDIX

The FIPS 140-2 standard has four different levels of security. The FIPS-validated devices that were hacked were validated to Level 2 of the standard. Upon inspection of the FIPS security policy of these products, we see that only the device controller and attached eeprom are covered by the FIPS validation. The flash memory where data is stored, and the rest of the device, are not covered by the FIPS validation.

With respect to this specific critical vulnerability, FIPS 140-2 Level 2 validation does not require a vendor to authenticate the user of a device. 

IronKey S200 and D200 products are validated to FIPS 140-2 Level 3, a higher standard of FIPS 140-2 than the products affected by this hack. Level 3 has much higher requirements for encryption key management, authentication and physical security.