Once the unlock code is known, it can be used over and over again. Not preventing against password replay attacks. It not only allows attackers to unlock any of these devices, but it allows the vendors to unlock any of these devices as well. This is essentially like having the same backdoor password on all devices.
#Usb security flaw software
Such software can easily be tampered with. Relying on software on the host PC to validate the correctness of a user’s password. The security flaws in the design of those products that permit this hack are: They can unlock any of those devices instantaneously without knowing the user’s password. SySS was able to write a simple unlocker tool that patches the software to always send the unlock code to the devices. This is an inherent design flaw, and is not secure.
Simply put, those products are using software that runs on the host PC to verify the correctness of a user’s password, and then sending a signal to the device to unlock itself. The vulnerability is an architectural flaw in the design of those affected products. * Verbatim Corporate Secure USB Flash Drive 1GB, 2GB, 4GB, 8GB * Verbatim Corporate Secure FIPS Edition USB Flash Drives 1GB, 2GB, 4GB, 8GB * Kingston DataTraveler Elite – Privacy Edition (DTEP) * Kingston DataTraveler Secure – Privacy Edition (DTSP)
* SanDisk Cruzer® Enterprise USB flash drive, CZ22 - 1GB, 2GB, 4GB, 8GB * SanDisk Cruzer® Enterprise with McAfee USB flash drive, CZ38 - 1GB, 2GB, 4GB, 8GB * SanDisk Cruzer® Enterprise FIPS Edition with McAfee USB flash drive, CZ46 - 1GB, SanDisk Cruzer® Enterprise FIPS Edition USB flash drive, CZ32 - 1GB, 2GB, 4GB, 8GB
#Usb security flaw how to
Reports on the details of the vulnerabilities, and how to hack these devices, have been published by German security firm SySS. FIPS 140-2 security validation is required for Government agencies to use encryption products. Of particular concern is that some of these devices have received FIPS 140-2 Level 2 security validation from the US Government organization NIST. The vendors affected are SanDisk, Kingston and Verbatim. On January 4, 2010, it was widely reported that certain hardware-encrypted USB flash drives have been hacked. What is the news relating to a hack of NIST-certified USB Flash drives with hardware encryption? USB Vulnerabilities Exploited – IronKey Customers Protected!ġ. IronKey Response to USB Vulnerability Report
0 kommentar(er)
