In the past year, many vendors have rushed onto the bandwagon to produce secure USB flash drives, which promise to protect the data stored on them with robust encryption. Ostensibly, the only way to access the encrypted data would be to supply a password to the flash drive, with the authentication performed through a software applet launched when the flash drive is plugged in.
I would like to urge caution when shopping for a secure flash drive for your SMB, though. You see, many of them might not be truly secure.
In fact, flaws were discovered by German penetration testing firm SySS on some USB drives made by SanDisk. This triggered a recall of products such as the SanDisk Cruzer Enterprise USB flash drive, models CZ22 and CZ32, among others from the same company. Certain products from Kingston Technologies, which security experts say uses SanDisk software in its products, were also affected and recalled. You can read more about the details of the recall here.
While SanDisk emphasized then that the vulnerability discovered in the access-control mechanism was limited to the application that runs on the host system, and not related to the hardware or firmware, specialist secure flash drive maker IronKey was less kind in its appraisal.
The rival company wrote about the recall and outlined the problem:
The vulnerability is an architectural flaw in the design of those affected products. Simply put, those products are using software that runs on the host PC to verify the correctness of a user's password, and then sending a signal to the device to unlock itself. This is an inherent design flaw, and is not secure. SySS was able to write a simple unlocker tool that patches the software to always send the unlock code to the devices.
In a nutshell, IronKey is saying that the recalled secure flash drives were hacked because they do not implement complete hardware-based authentication. In contrast, the IronKey works by sending the user-supplied password directly to the IronKey device, where an on-board security controller will check whether it is correct. Supplying the wrong password 10 times in a row will result in the deletion of the decryption key from the controller, effectively rendering the stored data permanently inaccessible.
Recently, another company decided to take the concept of hardware authentication a step further. The LOK-IT is as far as I know the first and only model that uses physical keys on the flash drive. And since there is no software involved, the LOK-IT is effectively platform-independent. In addition, the LOK-IT is bootable since no software needs to be executed to unlock it. If you are interested, I just explored the features of the LOK-IT.
Due to marketing language and lack of real details from most secure flash drive makers, it might not be clear which vendors are making models that are truly secure. What is apparent though is that the hacked devices earlier this year were only validated to FIPS 140-2 Level 2, which specifies standards only for the device controller and attached EEPROM (electrically erasable programmable read-only memory).
On the other hand, the stricter FIPS 140-2 Level 3 validation covers areas such as authentication, physical security and key management to much higher requirements. On this front, the IronKey S200 and D200 products are validated to FIPS 140-2 Level 3, while the LOK-IT is undergoing certification for it.
Ultimately, be sure to examine the exact FIPS 140-2 certification carefully, and if in doubt, ask more probing questions. In the meantime, do you know of any good secure flash drives to recommend? What special security or management features do they come with?