If you’re like me, you’ve taken to carrying important data on USB sticks or flash drives. They’re handy, you can use them on any PC, and with built-in encryption, losing one was no big deal. Bad news: it’s now a big deal.
The German security company SySS GmbH discovered that many, but not all, of today’s encrypted USB sticks and flash drives are actually vulnerable to a relatively easy attack. It is not that the encryption itself, usually AES (Advanced Encryption Standard), has been broken. It hasn’t been. Despite what you may have read from some fear-mongers, AES remains unbroken.
What has happened, though, is that it appears many vendors didn’t think through how they let people use the encryption in the first place. When you use a new encrypted USB drive for the first time, the drive already has a default device password. When the device’s software asks you to enter a password, it places its device password on your computer to authorize your drive and your password. Once that device password is on the computer, SySS discovered, you can watch the password authorization process.
That was bad enough. With it, a patient cracker could tease out what the device password was. What was worse was that SySS discovered the vendors were using the same device password on all their drives. Whoops!
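To make the design flaw concrete, here is an added example (not code from the original post, from SySS, or from any drive vendor) that models the two approaches the article contrasts: host software that checks the user's password locally and then sends one factory-wide "device password" to the drive, versus a drive that verifies a password-derived key on board. The class names, the sample token bytes and the PBKDF2 parameters are assumptions made for illustration, not any vendor's real protocol.

```python
# Added example, not part of the original post. Models the flawed unlock flow
# the article describes (host checks password, then sends a token that is the
# same on every unit) beside a hardened one (drive verifies a key derived from
# the password and a per-unit salt). All names and values are assumptions.
import hashlib
import hmac
import os

# Constructed sample value standing in for the vendor-wide device password.
FACTORY_DEVICE_PASSWORD = b"constructed-fixed-unlock-token"


class FlawedDrive:
    """Drive that unlocks on receipt of the factory-wide token alone."""

    def __init__(self):
        self.unlocked = False

    def unlock(self, token: bytes) -> bool:
        self.unlocked = hmac.compare_digest(token, FACTORY_DEVICE_PASSWORD)
        return self.unlocked


class FlawedHostSoftware:
    """Host program: the user's password is checked here and never reaches the drive."""

    def __init__(self, user_password: str):
        self._pw_hash = hashlib.sha256(user_password.encode()).digest()
        self.last_sent = None  # what software running on the host could observe

    def authorize(self, drive: FlawedDrive, entered: str) -> bool:
        if hashlib.sha256(entered.encode()).digest() != self._pw_hash:
            return False
        self.last_sent = FACTORY_DEVICE_PASSWORD  # same bytes whatever the password
        return drive.unlock(self.last_sent)


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Password-derived key; the only thing the hardened host sends to the drive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class HardenedDrive:
    """Drive that verifies a password-derived key on board; no shared secret."""

    ITERATIONS = 100_000  # assumed KDF cost for the illustration

    def __init__(self, user_password: str):
        self.salt = os.urandom(16)  # unique per unit, readable by the host
        self._verifier = derive_key(user_password, self.salt, self.ITERATIONS)
        self.unlocked = False

    def unlock(self, key: bytes) -> bool:
        self.unlocked = hmac.compare_digest(key, self._verifier)
        return self.unlocked


class HardenedHostSoftware:
    """Host program: sends only a key derived from what the user typed."""

    def __init__(self):
        self.last_sent = None

    def authorize(self, drive: HardenedDrive, entered: str) -> bool:
        self.last_sent = derive_key(entered, drive.salt, drive.ITERATIONS)
        return drive.unlock(self.last_sent)


def flawed_tokens_for(passwords):
    """Bytes each unit sends to its drive; identical for every password."""
    tokens = []
    for pw in passwords:
        host, drive = FlawedHostSoftware(pw), FlawedDrive()
        host.authorize(drive, pw)
        tokens.append(host.last_sent)
    return tokens


def hardened_checks():
    """Design-review checks: the key must depend on the password and the unit."""
    unit_a, unit_b = HardenedDrive("correct horse"), HardenedDrive("other unit pw")
    host = HardenedHostSoftware()
    correct = host.authorize(unit_a, "correct horse")
    key_for_a = host.last_sent
    wrong = host.authorize(unit_a, "wrong guess")
    replay = unit_b.unlock(key_for_a)  # key seen on unit A offered to unit B
    return {"correct_password_unlocks": correct,
            "wrong_password_unlocks": wrong,
            "token_reused_on_other_unit_unlocks": replay}


if __name__ == "__main__":
    same = len(set(flawed_tokens_for(["alpha", "bravo"]))) == 1
    print("flawed design sends identical bytes for different passwords:", same)
    print("hardened design:", hardened_checks())
```

The review check this encodes is the one the article's finding implies: whatever the host sends to the drive must be a function of the user's password and of that particular unit, and the drive, not the host, must be the party that verifies it. A fixed token that the drive accepts on its own fails both tests, which is why the same secret shipping on every unit turned a local observation into a fleet-wide problem.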