Independent memory giant Kingston Technology has issued a highly unusual warning that several of its supposedly secure encrypted USB drives can be hacked.
The precise nature of the hack has not been disclosed, but the company named named three drive models, the DataTraveler BlackBox, the DataTraveler Secure - Privacy Edition, and the DataTraveler Elite - Privacy Edition, as being vulnerable to "a skilled person with the proper tools and physical access to the drives."
All of the drives use highly-secure 256-bit AES encryption, so it is likely that the vulnerability in some way allows an attacker access to the encryption key stored inside the drive, which would give free access to the data. Achieving this would be unlikely to be trivial, but exactly how non-trivial is impossible to gauge without the sort of information the company is not going to offer for fear of encouraging attacks.
The company pointed out in mitigation that the warning does not apply to a number of its other secure USB stick products, including the DataTraveler Locker, DataTraveler Locker+, DataTraveler Vault, DataTraveler Vault - Privacy Edition, DataTraveler Elite, and DataTraveler Secure. Two of the models affected, the Secure and Elite, are also no longer on sale though they would still be in use by many organisations.
That this situation has occurred at all is embarrassing enough, but for it to have occurred to the current DataTraveler BlackBox is especially sobering. That particular drive is sold as secure to the US federal FIPS 140-2 Level 2 standard, featuring enforced password complexity, lock-down after a specified number of unsuccessful attempts to foil brute forcing, and is encased in a water-proof titanium case. In the UK a 2GB version of one of these drives sells for a premium price of between £70 ($115) and £90.
The FIPS 140-2 Level 2 should guarantee that the device in question will show evidence of physical tampering if such a thing has been attempted. It is only at Level 3 and 4 that the device has to resist physical tampering, which would block any access to the encryption key stored within the drive.
Rival USB stick specialist Origin Storage jumped on the Kingston hack with some glee. "The days of selecting the cheapest secure USB drive and similar storage technologies are now long gone, as the Kingston situation clearly shows," said managing director Andy Cordial.
Kingston Technology has published a slew of country-specific telephone numbers that customers can contact to have the drives returned.