LOS ALTOS, Calif., Jan. 7 /PRNewswire/ -- In response to the reports that certain hardware-encrypted USB flash drives have been hacked on Monday, Jan. 4, IronKey, maker of the world's most secure flash drive, today announced that its devices are not vulnerable to the serious architectural flaw that has compromised many 'secure' USB storage devices. IronKey customers remain safe.
Reports detailing the vulnerabilities, and how to hack these devices, have been published by German security firm SySS. The vulnerability is a major flaw in the design of the affected products. In short, the products use software that runs on the host PC to verify the correctness of a user's password. This is an inherent design error, and is not secure. It is equivalent to a single shared backdoor password for all of these devices. Security analysts were able to write a simple unlocker tool that patches the software and unlocks any of those devices instantaneously without the user's password.
"This security flaw means that data on the affected products is at risk of disclosure," said Dr. Dan Boneh, a leading authority in the fields of cryptography and computer science, and professor of computer science at Stanford University in applied cryptography and computer security. "FIPS 140-2 security validation is a useful tool in assessing the security of encryption products. However, it is not a guarantee that a product is secure. Implementing an encryption algorithm is only a part of a security implementation. Vendors building encryption products need to be skilled at security architecture, design, penetration testing and vulnerability analysis."
Designed to be the most secure portable storage devices in the world, IronKey devices verify the correctness of a user's password in hardware on the device. The security of IronKey devices does not depend on software on the host PC, which, as this attack illustrates, can easily be tampered with. Additionally, IronKey devices do not have unlock codes or backdoors. Every IronKey device has unique random AES encryption keys that are generated on the device when a user initializes it.
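A toy model of the two designs contrasted above, added here as an illustration; it is not IronKey's or any other vendor's code. The class names, the `UNLOCK_SIGNAL` constant and the PBKDF2-based check are assumptions of the model, not details of any real device.

```python
import hashlib, hmac, os

# Constructed constant: stands in for the fixed "password OK" message that a
# host-verified design sends to the drive. Not taken from any real product.
UNLOCK_SIGNAL = b"HOST-SAYS-PASSWORD-OK"

class HostVerifiedDrive:
    """Flawed design: host software checks the password, the drive trusts the host."""
    def __init__(self, password: bytes):
        self.pw_hash = hashlib.sha256(password).digest()  # readable by host software
        self.unlocked = False

    def receive(self, message: bytes) -> bool:
        # The drive cannot tell an honest host program from a tampered one.
        self.unlocked = hmac.compare_digest(message, UNLOCK_SIGNAL)
        return self.unlocked

def host_software(drive: HostVerifiedDrive, password: bytes, patched: bool = False) -> bool:
    # 'patched' models host software whose password comparison has been tampered with.
    ok = patched or hmac.compare_digest(hashlib.sha256(password).digest(), drive.pw_hash)
    return drive.receive(UNLOCK_SIGNAL if ok else b"")

class DeviceVerifiedDrive:
    """Device-side design: the check and the keys never leave the device."""
    def __init__(self, password: bytes):
        self._salt = os.urandom(16)              # unique per device
        self._verifier = self._derive(password)
        self._data_key = os.urandom(32)          # random key generated on the device

    def _derive(self, password: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, self._salt, 100_000)

    def receive(self, password: bytes):
        # The host only forwards the password; no constant message can unlock.
        if hmac.compare_digest(self._derive(password), self._verifier):
            return self._data_key
        return None

if __name__ == "__main__":
    flawed = HostVerifiedDrive(b"correct horse")
    print("honest host, wrong password:", host_software(flawed, b"guess"))
    print("tampered host, wrong password:", host_software(flawed, b"guess", patched=True))
    hardened = DeviceVerifiedDrive(b"correct horse")
    print("device check, wrong password:", hardened.receive(b"guess") is not None)
    print("device check, replayed signal:", hardened.receive(UNLOCK_SIGNAL) is not None)
```

In the first model the same message opens every drive regardless of its password, which is why the release calls the flaw equivalent to a single shared backdoor password.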
"The products that were hacked were made by storage companies that primarily manufacture consumer memory products for cameras and MP3 players," David Jevans, CEO at IronKey said. "IronKey is first and foremost a security company. This incident illustrates that securing portable storage devices requires deep architectural understanding, threat modeling, security review and attention to detail in implementation."
Many years of security architecture and threat modeling have been applied to the design and development of IronKey devices. IronKey S200 and D200 products are validated to FIPS 140-2, Level 3, a far higher standard than the FIPS 140-2, Level 2 validation of the products affected by this hack. Level 3 has much higher requirements for encryption key management, authentication, design assurance and physical security.
IronKey will host a webinar on this topic on Wednesday, January 13, 2010 at 10:00am PST.
Register to attend at: https://ironkeyevent.webex.com/ironkeyevent/onstage/g.php?d=665879884&
Social Media Destinations:
- IronKey CEO Blog: http://blog.ironkey.com/
- FAQ on Flash Drive Flaw: https://www.ironkey.com/usb-flash-drive-flaw-exposed
- IronKey Forum: https://forum.ironkey.com/
- LinkedIn: http://www.linkedin.com/companies/ironkey-inc
- About FIPS 140-2 validation: https://www.ironkey.com/FIPS140
- IronKey FIPS Certificate: http://cs-www.ncsl.nist.gov/groups/STM/cmvp/documents/140-1/140crt/140crt1149.pdf
- IronKey Security Policy: http://cs-www.ncsl.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1149.pdf
IronKey's award-winning products and services combine the world's most secure flash drive with the world's most powerful USB management software. IronKey's USB flash drives bring the power of authentication, encryption, identity management and privacy to government, businesses and consumers in 23 countries. IronKey's management software and associated services allow enterprises of all sizes, government agencies, the military, and other organizations to take back control of the mobile data that has been leaking out of their organizations due to the uncontrolled proliferation of USB drives. IronKey products are FIPS 140-2, Level 3 validated. With IronKey, organizations centrally administer, remotely manage, and enforce policies on thousands of devices located anywhere in the world. Thousands of customers use IronKey, including Fortune 500 companies, enterprise organizations in financial services, healthcare and legal markets, as well as government agencies, including FEMA, NATO and DHS. For more information, please visit www.IronKey.com.