If mobile workers in your organization protect corporate data by carrying it on secure encrypted USB drives then it you may imagine that the data is safe, but it turns out that some encrypted drives are more secure than others.
In early January, German security firm SySS showed that data stored on supposedly secure AES 256-bit hardware-encrypted USB flash drives made by SanDisk, Kingston and Verbatim could be accessed relatively easily without the need to supply the password. Some of the models affected, including the SanDisk Cruzer Enterprise FIPS Edition and the Verbatim Corporate Secure FIPS Edition, had been given FIPS 140-2 Level 2 security validation, which is required for use by US government agencies.
No flaw was discovered in the AES cipher itself. Rather, the problem lay with the Windows-based password entry application that runs on the host PC . It turns out that—put simply—entering the correct password results in a specific 32-byte string being sent to the drive to unlock it. The problem is that this string, which SySS has identified, is the same for every drive. The company was able to write an In-Memory Patcher software tool that modifies the password verification application at runtime so that it always produces the 32-byte string, regardless of the password supplied. Effectively, the 32-byte string provides a back door into any of these "secure" USB drives which is available to anyone who knows about it.
One secure USB drive that was not affected by the bug was the SafeStick, produced by Sweden-based specialist secure memory stick vendor BlockMaster. BlockMaster, like IronKey—another specialist secure memory stick vendor—performs password verification in hardware on the USB stick itself rather than relying on hackable software running on a PC. And BlockMaster claims that the SafeStick is tamper-proof because the device controller is sealed in epoxy, and strong enough to withstand being driven over by a 2,500 pound Range Rover, hit with a 10 pound sledgehammer, and repeatedly put through a washing machine on a hot cycle. All this makes the SecureStick more expensive than ordinary USB drives, but—as SySS has shown—more secure as well.
SafeStick has been made with large organizations in mind, and management capabilities are provided by Blockmaster's SafeConsole software. In contrast to IronKey's hosted management system which is accessed over the Internet, SafeConsole is a server-based product which runs on Linux or Windows, and which can optionally be linked to Active Directory.
When used without SafeConsole, the user inserts a SafeStick onto a computer, waits a few seconds for a small application window to open, and types in the device password. If correct, the drive is unlocked and the user has access to all the files stored on it. If the password is entered incorrectly, a password hint appears. An onboard counter records incorrect password attempts, and if an incorrect password is supplied a set number of times consecutively, the drive is disabled.
SafeStick Password Entry Application
The SafeConsole management system provides a range of extra features to help administer large numbers of devices and users. After a relatively straightforward enrollment process, which can be used to deploy new drives or to add drives that are already in use, and which registers particular devices to specific users - the system offers:
- Custom password policy: multiple password policies for different user groups can be pushed to drives, specifying password length and complexity, and password duration limits
- Remote Password Reset over the phone or by email, in case a user forgets the password
- Remote Kill, Disable or Mark as Lost: In case of a lost drive, a SafeConsole administrator can kill the device so it can no longer be accessed, disable it without destroying the contents until the password is reset, or keep it locked but set it to display a custom "return to owner" request
- Secure file distribution: one of the more unusual features of SafeConsole which is not found in IronKey's Enterprise software is the ability to push documents, applications, and any other type of file securely to SafeSticks—even when they are being used out in the field.
- Configurable timeout period: another feature that sets the SafeStick apart from the IronKey is that the former can be configured to lock itself automatically if left idle for more than a set number of minutes. Given that one of the most likely loss scenarios is a user inserting the device into a machine, unlocking it, and then walking off leaving it unlocked, this feature is potentially very valuable indeed.
SafeConsole Password Recovery Configuration
Prices range from $59 for 1Gb, $119 for 4Gb, up to $1039 for a 64Gb unit. Faster 4Gb and 8Gb "Supersonic" versions are available for $139 and $219 respectively. The SafeConsole management software comes in three licensing levels—Intro, Enforce, and Enforce & Enable. The Intro version includes custom password policies; the Enforce version also includes remote password reset, status management, and configurable timeout periods; the Enforce & Enable license also includes a certificate carrier, automatic local backup, and secure file distribution. The Intro license is free with orders of over 100 SafeSticks; the Enforce license is $12 per user for 1,000 users; the Enforce & Enable is $16 per user for this volume.
The SafeStick is in the process of being certified to FIPS 140-2 Level 2, but has not as yet received it—unlike the IronKey. However the bug discovered in the SanDisk, Verbatim and Kingston secure drive software shows that this certification means very little in terms of security, even if it is required for use in some organizations. Like the IronKey, no flaw has yet been found in the SafeStick and its management software, making both a solid sound choice for large scale enterprise and public sector deployment. In the UK BlockMaster has won a contract to supply over 100,000 SafeSticks to National Health Service (NHS) hospitals around the country.
Direct comparisons between the SafeStick and the IronKey are difficult because their feature sets differ so widely, but the IronKey appears to have many more fine touches aimed at ensuring security—such as the ability to enter the device password using an onscreen keyboard to defeat keyloggers. But it could be argued that the single fact that the SafeStick locks automatically after a few minutes of idle time gives it the edge over its rival: leave it plugged in to a computer in a hotel business center and the window of opportunity for anyone else to access its contents is restricted to just a couple of minutes.
Ultimately, if you are looking for a secure USB drive solution, both the IronKey and the SafeStick deserve serious consideration.