[Fwd] NIST-certified USB Flash drives with hardware encryption cracked

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Jan 6 20:12:29 PST 2010


Encrypting USB Flash memory from Kingston, SanDisk and Verbatim

Kingston, SanDisk and Verbatim all sell quite similar USB Flash drives with
AES 256-bit hardware encryption that supposedly meet the highest security
standards. This is emphasised by the FIPS 140-2 Level 2 certificate issued by
the US National Institute of Standards and Technology (NIST), which validates
the USB drives for use with sensitive government data. Security firm SySS,
however, has found that despite this it is relatively easy to access the
unencrypted data, even without the required password.


The real question, however, remains unanswered - how could USB Flash drives
that exhibit such a serious security hole be given one of the highest
certificates for crypto devices? Even more importantly, perhaps - what is the
value of a certification that fails to detect such holes?

#include <standard debate about the value, or lack thereof, of FIPS 140 certification>

