[Image: Kingston Data Traveler 101R, by Unwinged via Flickr]
Are you kidding me? The statement below is THE most important in the entire article. Thanks to Juergen Schmidt for this article.

how could USB Flash drives that exhibit such a serious security hole be given one of the highest certificates for crypto devices? Even more importantly, perhaps – what is the value of a certification that fails to detect such holes?

via NIST-certified USB Flash drives with hardware encryption cracked – The H Security: News and Features.

So we can’t seem to trust the FIPS 140-2 Level 2 certification any longer. Who does this testing? Who is responsible for this? Someone needs to figure it out ricky-tick.

This type of vulnerability is going to make using USB devices simply unacceptable for everyone.

Comment from Eric:
    Before condemning all secure flash drives, I think you need a better understanding of what FIPS is actually testing.

    FIPS 140 certification only tests the crypto algorithm, not key management. Key management and key handling are outside the bounds of FIPS 140.

    The encryption on these drives wasn't actually cracked, it was the key management. Essentially, they found a "back door" because the key management on these drives isn't handled on the hardware encrypted portion of the drives themselves. It is handled on the front end via software, and that is where the mistake was.

    Also, there are several manufacturers that weren't affected by this. Kanguru Solutions and IronKey both have drives where the key management is done on the drive and thus more secure. Both are FIPS certified and, to my knowledge, very secure.

    If you still take issue with FIPS, there are other certifications that encompass more security aspects, such as Common Criteria.
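The distinction Eric draws, key management in host software versus key management on the drive, is the whole security argument here, so the toy model below is added to make it concrete. It is written for this post and is not code from the post, the commenter, the H article, or any vendor's firmware; the "drive" is an in-memory object, the host-to-device channel is a bytes message, the `UNLOCK` constant and the `PASSWORD:` prefix are constructed placeholders, and the key-wrap scheme is simplified. The audit function at the end checks the property a reviewer would want: the message that unlocks one drive must not unlock a different drive set up with a different password.

```python
"""Toy model (constructed for this post, not any vendor's firmware) contrasting
two unlock architectures for a hardware-encrypted USB drive:
  - DeviceSideKeyManagement: the password reaches the drive, which unwraps the
    data-encryption key (DEK) itself.
  - HostSideKeyManagement: host software checks the password and then sends the
    drive a constant 'unlock' message; the drive never sees the password.
"""
import hashlib
import hmac
import os
import secrets


def derive_keys(password: bytes, salt: bytes) -> tuple:
    """Stretch the password into a wrap key and a MAC key (PBKDF2; low iteration count for a toy)."""
    material = hashlib.pbkdf2_hmac("sha256", password, salt, 10_000, dklen=64)
    return material[:32], material[32:]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DeviceSideKeyManagement:
    """Hardened design: the drive stores a salt, the DEK wrapped under a
    password-derived key, and an authentication tag. No password, no DEK."""

    def __init__(self, password: bytes):
        self._salt = os.urandom(16)
        dek = secrets.token_bytes(32)
        wrap_key, mac_key = derive_keys(password, self._salt)
        self._wrapped_dek = xor_bytes(dek, wrap_key)  # toy wrap; real firmware would use AES key wrap
        self._tag = hmac.new(mac_key, self._wrapped_dek, "sha256").digest()
        self._session_key = None

    def host_unlock(self, password: bytes):
        """Host side: forward the password to the drive. Returns (unlocked, message_sent)."""
        message = b"PASSWORD:" + password  # 'PASSWORD:' prefix is a constructed placeholder
        return self.device_receive(message), message

    def device_receive(self, message: bytes) -> bool:
        """Drive side: re-derive keys from the supplied password and verify the tag."""
        if not message.startswith(b"PASSWORD:"):
            return False
        wrap_key, mac_key = derive_keys(message[len(b"PASSWORD:"):], self._salt)
        tag = hmac.new(mac_key, self._wrapped_dek, "sha256").digest()
        if not hmac.compare_digest(tag, self._tag):
            return False  # wrong password: the DEK stays wrapped
        self._session_key = xor_bytes(self._wrapped_dek, wrap_key)
        return True

    def is_unlocked(self) -> bool:
        return self._session_key is not None


class HostSideKeyManagement:
    """Weak design: host software verifies the password and, on success, sends
    the drive a fixed message. The drive trusts that message unconditionally."""

    UNLOCK_MESSAGE = b"UNLOCK"  # constructed stand-in for any constant host-to-device string

    def __init__(self, password: bytes):
        self._salt = os.urandom(16)
        self._verifier = derive_keys(password, self._salt)[1]  # checked by host software, not the drive
        self._dek = secrets.token_bytes(32)
        self._session_key = None

    def host_unlock(self, password: bytes):
        """Host side: check the password locally, then tell the drive to open."""
        if not hmac.compare_digest(derive_keys(password, self._salt)[1], self._verifier):
            return False, b""  # host software refuses; nothing is sent
        return self.device_receive(self.UNLOCK_MESSAGE), self.UNLOCK_MESSAGE

    def device_receive(self, message: bytes) -> bool:
        """Drive side: the only thing it can check is whether the message is the constant."""
        if message == self.UNLOCK_MESSAGE:
            self._session_key = self._dek
            return True
        return False

    def is_unlocked(self) -> bool:
        return self._session_key is not None


def unlock_depends_on_user_secret(design) -> bool:
    """Audit property: the message that unlocks drive A must not unlock drive B,
    which was initialised with a different password. True means the drive's own
    interface is bound to the user's secret; False means the drive merely trusts
    whatever the host software asserts, which is the flaw the article describes."""
    drive_a = design(b"correct horse")
    drive_b = design(b"battery staple")
    ok, message = drive_a.host_unlock(b"correct horse")
    assert ok  # the legitimate path works in both designs
    return not drive_b.device_receive(message)
```

Run `unlock_depends_on_user_secret` against both classes: the device-side design passes because the message carries the user's secret and the drive checks it against its own salt and tag, while the host-side design fails because the drive accepts the same constant regardless of which password the user set. FIPS 140 validation of the AES core on the drive says nothing about which of these two shapes the product has, which is the point of the comment above.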

© 2008-2010 dc0de's notes... & dc0de.com All Rights Reserved -- Copyright notice by Blog Copyright