As a result, hardware-encrypted USB sticks have seemed like a good idea, even if they are hideously expensive (the SanDisk Cruzer Enterprise 8GB retails for nearly £300 at the time of writing; 10 times more than a non-encrypted version). Trouble is, it turns out they’re utter rubbish. When it comes down to it, all Verbatim, SanDisk, and Kingston hardware-encrypted USB sticks use the same encryption system. That system uses AES-256. Unfortunately, every single stick uses the same encryption key, regardless of the password the user sets, as reported on ZDNet:Hmmm ... also troubling ...
“The crack relies on a weakness so astoundingly bone-headed that it’s almost hard to believe. While the data on the drive is indeed encrypted using 256-bit crypto, there’s a huge failure in the authentication program. When the correct password is supplied by the user, the authentication program always send the same character string to the drive to decrypt the data no matter what the password used.”Good work, morons. Nice to see you’re taking this security lark seriously.
2010-01-10
