Wednesday, January 6, 2010

Security Problems on Flash Drives

Kingston, known as one of the giants in portable memory, has recently confirmed a security problem with some of their DataTraveler series. The problem centers on the fact that even if encryption is used, it is possible to gain access to the data on the device.

In a statement, a company spokesperson said that someone with physical access to the flash drive could access the encrypted data, given the will to do so and the skill needed. The spokesperson went on to mention that the encryption used is sound, only that “there is a small loophole regarding the processing of the password.”

While the data on the drive is indeed encrypted with 256-bit AES, there is a huge failure in the authentication program that runs on the host. The password is checked by that program, not by the drive: once the user has supplied the correct password, the program always sends the same fixed character string to the drive to unlock the data, no matter what the password was. Worse, this character string is the same not only for Kingston USB flash drives but for those of SanDisk and Verbatim as well.

Cracking the drives is therefore quite an easy process. The folks at the security firm SySS wrote an application that always sent the appropriate string to the drive, irrespective of the password entered, and therefore gained immediate access to all the data on the drive.
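To make the failure described in the two paragraphs above concrete, here is an added example (not code from Kingston, SanDisk, Verbatim or SySS) that models both designs side by side. The flawed model checks the password on the host and then hands the drive one constant unlock token, so a tool that sends the token directly never needs the password. The hardened model derives a key from the password and uses it to unwrap the data key inside the drive, so there is no fixed string to replay. The token value, the class names and the HMAC-based stand-in for AES-256 are all hypothetical.

```python
"""Model of a password-to-unlock protocol for an encrypted USB drive.

Added example, not vendor or SySS code. FIXED_UNLOCK_TOKEN, the class names
and the keystream cipher are hypothetical stand-ins; real drives use AES-256
in hardware, but the protocol flaw does not depend on the cipher.
"""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for AES-CTR: an HMAC-SHA256 keystream XORed onto data.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


# ---- Flawed design: the host checks the password, the drive only ever sees
# ---- one constant unlock token (hypothetical value).
FIXED_UNLOCK_TOKEN = b"hypothetical-constant-unlock-token"


class FlawedDrive:
    def __init__(self, plaintext: bytes):
        self._dek = os.urandom(32)  # data encryption key never leaves the drive
        self.ciphertext = keystream_xor(self._dek, plaintext)

    def unlock(self, token: bytes):
        # The drive cannot tell a genuine host session from a replayed token.
        if hmac.compare_digest(token, FIXED_UNLOCK_TOKEN):
            return keystream_xor(self._dek, self.ciphertext)
        return None


class FlawedHostSoftware:
    """Vendor-style unlock tool: verifies the password locally, then sends the constant."""

    def __init__(self, drive: FlawedDrive, password: bytes):
        self.drive = drive
        self._pw_hash = hashlib.sha256(password).digest()

    def unlock(self, password: bytes):
        if not hmac.compare_digest(hashlib.sha256(password).digest(), self._pw_hash):
            return None  # wrong password: the tool refuses, but only the tool
        return self.drive.unlock(FIXED_UNLOCK_TOKEN)  # right password: same bytes every time


def bypass_flawed(drive: FlawedDrive):
    """What the SySS tool amounts to: skip the password check, send the constant."""
    return drive.unlock(FIXED_UNLOCK_TOKEN)


# ---- Hardened design: the password is needed to unwrap the data key, so no
# ---- string the host could send without it will decrypt anything.
def derive_kek(password: bytes, salt: bytes) -> bytes:
    """Key-encryption key from the password (PBKDF2; iteration count illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, dklen=32)


class HardenedDrive:
    def __init__(self, password: bytes, plaintext: bytes):
        self.salt = os.urandom(16)
        dek = os.urandom(32)
        kek = derive_kek(password, self.salt)
        self._wrapped_dek = keystream_xor(kek, dek)  # DEK stored only wrapped under the KEK
        self._dek_tag = hmac.new(kek, dek, hashlib.sha256).digest()  # detects a wrong KEK
        self.ciphertext = keystream_xor(dek, plaintext)
        self.failed_attempts = 0  # a retry counter belongs in the device, not the host

    def unlock(self, kek: bytes):
        dek = keystream_xor(kek, self._wrapped_dek)
        if not hmac.compare_digest(hmac.new(kek, dek, hashlib.sha256).digest(), self._dek_tag):
            self.failed_attempts += 1
            return None
        return keystream_xor(dek, self.ciphertext)


class HardenedHostSoftware:
    def __init__(self, drive: HardenedDrive):
        self.drive = drive

    def unlock(self, password: bytes):
        return self.drive.unlock(derive_kek(password, self.drive.salt))


if __name__ == "__main__":
    secret = b"patient record 0001: constructed sample data"
    flawed = FlawedDrive(secret)
    tool = FlawedHostSoftware(flawed, b"correct horse")
    assert tool.unlock(b"wrong") is None
    assert tool.unlock(b"correct horse") == secret
    assert bypass_flawed(flawed) == secret  # the password was never needed
    hardened = HardenedDrive(b"correct horse", secret)
    assert HardenedHostSoftware(hardened).unlock(b"wrong") is None
    assert HardenedHostSoftware(hardened).unlock(b"correct horse") == secret
    print("flawed design bypassed; hardened design holds")
```

The point of the hardened half is not the particular key-derivation function but where the check happens: the drive verifies a key that only the password can produce, and it counts failures itself, so patching or replacing the host software gains an attacker nothing.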

These drives are sold as meeting security standards that make them suitable for sensitive (unclassified) US Government data, and they carry a FIPS 140-2 Level 2 certificate issued through the US National Institute of Standards and Technology (NIST). Meanwhile, companies such as CapMed (Newtown, Pa.), to name one, are putting personal health records on USB drives.

If you're using one of these USB sticks from Kingston, SanDisk or Verbatim, you may want to get in touch with the vendor.