'Secure' flash drives need to take it to the next level

Secure encryption doesn't protect against physical tampering, until they get to Level 3

About a year ago, GCN reported that many thumb drives certified under the Federal Information Processing Standards weren’t as secure as their certifications would lead you to believe. You can find what we had to say on the subject both here and here

The upshot: The 256-bit encryption of these devices has always been secure, but their vulnerability lies in the authentication software that runs outside the device on the connecting computer.

This has always been the Achilles’ heel and Catch-22 of this type of device. You can’t have the authentication inside the encrypted area because that is allowing access before log-in. And you can’t have the authentication outside, either, since that makes it vulnerable to hacking.

New lines of FIPS 140-2 Level 2-certified thumb drives are coming out, and there is little word as to whether they have solved this little dilemma. However, it doesn’t look good, since they don’t seem to be bragging that they have solved it, and you know that if they could claim this as a feature they would go on and on about it. The fact that they are Level 2 and not Level 3 also is telling.
A huge problem with key drives is how easy they are to physically tamper with. Now, your average high school kid probably can’t do this, but a spy who goes to the trouble of stealing your key drive probably has the ability to crack it.

A device with Level 2 compliance means you are protected only in terms of the data encryption, authentication and evidence of tampering. Those Level 2 drives don’t have anything to stop hackers from physically fiddling with them.

So even if they have that authentication software problem ironed out, someone could directly access the encryption key through the circuitry and get at the data that way. However, a Level 3-compliant device goes further with steps such as seating the data chip in a special resin that tears it apart should anyone try to get inside.

Most of the new key drives we have seen in the lab are merely Level 2-compliant. These are generally cheaper to make, even if their security features are kind of a paper tiger. A Level 3-certified device would cost about twice as much to make and likewise cost the consumer about two-and-a-half times as much to buy. IronKey says it has the first Level 3-certified drive. That high end of the market is definitely less populated, though it’s where most of the government lives.

If manufacturers are ever going to get the government to fully trust thumb-sized flash drives again, they are going to have to deal with that issue. And in the short term, that means making more FIPS 140-2 Level 3 certified devices, and probably making the pricing as attractive as possible.

As soon as manufacturers see that this is the way to go, thumb drives will once again start to be welcome in the government workplace. Until then, it’s just more window dressing to cover up a bad foundation.

About the Author

Greg Crowe is a former GCN staff writer who covered mobile technology.

inside gcn

  • AI regulation

    Congress takes first steps toward regulating artificial intelligence

Reader Comments

Sat, Apr 23, 2011 Ron LaPedis San Jose

Thank you for this article Greg. I absolutely agree with you on the importance of FIPS 140-2 Level 3 to prevents data disclosure through tampering. All SPYRUS USB encrypting flash drives are Level 3 validated and available directly from us or from Amazon in the USA. In the grand scheme of things, our Hydra Privacy Card devices are actually LESS expensive than many Level 2 devices since the encrypted data can be stored on removable microSD memory cards. This design means that you pay for the FIPS 140-2 Level 3 protection ONCE, no matter how much data you have to store. Run out of space, pop in a new card. But that's not all! Once a file is encrypted by the Hydra Privacy Card, you can store it anywhere, not just on the device, since the data can only be decrypted when the device is plugged in an unlocked. Encrypt an entire hard drive if you want to, with FIPS 140-2 Level 3 protection.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group