New key drives are more secure, but still hackable until they get to Level 3.
About a year ago, GCN reported that many thumb drives certified under the Federal Information Processing Standards weren’t as secure as their certifications would lead you to believe. You can find what we had to say on the subject both here and here.
The upshot: The 256-bit encryption of these devices has always been secure, but their vulnerability lies in the authentication software that runs outside the device on the connecting computer.
This has always been the Achilles’ heel and Catch-22 of this type of device. You can’t have the authentication inside the encrypted area because that is allowing access before log-in. And you can’t have the authentication outside, either, since that makes it vulnerable to hacking.
New lines of FIPS 140-2 Level 2-certified thumb drives are coming out, and there is little word as to whether they have solved this little dilemma. However, it doesn’t look good, since they don’t seem to be bragging that they have solved it, and you know that if they could claim this as a feature they would go on and on about it. The fact that they are Level 2 and not Level 3 also is telling.
A huge problem with key drives is how easy they are to physically tamper with. Now, your average high school kid probably can’t do this, but a spy who goes to the trouble of stealing your key drive probably has the ability to crack it.
A device with Level 2 compliance means you are protected only in terms of the data encryption, authentication and evidence of tampering. Those Level 2 drives don’t have anything to stop hackers from physically fiddling with them.
So even if they have that authentication software problem ironed out, someone could directly access the encryption key through the circuitry and get at the data that way. However, a Level 3-compliant device goes further with steps such as seating the data chip in a special resin that tears it apart should anyone try to get inside.
Most of the new key drives we have seen in the lab are merely Level 2-compliant. These are generally cheaper to make, even if their security features are kind of a paper tiger. A Level 3-certified device would cost about twice as much to make and likewise cost the consumer about two-and-a-half times as much to buy. IronKey says it has the first Level 3-certified drive. That high end of the market is definitely less populated, though it’s where most of the government lives.
If manufacturers are ever going to get the government to fully trust thumb-sized flash drives again, they are going to have to deal with that issue. And in the short term, that means making more FIPS 140-2 Level 3 certified devices, and probably making the pricing as attractive as possible.
As soon as manufacturers see that this is the way to go, thumb drives will once again start to be welcome in the government workplace. Until then, it’s just more window dressing to cover up a bad foundation.