Welcome

Conclusion

Seemingly, the checking of the password and the unlocking of the stick are two separate processes, both initiated from the PC. From the point of view of the stick, they're both separate processes and unlocking can happen just fine if no valid password is entered. This is a Big Flaw. As an indication to how big: The best sticks handle all the encryption to/from the flash themselves and don't keep a password at all: the fact that the data can't be decrypted without it makes it safe. The mediocre sticks store a password inside the flash-controller and check it against a password sent by the PC before unlocking the flash-memory. This way, the password can't be found by reading out the flash-chip maually. The bad ones do the same but store the password on flash. The Secustick is even worse than that: it stores the password on flash and lets the PC do the validation, while as soon as the stick gets stolen, the PC it is put into is completely non-trustworthy.

This has big implications for the security of the stick: every program can send the unlocking sequence without asking for the password. The PASSWORD.exe program can even be easily modified to accept any password at all. If such a program would be made and turned loose on the Internet, everyone with just a little skill in Googling stuff would be able to access the stick without problems.

My recommendation: If you like the keychain, the box or the nice metal casing of the stick and are prepared to shell out E130,- for it, by all means go ahead and buy it. If you want security, buy a much cheaper, non-security USB-stick and use a program like TrueCrypt. Or even use a plain old USB-stick without encryption: while that isn't a safe thing to do at all, it at least doesn't give you the illusion of safety the SecuStick does.

« Prev 4 

14 comments

MensaWater wrote at 25 Jan 2016, 15.31:

Article written in 2007. Is this really still valid? The suggestion to use TrueCrypt is funny because the link it takes you to is a page that tells you TrueCrypt is no longer considered secure.

John wrote at 5 Feb 2014, 21.44:

Ohmygosh, you use W32Dasm for a debugger! While it still does the job, it's slow, cranky and old as hell. There is (and it was there for YEARS) much more flexible and powerful tool: OllyDbg. Can be obtained at ollydbg.de (main site) and tuts4you.com is a great source for scripts and plugins.

Team CryptX2 wrote at 28 Nov 2012, 10.16:

Haha, its funny and sad at the same time to see products like this. That is why we decided to develop a REAL solution. the CryptX2: an Open Source Hardware Encrypted Storage Device at http://www.cryptx2.com/ Let us know if you have any questions or feedback about it. Thanks

Tzisorey wrote at 28 Aug 2010, 9.08:

I've been trying to find a USB thumb drive that still has a hardware-based write-protect switch, for the times I have to get tools onto a system with virus infections, etc. Now that I know that it may be as easy as connecting a pin to GND, I'm tempted to try my first ever hardware hack! You've inspired me!

Valheru wrote at 23 Nov 2007, 13.40:

I am a bit curious now if the ironkey (www.ironkey.com) is also such an insecure solution. If you ever test that one can you let me know on valheru@valheru.org ? thnx.

mtt wrote at 12 Sep 2007, 7.38:

i want to copy the lockstar usb key that is used in konica minolta minilab system to protect the license. that usb drive path can't find in the my computer why? i wanna know how to crack.......... help me..... plz send information to thantin@gmail.com help.......................me

chaos theory wrote at 22 Aug 2007, 0.25:

das eigelijk wel vet gepest voor da bedrijf da die dinge maakt

steve wrote at 8 Aug 2007, 3.15:

color blind can't read captcha depending on location ;-) or color vs. background [4th try]

Ed wrote at 11 May 2007, 11.33:

Any infos on the Kingston DataTaveller Range or BioSlimDisk?? I'm looking for a reasonably priced secure stick, the BioSlim does appear to offer max security, but it also costs 300... adrian@gmxpro.de

Rootarded wrote at 9 May 2007, 20.26:

Awsome work, I really enjoyed reading it. I've never really trusted those "secure" USB sticks (even though some of them use 3-DES/AES or whatever). My USB stick has four files: truecrypt.exe, tryecrypt.sys, passwd.exe and content.aes. passwd.exe is used to get the key from my server and then launches truecrypt with with the received key. As far as I know, it's pretty secure as I only need to remove the key from the server if the stick is lost. (OT: Talking about security, your captcha should use sessions instead of a base64 encoded string ;-)

Slash_Fury wrote at 24 Apr 2007, 2.17:

You are awesome and I want you to have mah babies. That's pretty sweet. I'm looking to go into Computer Science and Engineering myself, so hopefully I'll learn how to do all the fun stuff like this :P

Sprite_tm wrote at 22 Apr 2007, 16.43:

Robert: About a day, it was relatively easy. I wasted most of the time trying to transplant the NAND flash to another USB-stick first, which turned out to be fruitless. UnixFan: The people whom we got the stick from got informed and stopped selling it. I don't know if they contacted the people whom they got the stick from, tho'.

UnixFan wrote at 21 Apr 2007, 17.53:

Wow, That manufacture is quite pathetic.. Seriously, Who trusts a non-trusted system with password authentication tasks? Has this review been sent in to the manufactures? (Or people using the stick?..)

Robert wrote at 18 Apr 2007, 0.52:

Good review, How much time did you need to figure this out?

Leave a comment:

Your name:

What does this picture say?
Sorry, this is a captcha

Your comment:


© 2006-2016 Sprite_tm - Contact