Fediverse (Mastodon etc): @Sprite_tm@social.spritesmods.com
Seemingly, the checking of the password and the unlocking of the stick are two separate processes, both initiated from the PC. From the point of view of the stick they are unrelated operations, and unlocking can happen just fine even if no valid password has been entered. This is a Big Flaw. As an indication of how big: the best sticks handle all the encryption to/from the flash themselves and don't keep a password at all: the fact that the data can't be decrypted without it makes it safe. The mediocre sticks store a password inside the flash controller and check it against a password sent by the PC before unlocking the flash memory. This way, the password can't be found by reading out the flash chip manually. The bad ones do the same but store the password on flash. The Secustick is even worse than that: it stores the password on flash and lets the PC do the validation, even though as soon as the stick gets stolen, the PC it is plugged into is completely untrustworthy.
This has big implications for the security of the stick: any program can send the unlocking sequence without asking for the password. The PASSWORD.exe program can even be easily modified to accept any password at all. If such a program were made and turned loose on the Internet, everyone with just a little skill in Googling stuff would be able to access the stick without problems.
My recommendation: If you like the keychain, the box or the nice metal casing of the stick and are prepared to shell out E130,- for it, by all means go ahead and buy it. If you want security, buy a much cheaper, non-security USB-stick and use a program like TrueCrypt. Or even use a plain old USB-stick without encryption: while that isn't a safe thing to do at all, it at least doesn't give you the illusion of safety the SecuStick does.
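The three designs compared above, modelled in Python to show where the trust decision lives in each. This is an added example, not code from the article or from any stick's firmware; the class names are hypothetical, and the HMAC-based keystream is a standard-library stand-in for the AES a real controller would use.

```python
import hashlib, hmac, os

# Added illustration: toy models, hypothetical names, not any stick's firmware.
class Stick:
    def __init__(self, password, data):
        self._password, self._data, self._unlocked = password, data, False
    def read(self):
        return self._data if self._unlocked else None

class HostValidatedStick(Stick):
    """Secustick-style: password on flash, comparison done by the PC."""
    def read_stored_password(self):      # the host fetches this to compare
        return self._password
    def unlock(self):                    # carries no proof of the password
        self._unlocked = True

class ControllerValidatedStick(Stick):
    """'Mediocre' tier: the controller keeps the password and compares."""
    def unlock(self, password):
        ok = hmac.compare_digest(password.encode(), self._password.encode())
        self._unlocked = self._unlocked or ok
        return ok

class KeyDerivedStick:
    """'Best' tier: no stored password, it only feeds the decryption key."""
    def __init__(self, password, data):
        self._salt = os.urandom(16)
        enc_key, mac_key = self._keys(password)
        self._ct = self._keystream_xor(enc_key, data)
        self._tag = hmac.new(mac_key, self._ct, hashlib.sha256).digest()
    def _keys(self, password):
        k = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt,
                                200_000, dklen=64)
        return k[:32], k[32:]
    @staticmethod
    def _keystream_xor(key, data):
        # HMAC-SHA256 in counter mode: stdlib stand-in for a real AES mode
        out = bytearray()
        for i in range(0, len(data), 32):
            pad = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
        return bytes(out)
    def read(self, password):
        enc_key, mac_key = self._keys(password)
        tag = hmac.new(mac_key, self._ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._tag):
            return None                  # wrong password: nothing to bypass
        return self._keystream_xor(enc_key, self._ct)
```

When reviewing a product of this kind, the question the model makes concrete is whether the device's unlock operation takes the secret as input; in the first class it does not, so no amount of host-side checking protects the data.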
15 comments
Article written in 2007. Is this really still valid? The suggestion to use TrueCrypt is funny because the link it takes you to is a page that tells you TrueCrypt is no longer considered secure.
Ohmygosh, you use W32Dasm for a debugger! While it still does the job, it's slow, cranky and old as hell. There is (and it was there for YEARS) a much more flexible and powerful tool: OllyDbg. Can be obtained at ollydbg.de (main site) and tuts4you.com is a great source for scripts and plugins.
Haha, it's funny and sad at the same time to see products like this. That is why we decided to develop a REAL solution. The CryptX2: an Open Source Hardware Encrypted Storage Device at http://www.cryptx2.com/ Let us know if you have any questions or feedback about it. Thanks
I've been trying to find a USB thumb drive that still has a hardware-based write-protect switch, for the times I have to get tools onto a system with virus infections, etc. Now that I know that it may be as easy as connecting a pin to GND, I'm tempted to try my first ever hardware hack! You've inspired me!
I am a bit curious now if the ironkey (www.ironkey.com) is also such an insecure solution. If you ever test that one can you let me know on valheru@valheru.org ? thnx.
i want to copy the lockstar usb key that is used in konica minolta minilab system to protect the license. that usb drive path can't find in the my computer why? i wanna know how to crack.......... help me..... plz send information to thantin@gmail.com help.......................me
That's actually some pretty heavy teasing for the company that makes those things
color blind can't read captcha depending on location ;-) or color vs. background [4th try]
Any infos on the Kingston DataTraveler Range or BioSlimDisk?? I'm looking for a reasonably priced secure stick, the BioSlim does appear to offer max security, but it also costs €300... adrian@gmxpro.de
Awesome work, I really enjoyed reading it. I've never really trusted those "secure" USB sticks (even though some of them use 3-DES/AES or whatever). My USB stick has four files: truecrypt.exe, tryecrypt.sys, passwd.exe and content.aes. passwd.exe is used to get the key from my server and then launches truecrypt with the received key. As far as I know, it's pretty secure as I only need to remove the key from the server if the stick is lost. (OT: Talking about security, your captcha should use sessions instead of a base64 encoded string ;-)
You are awesome and I want you to have mah babies. That's pretty sweet. I'm looking to go into Computer Science and Engineering myself, so hopefully I'll learn how to do all the fun stuff like this :P
Robert: About a day, it was relatively easy. I wasted most of the time trying to transplant the NAND flash to another USB-stick first, which turned out to be fruitless. UnixFan: The people whom we got the stick from got informed and stopped selling it. I don't know if they contacted the people whom they got the stick from, tho'.
Wow, that manufacturer is quite pathetic.. Seriously, who trusts a non-trusted system with password authentication tasks? Has this review been sent in to the manufacturers? (Or people using the stick?..)
Good review, How much time did you need to figure this out?
@ MensaWater - That's why you use a fork of the now obsolete and unsupported TrueCrypt named VeraCrypt...