January 12, 2010 11:25 AM
How three vendors screwed up USB stick security
Three companies admit they suffered the same egregiously stupid encryption flaw in some of their expensive ‘secure’ USB sticks at the same time. And these turned out to have been certified using an important-sounding US government security standard, FIPS-140 Level 2.
It now looks as if the ‘FIPSgate’ scandal affects not only Kingston, as we reported last week, but SanDisk and Verbatim as well. To summarise, all three companies admitted that the technology securing the encryption passphrase on a number of current and past enterprise-class USB stick drives could be hacked by something as simple as a memory-resident program.
It took a German security company to find this out (the vendors were unaware of the issue), but it is not impossible to imagine the hacking department of some dodgy government probing for the same flaw, which brings us to the nub of this scandal.
Worry number one is that it happened at all.
Worry number two is that it happened at three different companies, confounding the naive belief that diversity of supplier protects businesses.
Worry number three, as lots of commentators have pointed out, is that these drives came plastered with FIPS-140 Level 2 stickers all over them. It’s not that this standard is directly at fault per se, but that the use of these government security standards as catch-all marketing baubles can create a false sense of security.
As we’ve long pointed out, the paradox of security standards is that certification does not mean a product is secure, merely that it is ‘securable’. In other words, if properly implemented, the drive is guaranteed to meet the named security levels; that says nothing about other possible flaws in its design that the standard does not cover. As eminent blogger Bruce Schneier points out, nobody knows what FIPS-140 Level 2 guarantees anyway.
What we have here is not a crisis of technology, or even of the standard itself, because the various layers of FIPS-140 are actually extremely important and worthy. Rather, it is a crisis of understanding, a problem that has afflicted encryption since the days when the WW2 German military believed that its Enigma machine communications were uncrackable.
Standards make statements about security that are defined and often narrow. They are a piece of psychological insurance designed to save assessment time when deciding what bits and pieces to buy. Where did the idea come from that FIPS-140 Level 2, 3 or 4 means that a USB stick or external hard drive is secure?
Nobody knows, but I bet the salesmen who sold these devices to the public sector and large companies alike (often, ironically, for compliance reasons) weren’t going to point out the limitations of FIPS. Caveat emptor, as ever.