Update

Our Handler Arrigo Triulzi pointed out that the "fixed memory content" that was mentioned in the paper is actually the encryption key used internally in these devices. Due to ease of manufacturing, this key is the same for all devices manufactured.

----

Several ISC readers have written in regarding a security flaw recently exposed on USB flash drive. The issue of the attack is with a software bug in the password verification mechanism. This affects Kingston, SanDisk and Verbatim.

Vendor Information

SanDisk Update Information: http://www.sandisk.com/business-solutions/enterprise/technical-support/security-bulletin-december-2009
Verbatim Update Information: http://www.verbatim.com/security/security-update.cfm
Kingston Recall Information: http://www.kingston.com/driveupdate/

UPDATE: An ISC reader has contacted Kingston support and confirmed they will be releasing a firmware patch to fix the issue. They have described it as a randomization error and it will affect some of the drives. Thanks Tony.

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org