On the 18th of December, the German security firm SySS published a paper saying that it had found a way to "bypass the entire protection of the [FIPS 140-2 certified] USB sticks. Independent from the password in use, respective encrypted data can be reconstructed within seconds."

SySS then reported - and vendors SanDisk, Verbatim and Kingston Technology reluctantly confirmed early last week - that a number of their cryptographic standard FIPS 140-2 certified flash drives including SanDisk Cruzer Enterprise FIPS Editions CZ32 and CZ46 in 1G, 2G, 4G and 8G; the Verbatim Corporate Secure FIPS Edition in 1G, 2G, 4G and 8G; and Kingston Technology's DataTraveler Secure, DataTraveler Elite and DataTraveler Blackbox were open to this bypass technique.

Kingston said that a number of their other models (DataTraveler Locker DataTraveler Locker+, DataTraveler Vault, DataTraveler Vault, Privacy Edition, DataTraveler Elite and the DataTraveler Secure) were not affected, however.

According to this story yesterday in Government Computing News (GCN), the National Institute of Standards and Technology (NIST) is now looking into the issue, and has said in a press release that, "From our initial analysis, it appears that the software authorizing decryption, rather than the cryptographic module certified by NIST, is the source of this vulnerability. Nevertheless, we are actively investigating whether any changes in the NIST certification process should be made in light of this issue."

All three vendors have issued software updates to address the problem, GCN reports.

The Conversation (0)

Why Functional Programming Should Be the Future of Software Development

It’s hard to learn, but your code will produce fewer nasty surprises

11 min read
A plate of spaghetti made from code
Shira Inbar

You’d expectthe longest and most costly phase in the lifecycle of a software product to be the initial development of the system, when all those great features are first imagined and then created. In fact, the hardest part comes later, during the maintenance phase. That’s when programmers pay the price for the shortcuts they took during development.

So why did they take shortcuts? Maybe they didn’t realize that they were cutting any corners. Only when their code was deployed and exercised by a lot of users did its hidden flaws come to light. And maybe the developers were rushed. Time-to-market pressures would almost guarantee that their software will contain more bugs than it would otherwise.

Keep Reading ↓Show less