The other day a public relations email was sent to the Certified Computer Examiner mailing list. This email talked about a new secure USB flash drive. It is pretty brave to send such an announcement to forensics professionals. The drive is called the Flash Padlock from Corsair.
I will start by disclosing that I have not seen this device in person. My opinions here are strictly based on the vendor documentation from their own web site materials. I did email back to the sender of the announcement that I wouldn’t mind reviewing the drive for the In the Trenches Podcast. Days later, I have yet to receive a reply. But I was still curious, so I started reading the materials on the Corsair web site.
The device looks to be very interesting. It uses a combination lock with indicator LEDs showing the status of the drive. Since the combination is physically entered, it is compatible with any computer (Windows, Mac, etc.) that can recognize flash drives. Corsair provides an online site where you can register the PIN you set for your drive. Handy if you forget it. Any computer will let you look it up from their systems. The PIN can be up to ten digits in length. No software component is required. This all makes it pretty much impossible to brute force the drive. At least until some enterprising hacker figures out a way to wire up the entry mechanism to a custom interface on a laptop. Another interesting feature is that it locks automatically when the drive is removed from the computer. This is a nice design idea. Makes it less likely anyone will get into the contained data.
They have an interesting PDF White Paper. I see a couple of interesting things in this paper.
- Page 4 – “A PIN…is not stored anywhere that is accessible from the computer.” Makes you wonder where the PIN is stored. Is it hashed, plain text, etc.? Could someone pull it straight from the flash chips?
- Page 4 – Read the part about Two Factor Authentication. They claim it is two factor because you have to have the Flash Padlock and know the PIN. I find this debatable. This is like saying a bank vault is using two factor authentication. You have to have possession of the safe and know the combination. To me it is only two factor authentication if the two factors actually authenticate the proper user. Possessing the lock does not mean the lock requires two items of proof of valid access. In my opinion, and this is my personal opinion only, this consists of one factor of authentication. So at this point I am starting to get skeptical about this device being the affordable wonder security flash drive.
- I found no reference to encryption in the white paper at all relating to the Padlock. In fact, unless I am blind, I find only encryption references in the comparison to other device protection types. So I began to wonder if this PIN is only protecting read access, and if some clever security researcher could read the data straight from the flash memory and present it at Black Hat. At the bottom of page 4 there is a reference that the DataLock(tm) technology has been licensed from a company called ClevX. They even nicely provide a link to www.clevx.com.
Finally, I find the last thing that makes me nervous about this device. I needed only to look at ClevX’s page on DataLock: http://www.clevx.com/datalock.html. Do you see the words that make every security professional cringe? “Proprietary on-board encryption…” At least the data does not sound like it is in plain text.
So it seems to me this device would make some skilled security researcher a wonderful paper for Black Hat. I would still love to play with one of these devices and compare it from a usability frame of reference to the Kingston DataTraveler Elite that comes fully encrypted using non-proprietary 256-bit hardware-based AES encryption.