SanDisk USB Password Encryption Cracked
The SanDisk USB Drives Password Encryption has been hacked by SySS, a Security Firm.
The crack relies on a weakness so astoundingly bone-headed that it’s almost hard to believe. While the data on the drive is indeed encrypted using 256-bit encryption, there’s a huge failure in the authentication program. When the correct password is supplied by the user, the authentication program always sends the same character string to the drive to decrypt the data, no matter what password is used. What’s also staggering is that this character string is the same for Kingston, SanDisk and Verbatim USB flash drives.
Cracking the drives is therefore quite an easy process. The folks at SySS wrote an application that always sent the appropriate string to the drive, irrespective of the password entered, and therefore gained immediate access to all the data on the drive.
This is a big deal also from a point of certification. These drives are sold as meeting security standards making them suitable for use with sensitive US Government data (unclassified rating) and have a FIPS 140-2 Level 2 certificate issued by the US National Institute of Standards and Technology (NIST).
Vendors have had a mixed reaction to the news. Kingston has done the right thing and issued a recall. Verbatim and SanDisk have issued a statement and have updates available, but the threat is downplayed.
For those wanting the program, it hasn't been released, nor will it be. However, I do have a cloned version I could release, but I'm not sure if it's illegal since apparently the government uses the USB drives to secure their data. It was pretty easy to create since all you do is get the string used... To do that you input the correct password and have a sniffer get the string. From there it's all done with ease.
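The design flaw described in the post above, modelled as an added example (not part of the original thread and not SySS's program): a drive whose host software checks the password and then sends a constant, next to a design where the unlock message is derived from the password, with a check that tells the two apart. The class names, the `FIXED_UNLOCK` placeholder and the PBKDF2-based alternative are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed placeholder; the real string is not on the page.
FIXED_UNLOCK = b"CONSTRUCTED-UNLOCK-TOKEN"


class FlawedDrive:
    """Model of the reported design: the host program checks the password,
    then sends one constant message that the device accepts."""

    def __init__(self, password: bytes):
        self._pw_hash = hashlib.sha256(password).digest()  # verified on the host only

    def host_message(self, password: bytes):
        ok = hmac.compare_digest(hashlib.sha256(password).digest(), self._pw_hash)
        return FIXED_UNLOCK if ok else None

    def device_accepts(self, message) -> bool:
        return message == FIXED_UNLOCK


class BoundDrive:
    """Assumed alternative: the message is a key derived from the password
    and a per-device salt, and the device itself verifies it."""

    def __init__(self, password: bytes):
        self._salt = os.urandom(16)
        self._verifier = hashlib.sha256(self._kdf(password)).digest()

    def _kdf(self, password: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, self._salt, 100_000)

    def host_message(self, password: bytes) -> bytes:
        return self._kdf(password)  # a real device would use this to unwrap the data key

    def device_accepts(self, message: bytes) -> bool:
        return hmac.compare_digest(hashlib.sha256(message).digest(), self._verifier)


def unlock_is_password_bound(drive_cls) -> bool:
    """Design-review check: a message recorded on a drive whose password we
    know must not unlock a second drive that has a different password."""
    own = drive_cls(b"tester-password")          # constructed sample passwords
    other = drive_cls(b"someone-elses-password")
    recorded = own.host_message(b"tester-password")
    assert own.device_accepts(recorded)          # sanity: legitimate unlock works
    return not other.device_accepts(recorded)
```

`unlock_is_password_bound(FlawedDrive)` returns `False` and `unlock_is_password_bound(BoundDrive)` returns `True`, which is the property a reviewer of such a product would want to verify.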
Re: SanDisk USB Password Encryption Cracked
It IS illegal, cracking into a USB drive is illegal, having the application to do so would probably be illegal too. A beginner programmer could probably make it, it doesn't seem too hard, just sending a string.
Re: SanDisk USB Password Encryption Cracked
I know, I found it funny that they "told" you how to do it.