Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Secure USB Flaw Exposed

Published: 2010-01-06
Last Updated: 2010-01-11 15:34:41 UTC
by Guy Bruneau (Version: 1)
1 comment(s)


Our Handler Arrigo Triulzi pointed out that the "fixed memory content" that was mentioned in the paper is actually the encryption key used internally in these devices. Due to ease of manufacturing, this key is the same for all devices manufactured.


Several ISC readers have written in regarding a security flaw recently exposed on USB flash drive. The issue of the attack is with a software bug in the password verification mechanism. This affects Kingston, SanDisk and Verbatim.

Vendor Information

SanDisk Update Information:
Verbatim Update Information:
Kingston Recall Information:


UPDATE: An ISC reader has contacted Kingston support and confirmed they will be releasing a firmware patch to fix the issue. They have described it as a randomization error and it will affect some of the drives. Thanks Tony.


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

1 comment(s)
Diary Archives