Huge vulnerability in encrypted USB drives

NIST-certified USB Flash drives with hardware encryption cracked - The H Security: News and Features Security firm SySS announced (in German) that it has discovered a massive vulnerability in the hardware encryption for USB thumb drives by Kingston, SanDisk and Verbatim. From the article at The H Security it looks like the problem is that all drives share a single symmetric encryption key at the hardware level. The password interface seems to simply do some gymnastics to get access to that key. It does not really matter what it does because SySS was able to intercept the actual hardware key being sent in the clear to the device.

They then simply wrote a little program to just send that key without bothering with the password or anything else. Because all drives by the same maker use the same key, this program can instantly open any encrypted USB drive by that maker.

From the sound of it, this is a very easy attack for someone to duplicate. If you have one of these drives, I would suggest that you treat them as if they were normal un-encrypted thumb drives.

Kudos to Kingston for quickly providing details of which of their drives are affected, and recalling them. SanDisk and Verbatim have issues software fixes. If I understand the attack correctly, I am not sure how a software patch will solve it, so watch this space.