The security expert Matthias Deeg from SySS showed how easy it is to decrypt supposedly protected data from the Verbatim Keypad Secure USB stick.
Now Deeg also cracked the Lepin Crypto USB Flash Drive EP-KP001 USB stick, which is also equipped with a numeric keypad, and the Verbatim Executive Fingerprint Secure SSD USB SSD. In both cases, the investigation uncovered serious security gaps that are basically easily avoidable.
Chip replacement brings access
With the Lepin Crypto USB Flash Drive EP-KP001, it turned out that the data is in fact not protected with the promised “military 256-bit AES-XTS hardware encryption”. Instead, a controller only blocks access to the flash memory until you type in the correct PIN. If you swap the controller of a supposedly encrypted USB stick of this type for the desoldered controller of another stick of the same type whose PIN you know, the data can be read (CVE-2022-29948).
Poorly protected communication
As with the Keypad Secure from the same manufacturer, Matthias Deeg discovered several security gaps in the Verbatim Executive Fingerprint Secure SSD. In both cases, the firmware is not securely protected against manipulation, for example through cryptographic signatures.
The M.2 SATA storage of the Verbatim Executive Fingerprint Secure SSD can be removed.
AES-encrypted USB communication turned out to be the Achilles heel of the Executive Fingerprint Secure SSD, although the key secret is built into the associated Windows software and can be extracted from it. After extracting the key from the code, Deeg was able to decrypt the password from the USB communication (CVE-2022-28387).
Be careful when buying sticks!
Verbatim Executive Fingerprint Secure SSD with fingerprint sensor
Security gaps in external USB storage devices with hardware encryption have been known for many years, but apparently not to the developers of the devices now affected. Deeg therefore warns of the risks of these products, many of which only offer supposed security.
To home page
#USB #storage #devices #cracked #encryption