Public Safety Canada
Symbol of the Government of Canada
Skip to content | Skip to institutional links

Common menu bar links | Liens de navigation communs

Skip Navigation Links Home > Programs > Response > CCIRC > Analytical releases 2010 > AV10-001: USB Flash Drive Password Validation Flaw Lets Local Users Bypass Access Controls

Institutional links

USB Flash Drive Password Validation Flaw Lets Local Users Bypass Access Controls

Number: AV10-001
Date: 07 January 2010

Purpose

The purpose of this advisory is to bring attention to a vulnerability which affects 'secure' USB flash drives, affecting multiple vendors.

Assessment

Local users can bypass access controls to access data on USB flash drives. A German security firm has declared that it is possible to modify the access control software to allow unauthorized access to local attackers.

The vulnerability affects certain models of USB flash drives produced by Kingston, Verbatim, and SanDisk:

SanDisk Cruzer® Enterprise FIPS Edition with McAfee USB flash drive, CZ46 – 1GB, SanDisk Cruzer® Enterprise FIPS Edition USB flash drive, CZ32 – 1GB, 2GB, 4GB, 8GB
SanDisk Cruzer® Enterprise with McAfee USB flash drive, CZ38 – 1GB, 2GB, 4GB, 8GB
SanDisk Cruzer® Enterprise USB flash drive, CZ22 – 1GB, 2GB, 4GB, 8GB
Kingston DataTraveler BlackBox (DTBB)
Kingston DataTraveler Secure – Privacy Edition (DTSP)
Kingston DataTraveler Elite – Privacy Edition (DTEP)
Verbatim Corporate Secure FIPS Edition USB Flash Drives 1GB, 2GB, 4GB, 8GB
Verbatim Corporate Secure USB Flash Drive 1GB, 2GB, 4GB, 8GB

CCIRC is not aware of any reports indicating that this vulnerability is being exploited, or that exploit code is available in the wild.

Suggested action

Kingston, Verbatim and SanDisk have all issued fixes for the problem:

http://www.kingston.com/driveupdate/
http://www.sandisk.com/business-solutions/enterprise/technical-support/security-bulletin-december-2009
http://www.verbatim.com/security/security-update.cfm

CCIRC recommends that administrators identify affected products, assess the need to update and identify potential dependencies regarding ‘secure’ USB flash drives.

References:

http://securitytracker.com/alerts/2010/Jan/1023410.html
http://securitytracker.com/alerts/2010/Jan/1023409.html
http://securitytracker.com/alerts/2010/Jan/1023408.html
http://www.sophos.com/blogs/gc/g/2010/01/05/flash-drive-manufacturers-warn-hackers-decrypt-secure-usb-sticks/

Note to Readers

The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca

Date Modified: 2010-01-07
Top of Page
Top of Page
Important Notices