Hacked proprietary encryption devices

If you have ever wondered whether your proprietary encryption device or smart card is secure, you might have been right to wonder. History tells us that many vendors do not pay enough attention to delivering a really secure product. The following is an incomplete overview of security flaws that have become public:

  • In 2011, RSA Inc. was hacked and secret information about RSA’s SecurID token was stolen, which allows the tokens to be hacked.

  • In 2010, it was revealed that AES-256 encrypted and FIPS 140-2 Level 2 certified USB storage devices from the following vendors could be easily accessed by using a default password: Kingston, SanDisk, Verbatim, MXI, PICO.

Imagine how many security flaws still exist that haven't been published and are known only to criminals or intelligence services. This is why you shouldn't trust security technology unless its source code is available for inspection. The Crypto Stick is the only security USB device with published hardware design and source code to ensure its secure implementation.

If you want to learn more about the physical insecurity of smart cards and crypto processors, I recommend this interesting video from WIRED magazine, which presents Chris Tarnovsky's excellent work in this area. You can also find more in-depth presentations by him recorded at the Black Hat conference.

6.4.2014
