Hacked proprietary encryption devices
If you have ever wondered whether your proprietary encryption device or smart card is secure, you might have been right. History tells us that many vendors do not pay enough attention to delivering a really secure product. The following is an incomplete overview of security flaws that became public:
- In 2011 RSA Inc. was hacked and secret information about RSA’s SecurID token was stolen, which allows the tokens to be hacked.
- In 2010 it was revealed that AES-256 encrypted and FIPS 140-2 Level 2 certified USB storage devices of the following vendors could be easily accessed by using a default password: Kingston, SanDisk, Verbatim, MXI, PICO
- Aladdin eToken Pro (2010)
- Corsair's Padlock 2 (2010)
- Kobil smart card readers (2010)
- Raidon’s Staray-S-Serie (2009)
- All USB storage devices from 9Pay, A-Data and Transcend which use fingerprint readers based on the USBest UT176 and UT169 from Afa Technology (2008)
- Excelstor’s GStor Plus (2005)
- Lexar JumpDrive (2004)
Imagine how many security flaws still exist that haven't been published and are known only to criminals or intelligence services. This is why you shouldn't trust security technology unless its source code is available for inspection. The Crypto Stick is the only security USB device with published hardware design and source code to ensure its secure implementation.
If you want to learn more about the physical insecurity of smart cards and crypto processors, I recommend this interesting video from WIRED magazine, which presents Chris Tarnovsky's excellent work in this area. You can also find more in-depth presentations from him recorded at the Black Hat conference.