In response to the reports on Monday, Jan. 4, that certain hardware-encrypted
USB flash drives have been hacked, IronKey, maker of the world’s most secure
flash drive, today announced that its devices are not vulnerable to the serious
architectural flaw that has compromised many ‘secure’ USB storage devices.
IronKey customers remain safe.

Reports detailing the vulnerabilities, and how to hack these devices, have
been published by German security firm SySS. The vulnerability is a major flaw
in the design of the affected products. In short, the products use software
that runs on the host PC to verify the correctness of a user’s password. This
is an inherent design error, and is not secure. It is equivalent to a single
shared backdoor password for all of these devices. Security analysts were able
to write a simple unlocker tool that patches the software and unlocks any of
those devices instantaneously, without the user’s password.

"This security flaw means that data on the affected products is at risk of
disclosure," said Dr. Dan Boneh, a leading authority in the fields of
cryptography and computer science, and professor of computer science at Stanford
University in applied cryptography and computer security. "FIPS 140-2 security
validation is a useful tool in assessing the security of encryption products.
However, it is not a guarantee that a product is secure. Implementing an
encryption algorithm is only a part of a security implementation. Vendors
building encryption products need to be skilled at security architecture,
design, penetration testing and vulnerability analysis."

Designed to be the most secure portable storage devices in the world, IronKey
devices verify the correctness of a user’s password in hardware on the device.
The security of IronKey devices does not depend on software on the host PC,
which, as this attack illustrates, can easily be tampered with. Additionally,
IronKey devices do not have unlock codes or backdoors. Every IronKey device has
unique random AES encryption keys that are generated on the device when a user

"The products that were hacked were made by storage companies that primarily
manufacture consumer memory products for cameras and MP3 players," David Jevans,
CEO at IronKey, said. "IronKey is first and foremost a security company. This
incident illustrates that securing portable storage devices requires deep
architectural understanding, threat modeling, security review and attention to
detail in implementation."

Many years of security architecture and threat modeling have been applied to
the design and development of IronKey devices. IronKey S200 and D200 products
are validated to FIPS 140-2, Level 3, a far higher standard than FIPS 140-2,
Level 2 for the products affected by this hack. Level 3 has much higher
requirements for encryption key management, authentication, design assurance and