How can you be sure the “secure” USB drive you’re using is really secure and the data you store on it can’t be extracted? That’s exactly the question Google’s security researchers Elie Bursztein, Jean-Michel Picod, and Rémi Audebert addressed in their talk, “Attacking encrypted USB keys the hard(ware) way,” at the recent Black Hat USA 2017.
Not every possible attack vector is covered by the FIPS 140 security standard. This article shows that some encrypted USB drives pass certification but are still vulnerable to attacks; sometimes hacking them is even easy.
Attack vectors fall into several groups: design and manufacturing features of the whole drive, the authentication factor, the USB/crypto controller, the encryption algorithm, and the flash memory. They are all covered in this article.
The researchers invite everyone to contribute to making a great audit methodology for secure USB drives and testing as many drive models as possible.