Self-Destructing USB Stick 223
Hugh Pickens writes "PC World reports that Victorinox, maker of the legendary Swiss Army Knife, has launched a new super-secure memory stick that sounds like something out of Mission: Impossible. The Secure Pro USB comes in 8GB, 16GB, and 32GB sizes, and provides a variety of security measures including fingerprint identification, a thermal sensor, and even a self-destruct mechanism. Victorinox says the Secure is 'the most secure [device] of its kind available to the public.' The Secure features a fingerprint scanner and a thermal sensor 'so that the finger alone, detached from the body, will still not give access to the memory stick's contents.' While offering no explanation how the self-destruct mechanism works, Victorinox says that if someone tries to forcibly open the memory stick it triggers a self-destruct mechanism that 'irrevocably burns [the Secure's] CPU and memory chip.' At a contest held in London, Victorinox put its money where its mouth was and put the Secure Pro to the test offering a £100,000 cash prize ($149,000) to a team of professional hackers if they could break into the USB drive within two hours. They failed."
Re:Two hours? (Score:3, Informative)
from TFA:
Victorinox says the device uses the Advanced Encryption Standard 256 to protect your data as well as its own proprietary security chip.
2 Hours? (Score:3, Informative)
Only 2 hours? What are they scared that this thing will be crackable in 3? Seriously, if you are buying one of these to keep something secret on, and you lose it. It will have to remain resistant to attacks for way longer than that.
This is (of course) just a cheap publicity stunt.
What if they just breathe at the sensor? (Score:3, Informative)
No detached fingers necessary. Many scanners can be fooled by "reactivating" the most recent fingerprint with the moisture in the exhaled air.
And _really_ professional fingerprint scanners don't check temperature, they check blood oxygen saturation and pulse. That makes cutting of any appendages pretty much a non-issue - it's easier to fool the thing with a dummy finger (or the actual finger that's still attached to the unconscious or otherwise compliant owner) than trying to simulate blood oxygen saturation and pulse with a detached finger.
Re:What if they just breathe at the sensor? (Score:4, Informative)
Not this one, it's a linear sensor, you have to swipe your finger over it, and it reads sequentially.
Re:Shame it has a knife on it (Score:5, Informative)
I doubt very seriously that it's incendiary. I would guess that it is electrical in nature. I built an anti tamper device before and used a 300v photo flash cap run down the ground rail. VERY effective. Actually blew some SMB components off of the board and set several tantalum capacitors on fire.
Although I guess that could be considered incendiary....
Re:You're naive. (Score:5, Informative)
Human life is worthless to criminals.
Human life is worthless to murderers. The term criminals covers a wide variety of law-breakers from litterers to mass-murderers.
Re:What if they just breathe at the sensor? (Score:3, Informative)
Exposing blood to air gives your pretty decent oxygen saturation.
Only if you create a _huge_ surface area. Exposing a drop of blood to air doesn't saturate it at all. There's a reason why the inside of your lungs have a surface area about the size of a tennis court.
Perhaps more practical, I wonder how difficult it would be to produce a variant of the classic "gelatin finger with correct fingerprint" that reads as having oxygen sat and a pulse?
Much, much easier than trying the same with a detached finger. That's why there's no reason for chopping off any appendages. Unless you're a really, really dumb criminal.
Re:No secure USB Stick (Score:4, Informative)
http://www.spyrus.com/ [spyrus.com] - Right now, about the only people I would trust are IronKey and these guys. IronKey has the benefit of working under Linux though.
Re:Two hours? (Score:2, Informative)
IIRC, it was reduced-key variations of AES-256 (such as using a 196-bit key with the AES-256 algorithm) that they were able to further reduce (to the effectiveness of a 112 bit key); as far as I know, no one yet has a feasible attack against plain-vanilla AES 128 or 256. Doesn't mean it won't happen eventually, but the crypto algorithm is almost never the problem. The problem with security for data-at-rest is always how the key is stored; and on a stand-alone device like a USB stick, it's quite possible that the key is stored on the device using a weaker form of encryption - most likely one that simply involves a simple pass phrase.
Re:What if they just breathe at the sensor? (Score:3, Informative)
Funny the story only says Fingerprint scanner and Thermal Sensor, but even thermal + pulse can be fooled by making the fake fingerprint very thin, and applying it to the end of your own finger, unless you don't have a body temperature and pulse.
Mythbusters did it on the Crimes and Mythdemeanors episode, and I consider the fingerprint overlay patch, and Jamie's Marks-a-lot fingerprint enhancement to be improvements over the original $20 Gummy Bear attack from a Japanese researcher in 2002 that they were copying.
The original researcher enhanced the fingerprint details in photoshop, Jamie blew up the image in a copier and connected broken lines with a marker and shrunk the image back down.
The rest of the details Photo Etched Circuit board, silicon/ballistics gel/gummi bears are pretty much unchanged.