Self-Destructing USB Stick

Posted by samzenpus
from the secure-the-bits dept.
Hugh Pickens writes "PC World reports that Victorinox, maker of the legendary Swiss Army Knife, has launched a new super-secure memory stick that sounds like something out of Mission: Impossible. The Secure Pro USB comes in 8GB, 16GB, and 32GB sizes, and provides a variety of security measures including fingerprint identification, a thermal sensor, and even a self-destruct mechanism. Victorinox says the Secure is 'the most secure [device] of its kind available to the public.' The Secure features a fingerprint scanner and a thermal sensor 'so that the finger alone, detached from the body, will still not give access to the memory stick's contents.' While offering no explanation how the self-destruct mechanism works, Victorinox says that if someone tries to forcibly open the memory stick it triggers a self-destruct mechanism that 'irrevocably burns [the Secure's] CPU and memory chip.' At a contest held in London, Victorinox put its money where its mouth was and put the Secure Pro to the test offering a £100,000 cash prize ($149,000) to a team of professional hackers if they could break into the USB drive within two hours. They failed."

  • by unity100 (970058) on Tuesday March 30, 2010 @07:58AM (#31668664) Homepage Journal

    to 37 degrees Celsius?

  • Two hours? (Score:5, Insightful)

    by mog007 (677810) <Mog007.gmail@com> on Tuesday March 30, 2010 @07:58AM (#31668668)

    Presumably, if you had physical access to the drive, wouldn't you have more time to crack it than two hours?

  • by boef (452862) on Tuesday March 30, 2010 @08:00AM (#31668678)
    maybe next time they will have a team of professional cannibals have a go...
  • Re:Two hours? (Score:1, Insightful)

    by bcmm (768152) on Tuesday March 30, 2010 @08:00AM (#31668682)
    Thank you!

    Also, it seems inevitable that the actual data will not be encrypted. For some reason, people who claim to make secure USB sticks never, ever use real encryption on them.
  • by alexandre (53) * on Tuesday March 30, 2010 @08:01AM (#31668684) Homepage Journal

    I thought that we had stopped considering such scam contests as serious security proof 10 years ago?

  • Thermal sensor? (Score:5, Insightful)

    by zmotula (663798) on Tuesday March 30, 2010 @08:01AM (#31668686) Homepage

    The Secure features a fingerprint scanner and a thermal sensor 'so that the finger alone, detached from the body, will still not give access to the memory stick's contents.'

    Surely if somebody can chop off your finger he can also warm it up?

  • Re:Two hours? (Score:2, Insightful)

    by stupid_is (716292) on Tuesday March 30, 2010 @08:03AM (#31668708) Homepage

    But then you wouldn't be able to have a snazzy Press Release stating that professional hackers couldn't get into it.

  • Re:Two hours? (Score:2, Insightful)

    by HungryHobo (1314109) on Tuesday March 30, 2010 @08:11AM (#31668760)

    it's because they want to be able to sell data recovery services.

    That and it's a genuine concern in business- apparently when they ask "what if I forget my password" the answer "then you try to remember it or your data is gone" isn't acceptable.

  • by jamesh (87723) on Tuesday March 30, 2010 @08:13AM (#31668772)

    Or alternatively, find someone the owner of the USB stick cares about and threaten to cut off that person's finger if the owner doesn't cooperate.

  • by Shadow of Eternity (795165) on Tuesday March 30, 2010 @08:25AM (#31668862)

    Mod parent up.

    In fantasy land people think that the reaction to biometric security and encryption is somebody giving up or resorting to Hollywood methods of getting around it.

    In reality the reaction is to just start killing or maiming people until you cooperate.

  • Re:Two hours? (Score:3, Insightful)

    by jridley (9305) on Tuesday March 30, 2010 @08:31AM (#31668906)

    Yeah, but that could mean anything. Does it specifically say that your data is encrypted to AES 256, or just that AES 256 is "used to protect your data"? The latter could mean that the key is encrypted with AES 256, but then the key is just an XOR key for the data. Or that AES 256 is only used in the driver software it loads (if there is any, I don't know).

    There have been cases before of "secure" thumb drives that just had bits on the controller that had to be unlocked with keys to allow access to the data, and simply shorting/lifting those pins on the controller defeated the security.

    A 2 hour test is pointless. The real test would be to give the devices to some guys who had the ability to put logic analyzers and scopes on the pins, and reverse engineer the entire system over the course of weeks. THEN see if they could generate a relatively simple way to break into the data.

  • Re:Two hours? (Score:3, Insightful)

    by Jurily (900488) <jurily AT gmail DOT com> on Tuesday March 30, 2010 @08:37AM (#31668956)

    That and it's a genuine concern in business- apparently when they ask "what if I forget my password" the answer "then you try to remember it or your data is gone" isn't acceptable.

    Isn't that the whole point, that people without the password won't get the data? I know business can be retarded, but come on.

    I believe the proper procedure would be to ask the boss to open the vault and get the only written copy of said password out, followed by paperwork.

  • Re:Two hours? (Score:5, Insightful)

    by spacerog (692065) <spacerog AT spacerogue DOT net> on Tuesday March 30, 2010 @08:38AM (#31668966) Homepage Journal

    "At a contest held in London, Victorinox was offering a £100,000 cash prize ($149,000) to a team of professional hackers if they could break into the USB drive within two hours. They failed."

    Umm, they weren't Pros. The contest was open to anyone who preregistered and you got to keep the knife after the contest. Not only that, there were several restrictions on the contest. First you have to live in the UK, preregister and you only get two hours. Because ya know the bad guys always tell you who they are and always give up after two hours. Oh, and you have to be present to win, no Internet based attacks, you can only use Windows 64bit or whatever Linux flavor they are providing and of course you have to give up your exploit if you win. All that and more for a measly hundred thousand pounds? Yeah, no thanks, but hey it makes for great publicity and it is a cool knife.

    So called "Hacker Challenges" are not a valid security assessment.

    - Space Rogue

  • Re:Two hours? (Score:4, Insightful)

    by fuzzyfuzzyfungus (1223518) on Tuesday March 30, 2010 @08:44AM (#31669026) Journal
    Even if they aren't lying, the question is "did they use AES 256 correctly?"

    There are a number of ways, some of them non-obvious, to produce a system that does, in fact, use AES 256 in some capacity; but doesn't actually achieve reasonable security against anybody who wouldn't also be stopped by XOR and a scary looking autorun program (particularly since, as this is a small USB drive, the attacker can probably make some plausible assumptions about some of the plaintext, based on what is known about what FAT32 volumes look like).
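
The concern raised in the two comments above (an "XOR key for the data" and predictable FAT32 plaintext) can be checked on a raw boot-sector dump of a device you own. This is an added example, not part of the thread or any vendor's code; the 16-byte key, the sample sector, the function names and the SHA-256 counter keystream standing in for a real cipher are constructed assumptions.

```python
import hashlib
from itertools import cycle

SECTOR = 512
# Fields with fixed values in a FAT32 boot sector (offset -> plaintext bytes).
FAT32_KNOWN = {
    17: b"\x00\x00\x00\x00",   # root entry count, 16-bit total sectors: 0 on FAT32
    22: b"\x00\x00",           # 16-bit FAT size: 0 on FAT32
    52: b"\x00" * 12,          # reserved
    82: b"FAT32   ",           # file system type label
    510: b"\x55\xaa",          # boot sector signature
}

def sample_boot_sector():
    """Constructed sector: arbitrary filler plus the fixed FAT32 fields."""
    s = bytearray((i * 37 + 11) % 256 for i in range(SECTOR))
    for off, plain in FAT32_KNOWN.items():
        s[off:off + len(plain)] = plain
    return bytes(s)

def xor_repeat(data, key):
    """The weak scheme from the thread: data XORed with a short repeating key."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def keystream_stand_in(data, key):
    """Stand-in for a real cipher (SHA-256 in counter mode, not AES)."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(b ^ k for b, k in zip(data, b"".join(blocks)))

def implied_key(cipher_sector, key_len):
    """Key bytes the known fields imply for this length, or None on a contradiction."""
    key = {}
    for off, plain in FAT32_KNOWN.items():
        for i, p in enumerate(plain):
            k = cipher_sector[off + i] ^ p
            if key.setdefault((off + i) % key_len, k) != k:
                return None
    return key

def repeating_xor_period(cipher_sector, max_len=32):
    """Smallest key length that fits every known field, or None if none does."""
    for n in range(1, max_len + 1):
        if implied_key(cipher_sector, n) is not None:
            return n
    return None

if __name__ == "__main__":
    key = bytes(range(0xA0, 0xB0))            # constructed 16-byte key
    plain = sample_boot_sector()
    print(repeating_xor_period(xor_repeat(plain, key)))          # 16
    print(repeating_xor_period(keystream_stand_in(plain, key)))  # None
```

A non-None result means the fixed header fields alone are mutually consistent with a short repeating key, which a sound sector-encryption mode never allows; `implied_key` shows how many key bytes those fields expose.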
  • You're naive. (Score:4, Insightful)

    by Suzuran (163234) on Tuesday March 30, 2010 @08:49AM (#31669072)
    Last week in Texas, three men with assault rifles attempted to ambush and execute a family of four to steal the rims from their SUV. Human life is worthless to criminals.
  • I predict (Score:5, Insightful)

    by Anonymous Coward on Tuesday March 30, 2010 @08:50AM (#31669084)

    that within 1-2 months we will find out that:

    1) the finger print scanner is not actually linked to the encryption key, but is just to "power on" the device.

    2) the encryption key is processed in host (windoze) based software and that a usb control packet (the exact same packet for all devices) is simply sent to the onboard controller to tell it to "allow access".

    3) the encryption, while purporting to be aes256, is so poorly implemented that it in effect becomes a 16-bit key, thereby becoming brute-forceable on an old C-64 in only 2 days.

  • 2 hours? (Score:3, Insightful)

    by Lord Bitman (95493) on Tuesday March 30, 2010 @08:50AM (#31669086) Homepage

    Some mornings I can't get into my own e-mail account in under two hours, why so low? Why not.. three?

    Here's guessing a blogger will get into one by next month.

  • by John Hasler (414242) on Tuesday March 30, 2010 @09:00AM (#31669184) Homepage

    Some guy who finds your USB stick on the train isn't going to hunt you down and beat the password out of you. If he had motive and opportunity to do that he would already have done it.

  • by mcgrew (92797) * on Tuesday March 30, 2010 @09:11AM (#31669280) Homepage Journal

    But why bother with all that Rube Goldberg crap when you can put a gun to his head and a knife at his crotch? "Put your finger on the scanner or we cut your balls off" would pretty much do it for anybody.

  • by HungryHobo (1314109) on Tuesday March 30, 2010 @09:27AM (#31669470)

    Oh I didn't say it was useless.
    My point is that pen testing doesn't secure your system.
    It only provides feedback as to how secure your system really is within a reasonable margin of error.

    If you test a system and find a hundred holes and hand over a neat list and they diligently go away and fix all the holes you found then their system is only marginally more secure than it was before.
    The systematic failures that lead to the problems being there in the first place are still there making more problems.
    The same crappy code is still there with a few patches.

    On the other hand if you do a full pen test and find no security holes or only a few minor ones then that's a decent indication that there are very few there at all.

    Pen testing is a fine way to test and be able to say "this system probably has very few problems" or "this system is utterly riddled with faults" but pen testing is an awful way to actually secure your system.

    At best pen testing can show blinkered managers that they need to pay some attention to security and in that one case may help to actually improve security.

  • Re:You're naive. (Score:5, Insightful)

    by Ihmhi (1206036) <i_have_mental_health_issues@yahoo.com> on Tuesday March 30, 2010 @09:45AM (#31669668)

    With the insane amount of laws most industrialized nations have on the books, everyone is a criminal. They like it that way. They'll always have something to hold over your head to get you to cooperate.

    Take an afternoon, head to your local library, and just read up on your local laws - city, town, county, whatever the smallest area of government you can narrow it down to. Good luck figuring that stuff out, much less following every single one without breaking any.

  • Re:Thermal sensor? (Score:3, Insightful)

    by Asic Eng (193332) on Tuesday March 30, 2010 @09:57AM (#31669802)
    Yeah, but there'll be fingerprints of the owner all over the device.
  • by Anonymous Coward on Tuesday March 30, 2010 @01:10PM (#31673544)

    In Mythbusters they were trying to open some fingerprint based security lock which also had a heat sensor... They just copied the fingerprint to some type of plastic/gel/paper whatever and put it on their own finger. It worked flawlessly.
