IronKey Unveils Self-Destructing USB Flash Drive

fysdt writes to share that IronKey has released a USB flash drive with self-destruct capability. Specializing in "secure flash drives," IronKey has launched the S200 aimed at government and enterprise customers, "featuring hardened physical security, the latest Cryptochip technology, active anti-malware and enhanced management capabilities. It's the 'first and only USB storage device to achieve FIPS 140-2, Level 3 validation' and delivers advanced Cryptochip featuring AES-256, tamper-resistance and self-destruction circuitry."

Encryption is just as good as self destruction

[basementman]

What's the point of having it self destruct? Encrypt any old flash drive with True Crypt and you have accomplished the same thing at a much lower price. Want to destroy the data? Hit yourself on the head with a crowbar, making you forget the password. Problem solved.

Re:Encryption is just as good as self destruction

[ocularDeathRay]

didn't you just read the slashdot front page news that they can hack your brain now? god... pay attention. This is an anti brain hacking device.

Re:

[Paracelcus]

Will my brain emit a puff of smoke if it self-destructs?

Re:

[CannonballHead]

Hit yourself on the head with a crowbar, making you forget the password. Problem solved.

Maybe the information-hiding-people don't want to potentially allow themselves to be subjected to information-gathering techniques (*ahem* torture) by knowing the password. It's easier to just have the data destroyed after a certain period of time. Once it's gone, you don't have to forget a password and you don't have any password to be persuaded to remember?

Re:Encryption is just as good as self destruction

[Cyberax]

Encryption can easily be beaten by thermorectal cryptoanalysis (http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis).

Re:

[Cyberax]

There are many different methods to 'brute force' a password :)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Encryption is just as good as self destruction

[Hurricane78]

So you think that will make the evil ones stop torturing the password out of you? They'll use that same crowbar to make you remember it! ^^

(Interlude: WTF. I have my adblocker disabled for the first time in months, and the first thing I see, is an Ironkey banner. Truly a slashvertisement.)

The point is, that the keyfile on your USB key is encrypted with your password. So if you destroy the keyfile, which would open your encrypted safe, your password gets useless. You could scream it to the whole world. It wouldn't matter. Nobody could open that thing now. Not even you.

And that is why you never let someone know that you want access to his system. ^^
Just use a keylogger, or a trojan horse, and be good. Become a cleaning person in that place. Or gain some trust otherwise.
If you need it: There are some internal CIA agent training manuals on the net, that can teach you this. Or if you can speak Russias, I recommend some Russian forums. ^^

Re:

[L4t3r4lu5]

WTF. I have my adblocker disabled for the first time in months, and the first thing I see, is an Ironkey banner. Truly a slashvertisement.

You're commenting on it. Didn't you realise?

Re:

[Hurricane78]

That is the very point of that sentence of mine. ^^
Didn't you realize?

Re:Encryption is just as good as self destruction

[mlts]

The advantage of having it drop access to the data after a certain amount of tries is the same reason people use cryptographic tokens -- brute forcing a passphrase becomes a non issue.

There is another feature of the IronKey that isn't mentioned -- encryption on a machine, say at a student computer lab, but without requiring administrative rights to access the data. A lot of schools disallow admin access, and this is required to mount virtual volumes (TrueCrypt, BestCrypt, PGP, etc.) Having software to allow access to the drive that never needs to leave user space is a good thing in these cases.

IronKey does have a market. Especially for students at larger universities where there are people who lurk in the 24 hour computer labs just looking for a USB flash drive to steal. With a stolen USB flash drive, they can either sell the done homework, or if someone has a paper for a popular class that isn't turned in, actually take the word processing document and call it theirs. The downside is that the distinctive metal case does lure thieves, but the user has to figure out a balance. To the user, is the data on the drive worth the price premium, especially if the data can be used by a thief or extortionist? This applies to faculty too. I'm sure there are those who would be more than happy to sell any test or quiz data that was gleaned from a USB flash drive swiped from a faculty lab.

Another use for these USB flash drives is delivering to a customer something extremely confidental (such as TrueCrypt keyfiles or one time pads) that will be used for future communication of large volumes of data. For example, the customer gets the passphase from a rep, while a secure courier drops off the IronKey. This way, the data never crosses the Internet.

Re:

[afabbro]

Especially for students at larger universities where there are people who lurk in the 24 hour computer labs just looking for a USB flash drive to steal. With a stolen USB flash drive, they can either sell the done homework, or if someone has a paper for a popular class that isn't turned in, actually take the word processing document and call it theirs.

Sorry, but I have to call nonsense on this. Sure, there are people who steal flash drives. They get the drive, and that's benefit enough - any electronic dividends are just icing.

But to posit that there are people who specifically look to steal USB drives so they can sell the done homework (do they take orders? is there a clearinghouse?) or by wild coincidence exploit the tiny window between a paper being due and a student writing it (which is no more than 24 hours most of the time!) coupled with the coi

Re:

[Maximum Prophet]

Back in the day, people would dumpster dive for printouts of other student's code. So yes, if someone happened across a flash drive with completed homework on it, they might try to use or sell the information.

Re:

[mgblst]

Oh yes, the huge multi-billion dollar industry of reselling average student work, and the resale of cheap and small USB drives. No doubt this is an organization run by terrorists.

Re:

[w0mprat]

You miss the obvious point. Keys can be stolen and copied, thus it's useful to destroy data, especially when it is no longer required buy still sensitive.

Keys have to be typed in by protein popsicles and they have to be stored in notoriously vulnerable meat-space neural processors which so far, nobody is interested in patching.

Re:

[SixGunMojo]

Not even close my friend. I've been using one for >18 months and I'll just hit the high points. First there are 2 chips in the Ironkey. The first is a hardware based encryption chip and the second is the actual flash drive. The data on the drive is always encrypted. Also the first won't even mount the second without the proper password (mine is 17 nums, chars, and letters long). You have 10 tries to guess that or the drive destroys all the data. In addition the epoxy they seal them with insures that any

Re:

[Maximum Prophet]

The identity manger also allows you to log into sensitive sites without worrying about keystroke loggers.

If there is a hardware keystroke manager on a machine that you plug the ironkey into, or even a USB data monitor, your IronKey password is their's.

If a machine is compromised, and you plug this into that machine, your data is compromised as soon as you unlock it.

Re:

[MillionthMonkey]

But not any old TrueCrypted flash drive has a brushed aluminum case. This is the kind of drive Jack Bauer would swing through the air to bludgeon a terrorist.

...for now

[Kabuthunk]

True Crypt will work -for now-. Can you tell me that it won't be broken 5 years from now? 20? 50? What guarantee do you have that the encryption used today won't be utterly worthless decades from now? Because after all, we've all seen that encryption methods in the past haven't been defeated by new technology and such.

So the thumb drive containing whatever extraordinarily sensitive information sits in someone's "to be unencrypted" pile for a dozen years or so. If I had ridiculously sensitive informati

Re:

[hesaigo999ca]

Maybe anyone not wanting that the data be legally maneuvered in terms of company usage, like a court order forcing you to reveal the password might be useless in this case, as for TrueCrypt, there is a known backdoor in that industry, and such is used for counter measures to pedophiles right now in court cases, which is a sort of bug if you will with the way the drive is encrypted and the hashed password is saved somewhere on that same drive, or so I have heard.

Rip-off

[Anonymous Coward]

why would i pay $199 for that when i could buy a cheap USB drive and a hammer to break it with for less than $10?

Re:Rip-off

[caerwyn]

If you can break it with a hammer remotely, you should really be selling that capability- pretty sure someone would want to buy it.

Until then, the self destruct does work remotely.

Re:Rip-off

[Chabo]

Here's my idea:

Sell a USB drive that's approximately 2 feet by 2 feet by 4 feet in size. The drive will consist of a radiation-shielded box. Inside, there's a flask filled with poison, and a hammer connected to a Geiger counter. There's also a cat with a heart monitor. If the flask breaks and the cat dies, then the drive will self-destruct.

Would you be willing to buy my product?

Re:

[RuBLed]

If you could assure its destruction in all dimensions, then Yes!...

Re:

[syousef]

You forgot the part about politely asking data thieves not to look at the cat.

Re:

[tmosley]

The answer is a definite maybe.

Re:Rip-off

[Starteck81]

I believe the self-destruct is triggered by unauthorized attempts to access. While your way is cheaper I suspect that rubber banding your usb drive to a hammer with a note that says "In case of theft please smash drive" is somewhat less effective due the lack of ethics most thieves posses.

Re:

[zippthorne]

No, the message should read, "no gold inside."

Where's the market?

[religious freak]

Funny, instead of paying extra, I'd just use a hammer, or a desk drawer, or if in a real pinch my two hands to break the thing apart. Unless you're James Bond, I don't see how most folks would need any more than this, and if they do need more, they already have it.

Re:

[hedwards]

But that's who this is geared towards. The people that are carrying around data that is incredibly sensitive. Why these people are carrying it around on a thumb drive is a much bigger question, really, if you don't want it cracked, you shouldn't be carrying it on a portable easily lost/stolen medium.

Re:Where's the market?

[LWATCDR]

How would you transport a few gigabytes to a new location?
FTP?
External HD.
DVD?
And very large number of floppies?
I take my source code home with me on a USB drive. I currently encrypt it but I could see this being even better.

Re:

[pjt33]

Maybe there's some straightforward* way to hack your USB drivers so that the only devices they support are self-destructing drives, but if not then I'd prefer any computer with data sensitive enough to need this drive not to have the ability to mount any USB drive. You just need to look at the British civil service to see what happens when it's possible to dump your database to an unencrypted physical medium and then leave it on the train / lose it in the post.

For security-conscious home users it's great. F

Re:

[mlts]

The closest solution for this on an enterprise basis would be Windows 7 and BitLocker To Go. Set a policy that USB flash drives are either not accessible, or read-only until they are encrypted with a passphrase. PGP Universal also has this functionality.

You're on to something!

[SCPaPaJoe]

I vote for the floppies. How about 5.25" 360k. 3 to 9 thousand of them!
How many people can read those nowadays?

Re:

[imamac]

I have a working Apple ][GS...

Re:

[Abreu]

How would you transport a few gigabytes to a new location?
FTP?
External HD.
DVD?
And very large number of floppies?
I take my source code home with me on a USB drive. I currently encrypt it but I could see this being even better.

I am partial to the classic solution: Microfilm in a hollow tooth

Re:

[zoloto]

you kids. we used to take slaves and tattoo information on their shaven heads, then let the hair grow out over 4-5 months and sent them on their way across the country on foot. when they arrived, they were shaved and when they were done - killed and the bodies burned to keep the information secret!

Re:

[mlts]

This falls under the "never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway" category. With a lot of WAN Internet connections, it is a lot faster to carry a flash drive with your 8GB of data on it, than to download it from remote, especially if someone is often using different machines (student computer lab, for example.)

Re:

[zoloto]

upload it to ftp and let the world mirror it for you

Re:

[0100010001010011]

SVN and do an update anytime you get to a new location. It's how I work on code across 6 computers. Why didn't someone teach me about this subversion stuff earlier?

Re:

[shentino]

But I use git you insensitive clod!

Re:

[LWATCDR]

I use the USB flash as backup. I like having it on my at all times to take home just in case. I work on the idea that you can never have too many backups.

Re:

[CannonballHead]

Maybe if they lost it and thus can't reach it with a hammer? :)

Re:

[LWATCDR]

Actually a hammer may not be good enough. There are some very strict rules for medical records and financial data that this could be useful for.

The Market

[NotQuiteReal]

Like most things, if you have to ask "who needs this?", the answer is not you.

Personally, there are a great number of wildly popular products for which I am not in the market.

Re:

[WuphonsReach]

Like most things, if you have to ask "who needs this?", the answer is not you.

The question is more "is this snakeoil" and "what attacks does it work against". In this particular case, the product does nothing to prevent key-logging attacks, and once the attacker has the password, your data is at their fingertips.

I would be much more interested to see an external product requiring the entry of a PIN before you could access the data. It would be a lot harder to hack the unit to intercept the PIN witho

Re:

[DragonWriter]

Unless you're James Bond, I don't see how most folks would need any more than this

There are all kinds of legal environments, outside of national security, where you need better certainty of destruction of data than "it looked broken to me" (e.g., HIPAA).

and if they do need more, they already have it.

Maybe, maybe not. Places that are subject to rules that would require additional security sometimes simply don't do particular things that might be useful from an operational convenience perspective since the to

Re:

[TarrVetus]

Funny, instead of paying extra, I'd just use a hammer, or a desk drawer, or if in a real pinch my two hands to break the thing apart. Unless you're James Bond, I don't see how most folks would need any more than this, and if they do need more, they already have it.

I think using brute force to get into the IronKey drive would be a very bad idea. ThinkGeek sells an older version [thinkgeek.com] of the product the article covers, and even it had some pretty effective measures against breaking it apart.

Passwords can be hacked, but not the IronKey. It's built to withstand attacks both virtual and physical. 10 incorrect password attempts, and the encryption chip self-destructs, making the contents of the flash drive totally unreadable. The contents of the drive are filled with epoxy, s

What a bad idea

[Reason58]

Flash drives are a big no-no in the federal government and military. If something is so sensitive that it needs this kind of encryption wrapped in dynamite, then it should not be walking around on a USB drive. Dumb dumb dumb.

Re:What a bad idea

[NecroPuppy]

Correct.

In many branches, they are currently banned, largely because of the viral vector issue.

Re:

[ChaoticCoyote]

Flash drives are a big no-no in the federal government and military. If something is so sensitive that it needs this kind of encryption wrapped in dynamite, then it should not be walking around on a USB drive. Dumb dumb dumb.

True... but not everyone who requires security is a government spook. For most of us non-spooks, this thing has merit.

Re:

[NecroPuppy]

We don't have a compromise where I work.

USB key drives are banned. There is even software loaded onto the machines, by default, that detects if you've inserted a key drive (and can tell the difference from a USB hard drive) and reports you to the IS guys.

If you do this, you get yelled at, your computer gets scanned and scrubbed, and it can even affect your clearance.

Re:

[merreborn]

USB key drives are banned. There is even software loaded onto the machines, by default, that detects if you've inserted a key drive (and can tell the difference from a USB hard drive) and reports you to the IS guys.

Why is this important?

Aren't a USB harddrive, USB key drive, and iPod all just as good for bringing in/taking home bad stuff?

Re:

[Proudrooster]

Yes you are correct.. for the virus vector, there is no difference. The best thing to do is turn off autorun on USB devices and run truecrypt to secure your data in the event of loss.

Why?

[brunes69]

Why wouldn't they just disable support for them in the OS? You can even do this in windows without much trouble/

Because they enjoy the power trip they get by yelling at you and "scrubbing" your machine?

Re:

[gmhowell]

No. We hate scrubbing a machine. The paperwork is a hassle, and it's usually done for no reason other than CYA. The problem is, several levels above us are people who just can't quite understand why they can't plug in the USB picture frame they got for Father's Day. Or their iPod/iPhone. And those of us in the dungeon get tired of explaining things. So we give up and waste time reading slashdot until it's time to cleanup someone else's mess.

Again.

Re:

[mgblst]

So where the fuck do you work, Apple?

So secret that you can't even hint at the industry...

What!?!

[Starteck81]

No retina scan authentication? LAME

Re:

[auric_dude]

No, I think you will find it relies upon a self anal reader.

Re:

[kamochan]

A much better option is a palm vein scanner. It needs a live hand for a 3-d image of warm veins.

Re:

[Abreu]

a torniqueted, recently severed hand wouldn't work?

Re:

[camperdave]

Bah! Just pump warm water through the thing. Same diff.

Smoke

[wjousts]

This better emit a puff of smoke when it self-destructs or I'm not buying it. It doesn't matter if the smoke is only for show.

Re:

[Hurricane78]

Bonus points when you can either
A) kill an attacker because it also is a nerve gas
B) use it as an antidote against a truth serum
C) kill yourself when in risk of being captured
D) all of the above.

.
.
.

Sadly, in reality, a good attack would mean, that you did not even notice that your system is compromised, and never would.

Ironkey also supports Linux!

[AMuse]

I'm using an Ironkey at work (have been for about 2 years now) and the thing has been rock solid. However, the main reason I selected it is that it's the only key that I've had the opportunity to trial which is both FIPS 140-2l2 compliant *AND* supports Linux.

I use it with WinXP and MacOSX daily and yes, they do ship with "alpha" Linux drivers. Not full support like Win* but enough to read and write the encrypted data, which is all I really use.

Although the company claims that you can now "initialize" a key on MacOS, all the versions I've used required an initial bootstrapping under Windows before being cross-platform usable.

Re:

[CuriHP]

I bought one a couple months ago and was able to initialize it just fine on a Mac.

Re:

[AMuse]

It practically doubles the cost of the drive if you're a standalone user with no job involving computers; for me, it was very easy to go over to my officemates' desk and initialize it on his Windows machine.

Also, I did a pretty good amount of work using the IronKey inside a VM. Using VMWare Fusion in MacOSX Leopard and a Windows XP VMWare image, I was able to mount the key inside the Windows image and do an initialization successfully. One thing I did notice was that when doing so, it would always unmount

Re:

[Eternauta3k]

Since I don't have any copies of that software, it pretty much doubles the cost of the drive

Go to a cybercafe?

Re:

[AMuse]

It's been a while since I spoke to their techies during my product evals, but as I understand it the drivers are loading and then encrypting the USB channel between the OS and the actual IronKey. They then accept your password and pass it to the key's cryptochip, which holds the keys that were generated during initialization, and decrypts/encrypts the data as it's leaving/entering the key (on the fly).

The drivers also, of course, have to power the key generation process since you can always nuke a key and

unvi

[kaoshin]

I understand thinkgeek and slashdot are sister companies, so this post is more of an ad, but is the only thing different here the revision or level of certification, or is there something else newsworthy on this from a tech standpoint? Ironkey has been on thinkgeek for like a year, and the self destruct and other features have all been in this product for a long time.

Re:

[adona1]

That was my first thought when I saw this story on my RSS feed. Maybe this is a small update to the product, but still, unless it also gives electric shocks or sexual favours, hardly worth a /. story.

Wow

[webheaded]

This is such old news that it's ridiculous. Furthermore, this is a ridiculously overpriced toy that breaks itself. No thanks...if I have data that someone wants to hack by opening up my thumb drive, then I shouldn't be carrying it on a thumb drive in the first place. Everything else this is just ridiculous and expensive overkill.

Mission Impossible

[Neanderthal Ninny]

The new version of the Mission Impossible self-destructing tape player.
However, how many spoofs has been made to this "self-destruction" capability so I wonder what if your USB key self-destructs accidentally in your pants pocket will it fry your gonads.

Thermite

[Dr_Barnowl]

I keep wanting to build a flash drive with a thermite filler and some kind of rip-strip fuse that you could just yank on hard to set it off.

No offence to IronKey, but how do you know that it's really, really, destroyed your data beyond recovery? Maybe it just locks out the disk controller. A small heap of smouldering slag is much more definitive.

Now, if you could combine the thermite with their remote wipe protocols......

Re:

[L4t3r4lu5]

Not possible.

The thermite reaction has an activation energy of 145 kJ/mol for 8Al-3Fe2O3 thermite. USB2 device charging spec (highest power output) provides a maximum 9 J/s

You might get it working with a series of exothermic reactions but it would become bulky, and with that low an energy input to work with you're more likely setting it off leaving it in a car on a hot day.

Re:

[freedom_india]

Maybe it just locks out the disk controller.

This is a FLASH drive. There are NO movable parts in a Flash Drive.
All IronKey needs to do is to draw a sudden more power from USB port to fry the circuits. Of course a surge would cause a system reboot or probably crash a non-CoolerMaster PC.

A hacker challenge

[RobertLTux]

what iron key should do is go to DEFCON with a bunch of these drives and then run a contest

If you can crack the drive you get some obscenely large amount of money
how to run the contest fairly

have the contents of the drive detail how to get to an offshore account with the prize money

So Ironkey how much you want to bet this key is "secure"

Strictly speaking, it doesn't self-destruct

[e9th]

From IronKey's blurb:

- Secure key management -encryption keys are born on the device in the Cryptochip and bound to the device
- Hard-wired encryption key self-destruct defenses and electromagnetic shielding of the Cryptochip

which I interpret as saying that only the key is wiped, while the actual data remains on the drive. If you've somehow managed to snarf the key before it was wiped, or if you're really cool and can break AES-256, you're good to go.

self destruct

[confused one]

if it doesn't burn like a magnesium flare and leave nothing behind but ash, then I'm not happy : )

So

[Jamamala]

This thing can nuke itself from orbit?

Impressive.

Old news

[PPH]

Wondows has had self destruct technology for years.

Re:

[freedom_india]

True. But the technology is still in BETA.
That's why my Windows XP self-destructed on the day i was leaving for my vacation and [Win7] self-destructed once again just so to make my Kaspersky licenses quota fulfilled and i had to spend days waiting for kaspersky to reactivate them.

I thought it was Zune

[freedom_india]

...isn't it Zune?

Re:Nerdgasm

[afidel]

You're impressed that they coated the circuit board with black epoxy? The only impressive thing about that is they use so little power that heat transfer isn't an issue.

Re:

[idontgno]

Whadday mean, "heat transfer isn't an issue"? Of course it's an issue. How do you think they achieve "self-destruct"?

Re:Nerdgasm

[Jah-Wren Ryel]

You're impressed that they coated the circuit board with black epoxy? The only impressive thing about that is they use so little power that heat transfer isn't an issue.

Indeed. Get back to us when they have a Level 4 product - that's what all the big boys use.

Re:Nerdgasm

[TooMuchToDo]

Is that where my USB key is embedded in a stick of dynamite for quick data wiping?

They call this the "suicide stick" ?

[freaker_TuC]

These might get popular for suicide bombers in any starbucks now...

Re:

[bill_mcgonigle]

"The only USB key to be banned by the TSA" -- product advertisement

Come now, the Swiss Army Flash Knife [thinkgeek.com] is most certainly considered a WMD by the goon squad.

Re:

[ciderVisor]

I suspect that particular gizmo would be illegal to carry in the UK.

Re:

[MarkvW]

Man! That reminds me of the scene from "This is Spinal Tap" where the musician is discussing why his amplifier is better because you can turn it up to level 11!

Re:

[mrsteveman1]

Only Chuck Norris can do that, you can only try.

Re:

[afabbro]

The lamest sig. ever? Really? Is this your first day on Slashdot?

by afabbro (33948)

Apparently not.

Re:

[Malevolyn]

Er, why is this news? This exact item [thinkgeek.com] has been on sale at ThinkGeek for a couple years, now. Self-destruct capabilities and everything.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[shentino]

It's still encrypted.

Re:

[Anonymous Coward]

Call IT support and tell them that you were not doing anything in particular when the computer did it by itself.

Then tell everyone else that IT support failed to fix the problem costing the company thousands of dollars of spreadsheets.

Re:

[Joe U]

I've been administering and deploying "self-destructing" USB drives for several years!

After about a year, the drive stops working and all the data is gone. It's always the one the boss was using and it's always some important file that he didn't have a copy of somewhere else, so it is very consistant in that one regard.

Re:

[L4t3r4lu5]

You'd think that after one year that your boss would learn.

Oh, wait... He's a boss.

Re:

[PPH]

No! NO!! The blue wire!!!!