Thursday, 14 January 2010

Some secure memory sticks may not be all that secure...

Sometimes, I like to use my USB memory stick to hold data because it's incredibly convenient and it has a large enough data storage capacity for most things. Naturally, security becomes a concern when I'm storing sensitive data on the stick. I don't want the bad guy to take the stick I may lose and examine the sensitive data. Typically, secure memory sticks use data security controls like encryption to protect the data. The encryption algorithm requires a password to decrypt the contents. A user who is authorized to view the data will know this password and be able to successfully decrypt the data and examine the stick's contents.

Some manufacturers of secure USB memory sticks have forgotten to encrypt the contents using the user-supplied password. Instead, they use a hardcoded password to decrypt the contents. They use the user-supplied password as an authorization check. Upon successful authorization, the stick uses its hardcoded password to decrypt the contents.

If you know the hardcoded password and you can bypass the authorization check, you can decrypt the contents without knowing the user's password.

The folks at the security firm SySS have done just that... check it out here.
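The difference between the two designs can be modeled in a few lines. The following is an added example, not code from the original post, from SySS, or from any vendor: the class names, the fixed key value and the toy SHA-256 counter-mode cipher are all assumptions standing in for a real device and its real cipher. It contrasts a stick whose password is only an authorization check with one whose data key is derived from the password, and includes a design-review check that tells them apart.

```python
import hashlib, hmac, os

# Constructed stand-in for a secret baked into every device (hypothetical value).
FIXED_DEVICE_KEY = hashlib.sha256(b"constructed-firmware-constant").digest()

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def keystream_xor(key, nonce, data):
    """Toy SHA-256 counter-mode cipher standing in for the stick's real cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class FlawedStick:
    """Password is only an authorization check; data is encrypted under a fixed key."""
    def __init__(self, password, plaintext):
        self.salt, self.nonce = os.urandom(16), os.urandom(16)
        self.verifier = kdf(password, self.salt)
        self.ciphertext = keystream_xor(FIXED_DEVICE_KEY, self.nonce, plaintext)

    def data_key(self, password):
        ok = hmac.compare_digest(kdf(password, self.salt), self.verifier)
        return FIXED_DEVICE_KEY if ok else None

class HardenedStick:
    """Data key is derived from the password; without it no key exists to decrypt."""
    def __init__(self, password, plaintext):
        self.salt, self.nonce = os.urandom(16), os.urandom(16)
        key = kdf(password, self.salt)
        self.verifier = hmac.new(key, b"verify", hashlib.sha256).digest()
        self.ciphertext = keystream_xor(key, self.nonce, plaintext)

    def data_key(self, password):
        key = kdf(password, self.salt)
        tag = hmac.new(key, b"verify", hashlib.sha256).digest()
        return key if hmac.compare_digest(tag, self.verifier) else None

def unlock(stick, password):
    key = stick.data_key(password)
    return None if key is None else keystream_xor(key, stick.nonce, stick.ciphertext)

def key_depends_on_password(stick_cls):
    """Design-review check: do different passwords yield different data keys?"""
    a, b = stick_cls("alpha-pass", b"x"), stick_cls("bravo-pass", b"x")
    return a.data_key("alpha-pass") != b.data_key("bravo-pass")
```

In the flawed model the key that protects the data is identical on every stick regardless of the password chosen, so the confidentiality of the data rests entirely on the authorization check and the secrecy of the fixed key.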

Posted by jcarter at 4:03 PM in News