It will likely come as no surprise to regular readers of ESET's Threat Blog that we are something of gadget aficionados here in the Research Department. Our focus, however, is usually on issues such as malware, spam and privacy, so we do not spend a lot of time discussing gadgetry. Every once in a while, though, an interesting device comes along which allows us to stretch the boundaries of our normal topics a little bit.
Swiss knife and multi-tool maker Victorinox recently announced the Victorinox Secure, a key-chain sized Swiss Army knife containing, amongst the usual blade and scissors accoutrements, an "unhackable" 32GB USB flash drive with biometrics and encryption to securely store files. This is not Victorinox's first Swiss Army knife with a USB flash drive: they have several older models with integrated USB flash drives sans fingerprint readers and hardware encryption, and I can attest that the 1GB SwissBit model works fine as both a pocket knife and a conventional USB flash drive. However, it is the security features in the new model that are of interest.
This is, of course, not the first USB flash drive to couple a fingerprint reader and AES encryption with each other: Kanguru has had such devices for a while, and companies like AcomData and LaCie even offer hard disk enclosures with fingerprint readers and AES encryption.
Victorinox's "unhackable" claim is supplemented by the following security features:
Victorinox has held several hacking "contests" to retrieve information from the device, with rewards of £100,000 ($150,000) and $100,000. So far, no one has succeeded in collecting the prize. However, I am not convinced of the claims of the Victorinox Secure's "unhackability" for two reasons:
USB flash drives are now a ubiquitous technology, and the amount of data they can hold in such a small form factor is just staggering; you can fit millions of medical or tax records on such devices, not to mention corporate or military secrets. I think it is a great idea to start promoting the use of encryption and biometric authentication on such devices, but Victorinox's approach of declaring their device "unhackable" after what sounds like very limited testing in the real world disappoints me.
Given the right resources and knowledge, it seems that determined individuals can "hack the unhackable", and I think that announcing a device is unhackable after a couple of hours of probing is not right. The question should not be how safe the Victorinox Secure is now; the question is how safe it will be a year from now.
Aryeh Goretsky, MVP, ZCSE