Deus ex machina

It will likely come as no surprise to regular readers of ESET's Threat Blog that we are somewhat gadget aficionados here in the Research Department. Our focus, however, is usually on issues such as malware, spam and privacy so we do not spend a lot of time discussing gadgetry.  Every once in a while, though, an interesting device comes along which allows us to stretch the boundaries of our normal topics a little bit.

Swiss knife and multi-tool maker Victorinox recently announced the Victorinox Secure, a key-chain sized Swiss Army knife containing, amongst the usual blade and scissors accoutrements, an "unhackable" 32GB USB flash drive with biometrics and encryption to securely store files.  This is not Victorinox's first Swiss Army knife with a USB flash drive; they have several older models with integrated USB flash drives sans fingerprint readers and hardware encryption; and I can attest that the 1GB SwissBit model works fine as both a pocket knife and a conventional USB flash drive, however, it is the security features in the new model that are of interest.

This is, of course, not the first USB flash drive to couple a fingerprint reader and AES encryption with each other:  Kanguru has had such devices for a while, and companies like AcomData and LaCie even offer hard disk enclosures with fingerprint readers and AES encryption.

Victorinox's "unhackable" claim is supplemented by the following security features:

• 256-bit AES encryption (it is not clear of whether this functionality is handled solely by the flash drive’s on-board CPU or the CPU of the computer into which it is plugged).
• A fingerprint reader with oxygen and thermal sensors to verify whether the finger swiping it is still attached to the hand of its owner or a replica.
• A self destruct mechanism to burn out the CPU and flash RAM on the device if the number of unsuccessful password login attempts is exceeded.
• From reading this article in InfoWorld, it would appear the flash drive’s hardware is also implemented largely as a vertically stacked design, to make it more difficult to place logic probes on signal lines for monitoring the operation of the device.

Victorinox has held several hacking "contests" to retrieve information from the device, with rewards of £100,000 ($150,000) and $100,000.  So far, no one has succeeded in collecting the prize, however, I am not convinced of the claims of the Victorinox Secure's "unhackability" for two reasons:

1. The two "hacking contests" Victorinox ran had a time limit of one device and two hours per contestant.  A dedicated attacker might purchase dozens of drives and spend days, weeks or even longer reverse-engineering them.  Many years ago when I worked at McAfee Associates, a colleague from Bulgaria told me how they used to reverse-engineer the processors in DEC VAX minicomputers at his university by removing them, placing them in a frame and then shaving off a few micrometers each time, stopping to take microphotographs after each pass.  As the packaging was ablated they eventually they began slicing into—and photographing—the actual silicon.  Those microphotographs were then used to make duplicates of the CPUs through photolithography. That was twenty years ago, and reverse-engineering has become much more sophisticated in the past two decades:  Hardware engineer Bunnie Huang performed similar a similar autopsy when investigating a run of bad memory cards from Kingston.  There are even companies like iSuppli who specialize in teardowns of products, although that is for market intelligence such as determining the manufacturing cost of a device as opposed to state-sponsored technology theft. 
2. In December 2009, security consultancy SySS was able to attack the security on AES 256-bit encrypted USB flash drives from Kingston and SanDisk and expose a flaw that allows them to bypass the encryption (encrypted USB flash drives from Verbatim were also vulnerable to the same attack).

USB flash drives are now a ubiquitous technology, and the amount of data they can hold in such a small form factor is just staggering; you can fit millions of medical or tax records on such devices, not to mention corporate or military secrets.  I think it is a great idea to start promoting the use of encryption and biometric authentication on such devices, but I think Victorinox's approach declaring their device "unhackable" after what sounds like very limited testing in the real world disappoints me.

Given the right resources and knowledge, it seems that determined individuals can "hack the unhackable" and I think that announcing a device is unhackable after a couple of hours of probing is not right.  The question should not be how safe the Victorinox Security is now; the question is how safe will it be a year from now.

Regards,

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher