Hardware Authentication

Unlike other drives that are reliant upon software authentication, LOK-IT does not require entering the password with a keyboard or mouse attached to the host computer.

On the LOK-IT drive, authentication is securely managed through entry of a user PIN via a PIN-pad residing on the device itself. There is no software at all, so there’s no need for an unlocked partition to contain that software. Therefore LOK-IT drives have a significant advantage in security; the host computer never sees – and absolutely cannot see – the user’s PIN.

Research

In recent years, several leading manufacturers of secure flash drives received negative press surrounding the discovery that the software-based authentication used for access to their secure flash drives was easily hacked. The manufacturers of drives with these security flaws had stated that these drives were FIPS 140-2 Level 2 certified. Obviously, such certification shouldn’t be taken to mean that data on a certified drive is safe from attackers. FIPS certification warrants the implementation, not its suitability for any particular security use case, and these flaws provide further evidence that there is more to security than implementing hardware encryption.

To test the difficulty of writing software to steal passwords from the authentication systems of various FIPS 140-2 Level 2 and Level 3 certified flash drives, drives from various manufacturers were provided to a software development company (Nerve Net) to gauge the security within their authentication processes. 

Their testing found that several different methods could be employed by a hacker or rogue employee to gain knowledge of a password.

To demonstrate these findings, an executable program was created that runs on a host computer and silently detects insertion of these drives, waits for the user to enter a password, and then, after authentication completes, pops up a message displaying the password that the user had typed. The program runs on host PCs with commercial antivirus software installed, and was not judged to be malware by the antivirus systems. In fact, the developer demonstrated several independent approaches to intercepting input meant for the drives’ authentication software, including input from a virtual keyboard.

The video below from Nerve Net briefly demonstrates the simplicity of password theft from software-authenticated USB flash drives.

Running a password-interception program does not necessarily even require administrative privileges, so there are a number of means by which a password-interceptor might end up on a victim’s computer. A rogue employee could physically copy such malware to an associate’s computer when the associate steps away from the desk. An employee can also inadvertently download and run such malware on a home or office computer. History has shown that malware is very hard to defend against, regardless of user education, policy, and enterprise measures. Once a flash drive’s password has been compromised, a rogue employee merely needs to steal the drive. This is made more likely by the fact that owners of such devices, assuming them to be secure against unwanted reads, consider an unattended drive to be harmless.

It has been stated by a secure flash drive manufacturer that it assumes the computer to be untrustworthy. If this is the case, then one should also assume that any password(s) used in conjunction with that computer can be compromised.  If one’s password(s) can be compromised, then a correlative assumption is that USB flash drives dependent upon software authentication via password entry are not secure.