ICT Security
Fingerprint devices: I lost my finger, now what!?

December 13th, 2006

A full disclosure article on Transcend's JetFlash 210.

This year many reports were made on stolen laptops and lost USB memory sticks, usually containing sensitive information. Countless laptops, PDAs and mobile phones are forgotten in public transportation, and slowly we begin to realize we need some serious precautions to limit the impact of lost devices. To prevent data loss, several government services have introduced USB memory sticks with fingerprint recognition as a simple yet affordable means of protecting data. This article is not about whether fingerprinting is secure enough for identification or authorization (enough is being written about that); this article is about one such device that is commercially available and the way its fingerprinting is implemented.

Transcend JetFlash

A couple of weeks ago, I received a Transcend JetFlash 210 USB memory stick with a fingerprint feature. Technology addict as I am, I checked it out that same evening. Although I'm getting used to devices refusing to work properly on Linux, I was still rather disappointed to find out I only had access to the 10MB public partition and that no Linux drivers were available.
Every once in a while I would now use this device on my Windows-based laptop only, obediently entering fingerprints every time I wanted to access its 950MB private space. Until last week, when I accidentally discovered that all fingerprint information was kept on my laptop; after a quick search on the memory stick I wasn't able to find any fingerprint data on it. I was instantly puzzled. Would it be possible to unlock this device on another computer by initially setting it up with new fingerprints? Or even toeprints? Over the weekend I decided to dig into the exact workings of the device.

For the sake of this article I'll leave out the technicalities, although sniffing and analyzing USB traffic isn't exactly rocket science.

The Device Under Test is a Transcend JetFlash 210 with a 10MB public partition, visible right after inserting it in a free USB slot, and a 940MB private partition only visible after fingerprinting the device.
The test environment is a Gentoo Linux box on which all software used is publicly available on the Internet. Note that the required software is also available for Windows, but I did not investigate the Windows versions.

In essence, the JetFlash 210 can be opened by a simple replay attack, as shown in this demo.

The demo shows a 10MB partition appearing right after insertion of the device. Then, after executing three commands (see http://members.aol.com/plscsi/), all of a sudden a 940MB unencrypted partition appears.

From this demonstration it can be concluded that this particular device is a fully implemented variation of so-called Security By Obscurity. All of the security is implemented at device-driver level, on the host, and is therefore just for show. Nothing more.
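To make that conclusion concrete, here is an added toy model (my own, not code from this article or from Transcend): a device that exposes its private partition after a fixed command sequence, which is what the article describes, accepts a replayed capture, while a device that keeps its own secret and issues a fresh challenge per unlock does not. The command bytes are constructed placeholders; the article publishes no opcodes.

```python
import hmac, hashlib, os
# Constructed placeholder opcodes: the article says three commands unlock the
# stick but publishes none, so these bytes are invented for the model.
UNLOCK_SEQUENCE = (b"\xc6\x01", b"\xc6\x02", b"\xc6\x03")

class StaticUnlockDevice:
    """Host-side design as described: the fingerprint check lives in the
    driver; the device merely waits for a fixed command sequence."""
    def __init__(self):
        self.private_visible = False
        self._seen = []
    def command(self, cdb):
        self._seen.append(cdb)
        if tuple(self._seen[-3:]) == UNLOCK_SEQUENCE:
            self.private_visible = True  # private partition now exposed

class ChallengeResponseDevice:
    """Contrast design: the secret stays on the device and every unlock
    uses a fresh nonce, so a recorded exchange does not work twice."""
    def __init__(self, key):
        self._key, self._nonce = key, None
        self.private_visible = False
    def challenge(self):
        self._nonce = os.urandom(16)
        return self._nonce
    def unlock(self, response):
        if self._nonce is None:
            return False
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        self._nonce = None  # one-shot: consumed whether or not the answer is right
        self.private_visible = hmac.compare_digest(expected, response)
        return self.private_visible

def genuine_unlock(dev, key):
    """Host holding the key answers the challenge; the response is what a sniffer sees."""
    nonce = dev.challenge()
    response = hmac.new(key, nonce, hashlib.sha256).digest()
    return dev.unlock(response), response

def replay_static(captured_cdbs):
    """Replaying a sniffed command sequence against a fresh static device."""
    dev = StaticUnlockDevice()
    for cdb in captured_cdbs:
        dev.command(cdb)
    return dev.private_visible

def replay_challenge_response(dev, captured_response):
    """Replaying a sniffed response: the device has since drawn a new nonce."""
    dev.challenge()
    return dev.unlock(captured_response)
```

The static model opens on any replay of the three commands; the challenge-response model only opens for a host that can answer a nonce it has never seen before.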

This device is a gadget. A gadget, nothing more. Use it as such. Use it as a showcase for how easy it is to circumvent some devices' security features. My advice is to grab the CD that came with the device and use the tool on it to repartition the stick into a public partition of 940MB or so and 10MB of private space.

Surely there are better devices on the market. If you want to buy such a device, you'll need to do some serious research on which one to buy, because little knowledge is publicly available at the moment.

Posted in disclosure
