USB Vulnerability

Discussion in 'malware problems & news' started by Jazzmon, Feb 10, 2009.

Thread Status:
Not open for further replies.
  1. Jazzmon

    Jazzmon Registered Member

    Joined:
    Feb 9, 2009
    Posts:
    2
    Some folks over at bobnalice.com claim to have uncovered a trojan vulnerability in the Stealth MXP secure flash drive made by MXI Security. It seems like it might allow the drive to be used as an entry point to an otherwise secure network if an attacker actively planted malware in a lost or stolen drive, or compromised the supply chain.

    I'm curious if anyone here knows where MXI does their manufacturing, if they have any overseas facilities (specifically in China). I can't find anything about this on their website.

    Also, I'd love to hear from anyone that uses this brand of secure flash drive and how seriously a threat of this kind should be taken.

    Thanks.
     
  2. AES256

    AES256 Registered Member

    Joined:
    Feb 11, 2009
    Posts:
    1
    Manufactured in California.

    (3 days later) Sorry it took me a while to get back here...

    I took a look at the bob n Alice website, they seem to pick up on a few valid points such as the ECB vs CBC encryption differences (vendors have shown me the Linux penguin comparison before) but then they seem to swim way out into the murky lake of HUGE blanket generalisations for other issues, biometrics for example, they suggest that all biometric authentication solutions are weak:

    "While we’re looking at the Stealth MXP, it is interesting to note that it uses another security technology that has been hacked on numerous occasions - biometric fingerprint scanners. Probably the best known case was when the folks at the popular TV show MythBusters hacked a fingerprint scanner, though there have been many others. While biometric scanners are often positioned as an additional layer of security, they are clearly an additional layer of false security, and as such are best avoided."

    ...Any actual proof to add to that Alice?

    Based on that kind of generalisation I'm taking the sensationalized trojan vulnerability story with a pinch of salt; it would take a lot of bribery or blackmail at the manufacturing, shipping, reseller end to achieve something like that...
     
    Last edited: Feb 13, 2009
  3. s3curityguru

    s3curityguru Registered Member

    Joined:
    Feb 11, 2009
    Posts:
    5
    Hi Jazzmon,

    I found this on their site - http://www.mxisecurity.com/mxi/categories/display/2. Looks like they are manufactured in the USA at their location in Santa Ana, CA.

    I read over their security policies on the NIST website (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm) and it seems as though they have gone through a pretty rigorous process to get tested, in fact, it seems as though they are one of the few vendors that have a FIPS 140-2 validation for the drive as a whole and not just the encryption algorithm.
     
  4. Jazzmon

    Jazzmon Registered Member

    Joined:
    Feb 9, 2009
    Posts:
    2
    Thanks s3curityguru. My requirements dictate that I look only at FIPS 140-2 Level 2 validated portable storage devices with scalable centralized management. There are a handful of vendors that meet these criteria and so I am now looking at them for the solution that is going to cause me and my organization the least headaches.

    In particular I need a solution that is secure against active attackers, not just passive threats. The solution has to safeguard my network and the overall digital environment, not just the data on the stick. Anything that could be loaded with autorun malware fails to meet these criteria. As such I am conducting searches for "<vendor/product> crack", "<vendor/product> hack", "<vendor/product> vulnerability", etc. on the major engines and gathering this data.

    If you or anyone reading this knows of any sites that maintain this sort of information, I would appreciate a link. Or, if anyone would like to know the results of my research, feel free to PM me and I'll share it once it has all been pulled together.

    Thanks.
     
  5. s3curityguru

    s3curityguru Registered Member

    Joined:
    Feb 11, 2009
    Posts:
    5
    I believe the Mythbusters' test was for the 'push' biometric sensor instead of the 'swipe'
     
  6. s3curityguru

    s3curityguru Registered Member

    Joined:
    Feb 11, 2009
    Posts:
    5

    I would be interested in these results, please PM me them as soon as you have them compiled.

    Wouldn't an antivirus on your host machine solve your anxieties towards malware? I have heard horror stories of digital photo frames manufactured in China which came preloaded with malware.. should they have some type of active virus scan as well?

    To me, when an enterprise is looking at a secure usb storage solution, they need something that they know is SECURE, often manageable and will keep their data and keys safe. In no way will a usb drive accomplish a full security solution and other measures must always be taken into place in addition to secure portable storage.
     
  7. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
  8. s3curityguru

    s3curityguru Registered Member

    Joined:
    Feb 11, 2009
    Posts:
    5
    PM isn't working. I would like to see your results. Have you finished your evaluation?
     
  9. s3curityguru

    s3curityguru Registered Member

    Joined:
    Feb 11, 2009
    Posts:
    5
    UPDATE:

    Jazzmon has still not replied to any of the forum messages or updated me with an overview of the market.. it seems as though he is just out to speak poorly about MXI.
     
  10. MXISecurity

    MXISecurity Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    1
    I am an MXI Security employee.

    I'll offer the following facts regarding the bobnalice website and related comments in this thread:

    - It is simply not possible to alter the contents of the application partition without knowing the device's management code.

    - The management code can be extremely complex, even exceeding 256 bits in length, making it effectively impossible to brute-force.

    - Customers can order devices with preset management codes for in-transit protection, if desired. Most consider this overkill, however.

    - In any case, the unique application customization offered by our products means that most customers replace the on-device software prior to deployment. During this process, anything that was there is eradicated.

    I'll also offer these facts regarding MXI Security manufacturing:

    - All products are manufactured in our factory in Santa Ana, California, USA.

    - Our supply chain is secure, actively monitored, and processes here are reviewed regularly.

    - All products undergo an automated malware scanning procedure at the factory. This procedure has been reviewed by a third party with world-class malware expertise.

    - All products leave the factory in tamper-evident packaging.

    I'll stop there -- I can address other items in this thread if someone wishes to re-raise them, but I don't want this to be a sales pitch.
     