XOR story RELOADED

Security firm Syss reports what allegedly seems to me another case of XOR story, speaking of a false sense of security.

In an article from H-Security, the reports a serious weakness in some Secure-pendrive certified with the FIPS 140-2 Level 2 certificate:

During a successful authorisation procedure the program will, irrespective of the password, always send the same character string to the drive after performing various crypto operations – and this is the case for all USB Flash drives of this type.

The response from the affected vendors was mixed: some recalled the affected products, some issued a security bulletin.
I wonder how many final user will hear about that bulletin. What’s worst is that the weakness didn’t involve any cryptography at all, thus putting these super-secure drives on the reach of a trivial attach./

I wonder also how long this will go on: hurrying a product to the market with an allegedly known or poorly designed security scheme, boasting about super-secure-powers and super-secure algorithms (which will, eventually be rendered useless by the poor design), hoping that no one will notice, have a quiet response when someone discovers the flaw, and as a last measure, eventually threaten legally who discovered the flaw in the firm place.

That is, I repeated a lot of times, security thru obscurity DOES NOT work, does not help anyone except the vendor who can go away for a while with a poor designed product.

Advertisements