Mostly, attackers at this level are interested in gathering large amounts of information Professional: Available to attackers with resources, albeit limited ones.Serendipitous: Open to an opportunistic attacker with minimal resources - basically, at this level you find a person who may have found or stolen a drive and is eager to get their hands on the information it (possibly) contains.Therefore, danger level can be expressed in three categories: Some of the issues can be of use even for an unskilled attacker, and some of them require a lot of resources available mostly for state-sponsored hackers. In addition, the exploitation of certain vulnerabilities requires specific skills and resources.
#Usb security flaw full#
Full break: Vulnerabilities that can get an attacker access to information on any drive of the same model.Single-drive break: Vulnerabilities that allow an attacker to hack just one particular drive.Weaknesses: Issues that make further hacking process easier.For a start, researchers divide security issues into three categories: That’s why researchers are proposing developing new audit methodology specifically for evaluating the security of encrypted USB drives. And as you can see below, some encrypted USB drives pass certification but are still vulnerable to attacks - sometimes even the easy ones. But it’s not enough not every possible attack vector is covered by FIPS 140. The certification involves a cryptographic security disclosure and validation process.Īs the researchers put it, keeping certification current is important because disclosed information helps them figure out possible issues. Researchers say that at present, secure USB drive manufacturers are following the FIPS 140 certification standard, which was developed by NIST (the National Institute of Standards and Technology) for all kinds of cryptography modules, both hardware and software. How can you be sure the “secure” USB drive you’re using is really secure and the data you store on it can’t be extracted? That’s exactly the question Google’s security researchers Ellie Bursztein, Jean-Michel Picod, and Rémi Audebert addressed in their talk, “ Attacking encrypted USB keys the hard(ware) way,” at the recent Black Hat USA 2017.
0 kommentar(er)
