Think Your USB Drive Is Encrypted? Not So Fast

We always recommend that our clients use secure measures for their data, including encrypting data on USB Flash drives. That way, if they get lost or stolen, no harm done, right?

Not anymore. Certain Kingston, SanDisk and Verbatim drives using AES-256 encryption are no longer safe, and the reason is so stupid as to be unbelievable.

Here’s how it works. You enter your password, and a signal is sent to the encryption program, which then encrypts or decrypts the file(s).


The problem is, no matter what your password is, if it’s valid, the same signal is sent to the encryption/decryption process. All three manufacturers have USB drives with the same problem!

A hacker with the proper software just sends the signal, without using a password, and all of your confidential data is exposed. These drives are supposed to meet NIST security standards.
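A toy model of the design flaw described above, next to a design in which what reaches the drive depends on the password itself. This is an added example, not code from the original post or from any vendor; the class names, the `UNLOCK_SIGNAL` value and the XOR stand-in for a key wrap are all constructed for illustration.

```python
import hashlib, hmac, os

UNLOCK_SIGNAL = b"\x01" * 32  # constructed constant; the real value is not on the page

class FlawedDrive:
    """Host software checks the password; the drive only ever sees a fixed signal."""
    def __init__(self, password: str):
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self._data_key = os.urandom(32)  # stands in for the AES-256 data key

    def host_login(self, password: str) -> bytes:
        # Runs on the PC: every valid password produces the same bytes.
        digest = hashlib.sha256(password.encode()).digest()
        return UNLOCK_SIGNAL if hmac.compare_digest(digest, self._pw_hash) else b""

    def device_unlock(self, signal: bytes):
        # Runs on the drive: the key is released with no password-dependent input.
        return self._data_key if hmac.compare_digest(signal, UNLOCK_SIGNAL) else None

class KeyDerivingDrive:
    """The data key is stored only wrapped under a key derived from the password."""
    def __init__(self, password: str):
        self._salt = os.urandom(16)
        wrap_key, mac_key = self._split(self.host_login(password))
        data_key = os.urandom(32)
        # XOR with a one-time 32-byte key stands in for a real AES key wrap.
        self._wrapped = bytes(a ^ b for a, b in zip(data_key, wrap_key))
        self._tag = hmac.new(mac_key, self._wrapped, hashlib.sha256).digest()

    @staticmethod
    def _split(material: bytes):
        return material[:32], material[32:64]

    def host_login(self, password: str) -> bytes:
        # Runs on the PC: what is sent depends on the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt,
                                   100_000, dklen=64)

    def device_unlock(self, material: bytes):
        if len(material) != 64:
            return None
        wrap_key, mac_key = self._split(material)
        tag = hmac.new(mac_key, self._wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._tag):
            return None  # wrong password or a replayed constant: nothing to unwrap
        return bytes(a ^ b for a, b in zip(self._wrapped, wrap_key))
```

In the first class the password never influences what the drive receives, so the strength of AES-256 is irrelevant; in the second, a constant value fails the integrity check and the data key stays wrapped.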

If you have a USB drive from one of these manufacturers, check the links below to see if your drive is affected and how to fix the software.

The drives themselves (the hardware) are fine; you just need a fix to the security software.

Kingston has a list of affected USB drives and contact information to fix the problem.

Verbatim has a list of affected drives and a software fix with instructions here.

Supposedly, only the SanDisk Cruzer Enterprise USB Flash drives are affected, and you can download a patch here after filling out a form.