Schneier on Security
A blog covering security and security technology.
October 1, 2004
The Doghouse: Lexar JumpDrives
If you read Lexar's documentation, their JumpDrive Secure product is secure. "If lost or stolen, you can rest assured that what you've saved there remains there with 256-bit AES encryption." Sounds good, but security professionals are an untrusting sort. @Stake decided to check. They found that "the password can be observed in memory or read directly from the device, without evidence of tampering." Even worse: the password "is stored in an XOR encrypted form and can be read directly from the device without any authentication."
The moral of the story: don't trust magic security words like "256-bit AES." The devil is in the details, and it's easy to screw up security.
Although screwing it up this badly is impressive.
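To make the quoted finding concrete, here is an added example (not code from this post, from @Stake's advisory, or from Lexar) contrasting a password stored under a fixed XOR mask with a design that stores only a salted verifier and derives the AES-256 key from the password at unlock time. The XOR key, record layout and function names are constructed for illustration and are not the JumpDrive's actual values.

```python
import hashlib
import hmac
import os

# Constructed mask: NOT the JumpDrive's real key or on-device layout.
FIXED_XOR_KEY = b"\x5a\xa5\x3c\xc3"

def xor_mask(data: bytes, key: bytes = FIXED_XOR_KEY) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def weak_store(password: str) -> bytes:
    """Weak design: the password itself is stored, XOR-masked with a fixed key."""
    return xor_mask(password.encode())

def weak_recover(stored: bytes) -> str:
    """XOR is its own inverse, so whoever reads the record reads the password."""
    return xor_mask(stored).decode()

def _derive(password: str, salt: bytes, iterations: int):
    # Slow, salted KDF, then two independent labels: one value to store,
    # one value to use as the AES-256 key (which is never written anywhere).
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    verifier = hmac.new(master, b"verify", hashlib.sha256).digest()
    enc_key = hmac.new(master, b"encrypt", hashlib.sha256).digest()
    return verifier, enc_key

def hardened_enroll(password: str, iterations: int = 600_000) -> dict:
    """Hardened design: the stored record holds no reversible form of the password."""
    salt = os.urandom(16)
    verifier, _ = _derive(password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": verifier}

def hardened_unlock(record: dict, attempt: str):
    """Return the 32-byte data key for a correct password, otherwise None."""
    verifier, enc_key = _derive(attempt, record["salt"], record["iterations"])
    if not hmac.compare_digest(verifier, record["verifier"]):
        return None
    return enc_key

if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    print("weak record gives back:", weak_recover(weak_store(pw)))
    rec = hardened_enroll(pw)
    print("wrong password unlocks:", hardened_unlock(rec, "guess") is not None)
    print("right password unlocks:", hardened_unlock(rec, pw) is not None)
```

In the weak design the strength of AES is irrelevant, because the secret that gates it sits on the device in recoverable form; in the hardened design the data key exists only after the correct password is supplied.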