Schneier on Security

A blog covering security and security technology.

« The Doghouse: Vadium Technology | Main | Hacking Faxes »

November 5, 2004

Letter: Lexar JumpDrives

Recently I talked about a security vulnerability in Lexar's JumpDrives. I received this e-mail from the company:

From: Diane Carlini
Subject: Lexar's JumpDrive
@stake's findings revealed a slight security exposure in scenarios where an experienced hacker could potentially monitor and gain access to the secure area. This was only the case in version 1.0 which included SafeGuard. Lexar's JumpDrive Secure 2.0 device now includes software based on 256-bit AES Encryption Technology. With this new product, JumpDrive Secure 2.0 offers the highest level of data protection that is commonly available today.

Registered JumpDrive Secure customers will be contacted to inform them of this Security Advisory found in version 1.

I have no technical information, either from Lexar or @Stake, that verifies or refutes this claim.

Posted on November 5, 2004 at 9:53 AM • 54 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

Diane's attempted downplay in the letter by explaining "...findings revealed a slight security exposure in scenarios where an experienced hacker could potentially monitor and gain access to the secure area." is enough to know that there "potentially" may be more "slight" exposures in the future that will be handled with the same ignorance as they did in their initial non-response.

Fool me once, shame on you... Fool me twice shame on me...

Israel Torres

Posted by: Israel Torres at November 5, 2004 10:22 AM

Maybe one should not trust the software that comes with the device at all. I am of the inclination to use a device's software for OS driver interaction only, and then to put my trust in something more proven, like PGP/GPG.

For those of you interested in the ease of use with a USB drive like Lexar's, perhaps you should review open source TrueCrypt [http://truecrypt.sourceforge.net/], which not only uses common implementations of AES256 and Blowfish, but also adds the simplicity of mounting a drive with drag and drop. Add on the fact that there's plausible deniability (great lengths are taken to ensure that your lost drive looks like it had random, corrupted data on it), and you're probably in a much better situation than trusting the closed source OEM code.

-malcomvetter

Posted by: malcomvetter at November 5, 2004 10:34 AM

"now includes software based on 256-bit AES Encryption Technology"? Isn't the first version already based on AES-256 (just horribly, horribly implemented)?

Our organisation's HQ has this drive as their only "approved USB drive" because It Has Built-In Security(tm). And yes, I've told them :-)

Posted by: davee at November 5, 2004 10:50 AM

Lexar's comments are typical backpedaling
done by a company to deflect the fact that they messed up.

I have one of these JumpDrives and the first thing I did was delete the software that came with it and created a PGP Drive on it. I lose some convenience by reqiring PGP to mount the encrypted drive, but I don't worry about having a drive with sensitive data in the clear. I can always encypt something as a self-decrypting archive if I need easier access to it.

Posted by: Michael A. Plumlee at November 5, 2004 4:32 PM

Same as Mr. Plumlee: I used PGP Disk to create a secure area on the Lexar. No big deal.

Posted by: Bruce Arnold at November 6, 2004 7:47 AM

it was sexy,good orgasims

Posted by: john warlock at November 15, 2004 1:20 PM

How can I get into the Lexar Jumpdrive Secure. My friend forgot his password and needs to get in (hack, crack, anything) and erase the password. All the websites I find, say it it easy to find the password on the JumpDrive. Am I missing it completely.

Posted by: Andrew at November 27, 2004 5:55 PM

....just format it.

Posted by: kyser at November 22, 2005 10:53 PM

same prob. here, i let my nephew borrow my jumpdrive, he changed password of the secure partition til such time he forgot. almost 75% of it was totally useless. even formatting it wont help..u can only format the unsecured one..pls help!

Posted by: guy from philippines at November 26, 2005 9:31 AM

i need help!! i purchased my jumpdrive a while ago, set a password, didnt use my jumpdrive for a while, and when i needed it i couldnt get in because i had forgotten my password, please help!

Posted by: Tay at December 29, 2005 10:35 PM

same problem here--but I'm more of an idiot--I mistyped the same password twice! Ugh. any help would be great!

Posted by: Benrito at January 1, 2006 9:30 PM

y isnt anyone answering these questions, sam happened with me tht i forgot the password for the srcure are on my jumpdrive and cannot get in now. is suks, any solutions???????

Posted by: uneeb at January 1, 2006 10:27 PM

I forgot my password and the clue has left me clue-less, to add to the problem I read the above emails and have no idea how to format it. New with techno stuff. please help

Posted by: Donna at January 10, 2006 5:47 PM

to anyone and everyone that has a problem with a lexar jumpdrive secure and forgotten passwords, i had the same problem, lexar sent a utility (did not work), offered to rma (takes a cpl weeks) here is the solution using a usb to xbox adapter insert jumpdrive into xbox, let it format it then put it back into the computer, reformat it fat 32 and all is back to normal.

Posted by: kevin at January 11, 2006 7:00 PM

USB to Xbox adapter? So it would plug into the controller port?

Posted by: Dave at January 12, 2006 1:16 AM

yes it is an adapter for the controller port, i can provide unlocking service to anyone who needs it my email is kwright_420@hotmail.com

Posted by: kevin at January 12, 2006 10:04 AM

Solution:
Ok, I did it too... Lost the password to my lexar jumpdrive. Man it's frustrating but what can you do... Pick up the lockpick and get going...

So here is how I did it on my xp-pro system:

1. Get with the chat support at lexarmedia.com

2. Get them to send you the unlock program.

3. Run it. (it takes of the write protection on the partitions)

4. Back up the jdsecure program to your desktop computer from the public partition.

5. I'm serious, back it up!

6. Open up the diskmanager. (from my computer, manage, diskmanager)

7. Delete the public and the private partition.

8. Create a new partition that you call PUBLIC

9. Run the jdsecure program that you backed up.

10. Now you can reconfigure your drive as if it was new.

Back in business, chers!

-trash

Posted by: Trash at January 12, 2006 7:05 PM

I just purchased a JumpDrive Secure II
When I encrypt a file I get a Generic Icon, with No ability to Double Click and then open that file. It should show an Icon with a lock on it & then when you double click it should ask you for the password. I have tried this on 4 separate computers all running Windows XP or XP Professional, all with the same result. I thought that perhaps there was a problem with the JumpDrive itself, then I bought a 2nd one to test and see if I had the same issue, I did.
Anyone having this same issue. Tech Support has been unable to give me an answer as to why or how to correct this. Any help would be appreciated.

Posted by: Martin at February 11, 2006 11:55 AM

I have no clue about this website, all I did was search on how to reset my jumpdrive password. I followed the instructions that "Trash" left us. It worked. I chatted with Live Support, gave them my email, they sent me my program (Resets Hardware/Erases All Data-Use Caution). After that I was back in action. Thanks Random Website! Google Too!

Posted by: Edwin at February 12, 2006 1:17 AM

HOw about sharing that software "unlock program"?

Posted by: Anonymous at February 27, 2006 1:04 PM

How about sharing that software, "unlock program"?

Posted by: Grebo at February 27, 2006 1:05 PM

Hi Mr/Ms.

I’m a network analysis technician in Telecommunication Company. Doing by myself, the password of my lexar secure drive has been changed when I tried to configure my secure partition. I have several important informations on it. Pleased your help is granted to recover my password.

Thanks to you

Edrice Thomas
Telecommunication Tech
edricet@excite.com

Posted by: Edrice at March 11, 2006 1:05 PM

tengo una memoria lexar de 256mb y esta bloqueada y deseo saber si existe un software para el desbloqueo de la memoria.
es secure digital 256 y perdi el jumper de bloqueo y desbloqueo

Posted by: harold mauricio at March 14, 2006 12:16 PM

This started happening out of the blue. When I try to log into my Lexar secure drive the following message pops up after entering my password:
"Could not mount the secure drive.
Please restart application."
It recognizes my password but won't open the application. Any ideas?

Posted by: franklau53 at April 24, 2006 11:56 AM

BUMP ... me too

Posted by: averon99 at May 16, 2006 4:04 PM

On this issue:
>>> This started happening out of the blue. When I try to log into my Lexar secure drive the following message pops up after entering my password:
"Could not mount the secure drive.
Please restart application."
It recognizes my password but won't open the application. Any ideas?

Spoke with a Lexar Tech Support and suggest to reformat the Jump Drive, repartition and install back the secure software

Posted by: Sarah at August 17, 2006 10:01 AM

I had it happen on my new Xp MCE computer. I tried it on my old laptop and it worked just fine. As a result I changed it to all public and it still worked fine.

Posted by: Gary at October 2, 2006 4:37 AM

I spoke to Lexar about this message:

"Could not mount the secure drive.
Please restart application."

I explained that my NEW computer was a XP MCE (media center edition). The memory stick (JD Secure 1 Gb) works still in ALL my other computers.

I was advised that this error message was caused by an incompatibility with XP MCE and that there was no plan to issue a fix at present. It will work as a PUBLIC memory Stick with XP MCE, but not as a Secure Memory Stick.

Nice work LEXAR!!!!!

Posted by: Gary at October 2, 2006 4:56 AM

Thanks,I Contacted Lexar support and they help me to format drive

Thanks

Posted by: Hitesh at October 2, 2006 2:15 PM

Qoute:

I explained that my NEW computer was a XP MCE (media center edition). The memory stick (JD Secure 1 Gb) works still in ALL my other computers.

My question still remains,how can this be fixed?Does anybody know of a patch or program that will fix issue.....Much Thanks

Wild

Posted by: Wild at November 5, 2006 8:33 AM

Same problem..."Cannot...Please restart..."
Works fine on other computers.
Lexars tech fix ?
"Go to one of the computers it works on, back up the info..reformat the drive."
ok this is just stupid, but JUST to say I followed their directions I did, at LEAST I was able to retrieve my data.
Any guesses on what happened after that ?
"Cannot...Please restart..."
Now we all know there has to a be a registry key that needs to be nuked somewhere, I've nuked the "normal" USB keys to no avail.
So maybe Lexars phone guys should give one of the Dev guys a call ?

Posted by: Charlie at December 28, 2006 4:51 PM

Same problem. I did the original format on xp pro. It still works on that system. When I plug it into xp home it won't mount. Think I'll try another vendor stick.

Posted by: Unhappy at January 20, 2007 1:25 PM

Ran into the problem of forgetting the password on the Lexar Jumpdrive Secure
and found a workaround :

you can reformat the " secure " partition using truecrypt , so you can reuse that
space as an encrypted volume on the USB instead of having it wasted .

Posted by: ace at February 1, 2007 3:40 AM

I have XP Pro at work AND at home. My Lexar JumpDrive started giving me this problem ("Could not mount the secure drive. Please restart application.") at home but still works fine at work. I don't see how re-formatting it would do any good, it is obviously something wrong with this PC, a corrupt file somewhere or a registry key that needs to be deleted like Charlie said.

Posted by: LouInAL at April 28, 2007 2:09 PM

i can create vaults on my securell but can't open them. password enters ok but dialogue box continues to say vault not mounted. i'm using a mac 10.4.7. lexar support sent me a software update that didn't fix the prob. anyone got a solution please? the stick's other functions work normally (but i bought it for the security, of course).

Posted by: geofor at May 17, 2007 2:25 AM

My drive was stolen recently and now i cant use the lexar software. I need to extract files from a backup of a vault. i used live chat but they said to buy a new one! is there any way to get my files?

Posted by: Veitch at May 20, 2007 3:02 AM

I have same problem as geofor, and I am also using the Lexar jumpdrive on Tiger (new Intel iMac). I can create a vault but no way to open it. It asks for the password, but then NOTHING. Very frustrating. They have to be aware of this problem! If so, it's a fraudulent product. Security is essential for most people who by these bloody things.

Posted by: george at July 20, 2007 10:27 AM

You can get the secure II software in the PowerToGo package on the Lexar download site.

Posted by: beojan at August 31, 2007 1:37 PM

I really need to keep my files on my jumpdrive. I have forgotten the password and cant afford to do the above formats etc, as this will erase the data. I want to retain the data! - is there any way I can get by the password or is there a patch or something?

Someone please help I dont want to lose the files.

Posted by: kev at September 8, 2007 6:02 PM

Lexar Secure II software have back door. Good luck finding the answer from Lexar support. The only support they have is base in India. The whole tech support team in USA was CANNED 2 month ago. There is a lots of Lexar new issue with no solution, except for replacing the product. Only supports that you have are the over in India or crucial….…Good luck.

Lexar OG

Posted by: Lexar OG at September 27, 2007 12:37 AM

I've had the same trouble with Lexar Secure II not letting me decrypt a file because it had the error "invalid password". I did not use the wrong password but no matter what I do, it won't decrypt. The support techs are worthless. Any information they give you can be read on the help page of the software. Now that I know that Lexar canned the USA tech support, I won't be purchasing ANYTHING from them in the future!!

Posted by: peeweepunch at December 2, 2007 5:02 PM

hey,
i put a password on sum pics i had on a memory card and now i cant remember what it is!! its really anoying!!!
can anyone help me???? thnx, Z x

Posted by: Zizi at December 26, 2007 3:42 PM

same problem as above!!!!

made a secure vault with some pics, but have now misplaced my password!! im running windows vista, does anyone have any help they can provide?

Posted by: Anonymous at January 10, 2008 12:17 PM

I have my password but can't find or open the secure drive...?? I divided in half, but secure side doesn't show and or when prompted, I get following message: "[-20028] Could not mount the secure device. Please restart application." Can you HELP me...??

Posted by: Anonymous at April 12, 2008 9:57 AM

I've forgotten my password for my Lexar II drive. The clue it is giving me is nothing I use. Can I remove the password.

Posted by: Bob at June 5, 2008 1:01 PM

I see a number of comments about losing the password. Mine is different, twice now the Vault itself disappeared from the daxhboard of my lexar II secure drive. No help from lexar, and the lost one still takes up space. Any idea how I can restore the vault.

Posted by: Andrew at August 8, 2008 9:41 AM

hi i have the jump drive put need the safegfuard for my files please just need to download it i lost mycd please thank u

Posted by: Anonymous at September 8, 2008 10:21 AM

hi i have the jump drive put need the safegfuard for my files please just need to download it i lost mycd please thank u

Posted by: James at September 8, 2008 10:23 AM

Is there anyone out there who can hack into the lexar jump drive secure- without deleting the info. I have important pictures that i dont want to delete. but dont know the password.. willing to pay for help!!!

Posted by: kate at December 2, 2008 8:28 PM

At least I feel less of an idiot after reading many of the above posts. I took forgot my password. I too have the drive split and I have important documents on the password protected portion. I took contacted tech support and "chatted" online with someone from India. I too was given information as to how to reformat but would lose all of my data. Come on, there must be a way to override it somehow. The data is there!
Help, help, help!

Posted by: Melody at March 1, 2009 2:06 PM

Safeguard simply doesn't work if you have MCE (I just installed the MCE feature and now I can't access my secure area.) I plugged my Jumpdrive into another computer NOT configured for MCE and I entered a bad password when prompted. BUT THIS TIME MY HINT WAS DISPLAYED!! This allowed me to remember my password and I entered it and access the secure drive!!

Posted by: puzzler at April 5, 2009 1:16 PM

i have a jumpdrive Secure II and mac osx 10.6.2. i can create a vault, mount it and put files on it but when i re-mount the vault all the files are corrupted. can anyone help me??

Posted by: optik at February 27, 2010 1:33 PM

Oh Man this company, support sucks.
Mr Harry Lexar Support Tech doesn't know what he is talking.
Advised to contact a data recovery company for lost password. What a joke.

Sales Lady has no clue
Sales Supervisor has no clue

Only advise to format and look for software on Lexar site which has none.

Oh man they don't know what they have or not.

God Bless Lexar
God Bless Lexar product buyers

Posted by: Lexar Secure II at March 2, 2010 4:15 PM

ftp://myftp.crucial.com/lexar/files/JDSUnlock.zip

Posted by: Lexar Support at November 29, 2010 10:52 PM

Subscribe to comments on this entry