The Doghouse: Lexar JumpDrives

If you read Lexar's documentation, their JumpDrive Secure product is secure. "If lost or stolen, you can rest assured that what you've saved there remains there with 256-bit AES encryption." Sounds good, but security professionals are an untrusting sort. @Stake decided to check. They found that "the password can be observed in memory or read directly from the device, without evidence of tampering." Even worse: the password "is stored in an XOR encrypted form and can be read directly from the device without any authentication."

The moral of the story: don't trust magic security words like "256-bit AES." The devil is in the details, and it's easy to screw up security.

Although screwing it up this badly is impressive.

Lexar's product

@Stake's analysis

Posted on October 1, 2004 at 9:45 PM
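As an added illustration (not part of the original post, and not Lexar's or @Stake's code), the sketch below contrasts a stored XOR-masked password with a design that stores only a salt and a verifier and derives the AES key from the password. The XOR constant, record layout and function names are constructed for the example; the page does not give the device's actual format.

```python
import hashlib, hmac, os
from itertools import cycle

XOR_MASK = b"\x5a\xa5\x3c\xc3"  # constructed constant, not the real device's value

def _xor(data: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(data, cycle(XOR_MASK)))

# Weak design: the password itself is stored, masked with a fixed XOR constant.
def weak_enroll(password: str) -> bytes:
    return _xor(password.encode())

def weak_recover(stored: bytes) -> str:
    # XOR is its own inverse, so whoever can read the stored bytes has the password.
    return _xor(stored).decode()

def _derive(password: str, salt: bytes, iterations: int):
    # Slow, salted KDF; two independent values are split off the master secret.
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    enc_key = hmac.new(master, b"encrypt", "sha256").digest()  # 256-bit key, never stored
    verifier = hmac.new(master, b"verify", "sha256").digest()  # stored; reveals neither key nor password
    return enc_key, verifier

# Hardened design: the stored record holds salt, iteration count and verifier only.
def strong_enroll(password: str, iterations: int = 600_000):
    salt = os.urandom(16)
    enc_key, verifier = _derive(password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": verifier}, enc_key

def strong_unlock(record: dict, attempt: str):
    enc_key, verifier = _derive(attempt, record["salt"], record["iterations"])
    if hmac.compare_digest(verifier, record["verifier"]):  # constant-time compare
        return enc_key
    return None  # wrong password: no key material is released

if __name__ == "__main__":
    # Constructed sample password.
    print(weak_recover(weak_enroll("correct horse")))
    record, key = strong_enroll("correct horse", iterations=10_000)
    print(strong_unlock(record, "correct horse") == key, strong_unlock(record, "guess"))
```

In both designs the data can be encrypted with 256-bit AES; what differs is whether the stored record hands over the secret that unlocks it.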

Comments

JT • March 3, 2006 4:34 PM

I forgot the password to my Lexar Jumpdrive. I've read the comments about being able to hack into my Jumpdrive, but I don't see an explanation on how to do it. I would appreciate any help in this matter.

Elvis is a numbskull • April 7, 2006 8:50 AM

Sure - AES is more secure than DES. That doesn't help though, if the password for decrypting the AES-encrypted stuff is easily available.

Duh.

Jacked • August 17, 2006 3:54 PM

@Stake's comment was about an older product called "SafeGuard" that used to come with JumpDrive Secure drives. But Lexar replaced it with a new security software called "JumpDrive Secure" with AES 256 bit encryption and it is really secure. For some reason (?), the writer quotes documentation from a new product and analysis of an old product.

RJB • April 8, 2007 7:34 PM

Security is only a dream. Lexar and many other drives on the market can have all of the information including the parent programs simply deleted before you enter the secure areas. OK no one can see your info but if you lose your drive or have a less than scrupulous co-worker secret it away from you, all you have stored on it can be dumped in a few seconds without any passwords and on any computer available.

Nitro • February 16, 2008 11:51 AM

I forgot my password that goes to my Jumpdrive and I read the part in the help file about not being able to recover it (data or password). I am not interested in finding the password I just want to be able to reset the password and erase the data that is currently on there. Can anyone help me? Or is this an old blog-thingy.

Comments on this entry have been closed.
