USB Combination Lock

Here's a promotional security product designed by someone who knows nothing about security. The USB drive is "protected" by a combination lock. There are only two dials, so there are only 100 possible combinations. And when the drive is "locked" and the connector is retracted, the contacts are still accessible.

Maybe it should be given away by companies that sell security theater.

Posted on March 15, 2010 at 1:59 PM • 58 Comments

Comments

jgreco • March 15, 2010 2:14 PM

Only 100 combinations? I don't even know why you'd bother trying to make contact with it when it wasn't extended, that would take you less than a minute to get 'unlocked'.

Team America • March 15, 2010 2:21 PM

There is no problem:

People who are stupid enough to buy this sort of thing won't have anything important enough to store anyway.

HJohn • March 15, 2010 2:28 PM

The only value this sort of thing provides is an annoying first step that serves to deter casual snoops (co-workers, for example). It will do little against a real threat.

And the logo is a dumb idea... broadcasting what company's data is on the poorly secured device.

If it is used in conjunction with good software encryption, then it may cause someone to waste a few minutes trying to get the data. Keyword is minutes... someone would have to be highly unfortunate to have to try all 100 combinations before getting to the data.

Since it is slightly better than an unprotected device, I would have to say that the biggest risk would be the false sense of security. Someone may think they are safe without encryption because of the combination.

mcb • March 15, 2010 2:30 PM

@ Team American

"People who are stupid enough to buy this sort of thing won't have anything important enough to store anyway."

...and they'll never get around to changing the combination from the factory default 00.

GreenSquirrel • March 15, 2010 2:33 PM

I just love this part of the advert:

"A great gift for technology companies, these logoed flash drives show potential customers how seriously your company takes its security. "

Indeed, it does show potential customers how seriously your company takes security...........................

Ed • March 15, 2010 2:34 PM

"A great gift for technology companies, these logoed flash drives show potential customers how seriously your company takes its security."

And for quantity 400, these 1GB units are $11 each. There are many manufacturers that will sell you quantity 2GB units in single quantity for well under $10.

Michael Bacon • March 15, 2010 2:35 PM

An effective form of endpoint security I have used previously (in an offshore operation processing personal data) was ... epoxy cement.

HJohn • March 15, 2010 2:35 PM

If something like this had 3 or 4 digits, I'd consider it useful, particularly if cracking the code led you to another layer (encryption). 2 is just a waste.

Deron Meranda • March 15, 2010 2:39 PM

With this type of combo lock, the security also depends on how the user scrambles the code between uses. Rarely will people reset it to "00". Instead they'll quickly thumb the digits, probably moving both wheels simultaneously and by the same amount (encouraged by the small physical layout). Thus the number of guesses needed is probably closer to just 10 rather than 100.

Andrew • March 15, 2010 2:40 PM

If it locked you out for an hour after an incorrect code, it wouldn't be completely horrible. Somehow I don't think it does that.

Karen • March 15, 2010 2:44 PM

My old employer got everyone in the company these, with our names engraved on them. Among its many flaws, every time I fly with it in my purse I get searched because it looks like a lighter to the TSA x-ray machine!

Thomas • March 15, 2010 3:20 PM

@ Team American
"People who are stupid enough to buy this sort of thing won't have anything important enough to store anyway."

Being (marketed as) 'secure' this sort of thing might just be used by some govt dept. or online store to carry your personal info around.

'they' have plenty of important information, namely yours!

Javier Kohen • March 15, 2010 3:57 PM

People, you're doing it wrong, don't take it so seriously. This product is just supposed to make you stand out and look cool.

People aren't this naive, and everybody understands two-digit locks as a joke. If this company wanted to make it seem secure they would have added one or two more digits, at least, but as it is now, no doubt no sensible person will take this seriously.

You are experts in this field, so be sensible, sit back and have a good laugh.

RH • March 15, 2010 4:04 PM

Wow, I didn't mind the 5 digit pin cypher thingy... but 2 wheels... that's hilarious.

Two wheel combination locks... that's what my 'safe' used when I was 7 years old guarding 47 cents and a couple of random baseball cards. I didn't even keep my journal in there!

Ran • March 15, 2010 4:15 PM

What, has everyone forgotten about risk management?

Like every other solution, this one has its flaws. And like every other solution, this one will find its appropriate uses.

Clive Robinson • March 15, 2010 4:52 PM

@ Ran,

"What, has everyone forgotten about risk management?"

More importantly why has nobody asked about "key management" ;)

uk visa • March 15, 2010 4:59 PM

Oh dear - now we know why Gordon Brown is convinced he can turn around the government's woeful record on data losses.

Brianetta • March 15, 2010 5:28 PM

Surely it should be used as a promotional give-away to show how much the vendor cares about lock-in? I'd simply love to have one with a Microsoft logo.

John Hardin • March 15, 2010 5:40 PM

@javier:

Yes, people _are_ that naive, especially when technology is involved. Putting the combination lock on a USB stick will somehow coat it with magic digital pixie dust that will make people think it's more secure than, say, a two-dial combination lock on their six-year-old daughter's diary.

Scott • March 15, 2010 9:51 PM

"People who are stupid enough to buy this sort of thing won't have anything important enough to store anyway."

Sounds like a bulk order from the fed is on its way...

Marco • March 15, 2010 10:33 PM

I will buy some of these devices, with the TSA logo engraved. Perfect match! :-)

Woo • March 16, 2010 3:27 AM

If this stick was significantly larger (say 8 or 16 GB) I'd buy some, just for the geek value.
I don't think anyone out there really assumes a two-dial lock to be secure.

lars • March 16, 2010 3:52 AM

It's simple to bash a thing that has been bashed (rightfully) by the mighty owner of this blog. But then again the interesting part is whether the combination lock could be used to secure USB-Sticks at all?

Two flaws are pointed out by Bruce, no comment goes beyond that, and only one comment is at least constructive enough to discuss general, proper handling of combination locks.

Flaw 1: not enough combinations. We could get around this by just adding a few wheels more. Is there a minimum number of wheels that can be deemed sufficient? (Probably depends on the protection mechanism.)

Flaw 2: insufficient protection mechanism (retracted connectors). Well, that's the interesting point. Assuming that we do want a combination lock for protection, what protection mechanism would be sufficient?

Retraction of connectors (if done properly) is some physical protection which can be circumvented by sheer force, which might be mitigated by using some very heavy casing.

Another idea for using combination locks for protection would be to directly use the tumblers' positions as input to the stick's logic circuits. That way either a simple check for the correct position might be implemented (unless the positions are correct all operations fail). This measure though has the disadvantage, that the USB-stick could be disassembled and the input simulated by a logic device (which allows for bruteforcing much faster, thus creating a need for more possible combinations).

Well, I am not going to build it, but I do like to think more in a constructive way. (And I do use combination locks on my bicycle and rather like it, that I don't have to carry a key and my friends can borrow the bike easily.)

PK • March 16, 2010 4:43 AM

What's the story here? I got one of those drives as a gift and liked it immensely because it was sturdy and its metal body felt heavier than the plastic chippies we usually get from sales stands. Plus, the contacts were retractable which made a good stress toy for flipping the contacts in and out like a ballpoint pen. The gift was simply cool, nice and shiny. I gave it to my mom and she prefers it like a promotional lipstick.

No one really expects 100 combinations to be secure. Not even my grandmom. So please don't make a story out of it.

A bad choice for article Bruce, sorry!

BF Skinner • March 16, 2010 6:33 AM

@Javier "People aren't this naive"
Yeah they are. Javier get out into the open air and talk to people.

@Marco "TSA Logo"
Ooooo Put the new TSA logo contest winner logo on it and leave them around airports. See how many end up in TSA machines.

I'm gonna get one of these for the girl. Maybe put a My Little Pony or Strawberry Shortcake on it... She's always losing the key for her diary.

Mark • March 16, 2010 8:46 AM

@HJohn
If something like this had 3 or 4 digits, I'd consider it useful, particularly if cracking the code led you to another layer (encryption). 2 is just a waste.

Only if the combination electrically disconnected the USB device and the device was not able to be disassembled/forced.
A blinking LED might be more of an actual deterrent :)

Lars • March 16, 2010 8:53 AM

Ok, people. Everyone is so sure that a two digit combo is silly (btw, I think so also): I just wrote a two digit number on a sticky and put it by my keyboard. How many tries to guess it?

mcb • March 16, 2010 9:35 AM

@ RH

"Two wheel combination locks... that's what my 'safe' used when I was 7 years old guarding 47 cents and a couple of random baseball cards. I didn't even keep my journal in there!"

We know.

GreenSquirrel • March 16, 2010 9:47 AM

@ PK (and others)

This is far from a silly story and certainly no worse than most of the others.

Also, it's far from reasonable to say "No one thinks this is secure." This is sold as a "security" product and it can only be assumed people think it is "more" secure than other options. It is actually slightly more secure than nothing, but this is where the problem lies.

There is potential for this device as part of a defence in depth approach, but how many users will bother with that?

I suspect most will fall into the trap of assuming that the fact it is a bit more secure than nothing counts. Then they will relax a little bit more in other areas.

If you don't have anything important to put on the disk why go through the trouble of entering a 2 digit pin and scrambling it again after use, every time you use it?

If you have something important to put on the disk, why not encrypt it....

Also - lars I reckon no more than 99 guesses.

In the context of this device, even if you could only do 1 combination a second you would crack it in under two minutes - more likely under a minute.

Lars • March 16, 2010 10:06 AM

@ GreenSquirrel: I know that it's 99 guesses...but I want to see how many guesses it actually takes.

...I'm staring at that paper...thinking of the number very hard...

Joe • March 16, 2010 10:24 AM

Interestingly, because of the location of the wheels, the unlock code is clearly visible the whole time when the device is active (you can tell from the photograph by the orientation of the USB connector shield). This is not the most common way that wheel-type combination locks are employed. The mechanical design here subverts the mathematical security of the lock.

TS • March 16, 2010 11:24 AM

20 minutes for a three wheel lock. Three hours for a four wheel lock. Five tight wheels would take a couple of months.

That's assuming everything is high quality. If it's cheap, and the wheels turn when pressure is applied, then it's *much* faster. If you can sense when one wheel is open, then it's just a matter of minutes.
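
Added example (not part of any comment in this thread): a Python sketch that puts numbers on two points raised above, lars's question of how many wheels would be sufficient and Deron Meranda's observation that thumbing all wheels together shrinks the search space. The guess rates, the scramble model and the sample display are assumptions made for illustration.

```python
import math
from itertools import product

MANUAL_RATE = 1           # guesses per second by hand (assumed)
ELECTRONIC_RATE = 10**6   # guesses per second with dial inputs simulated (assumed)
YEAR = 365 * 24 * 3600    # seconds

def keyspace_bits(wheels):
    """Entropy of a uniformly chosen combination on `wheels` decimal dials."""
    return wheels * math.log2(10)

def wheels_needed(guesses_per_second, min_seconds):
    """Smallest dial count whose full keyspace takes at least min_seconds to try."""
    wheels = 1
    while 10 ** wheels < guesses_per_second * min_seconds:
        wheels += 1
    return wheels

def candidates_after_scramble(display, max_skew=0):
    """Combinations consistent with a display left by turning all dials together.

    Model (an assumption): the owner rotates every dial by about the same
    amount k (0-9); each dial may be off from k by up to max_skew clicks.
    """
    skews = range(-max_skew, max_skew + 1)
    seen = {}  # dict keeps insertion order and removes duplicates
    for k in range(10):
        for skew in product(skews, repeat=len(display)):
            combo = tuple((d - k - s) % 10 for d, s in zip(display, skew))
            seen.setdefault(combo, None)
    return list(seen)

if __name__ == "__main__":
    for n in (2, 3, 4):
        print(f"{n} dials: {10 ** n} combinations, {keyspace_bits(n):.1f} bits")
    print("dials to last 1 hour by hand:", wheels_needed(MANUAL_RATE, 3600))
    print("dials to last 1 year electronically:",
          wheels_needed(ELECTRONIC_RATE, YEAR))
    shown = (3, 7, 1, 9)  # constructed display on a hypothetical 4-dial lock
    print("4 dials, perfectly correlated scramble:",
          len(candidates_after_scramble(shown)))
    print("4 dials, each dial off by up to 1 click:",
          len(candidates_after_scramble(shown, 1)))
```

Under this model a four-dial lock scrambled with one sweep of the thumb leaves 10 candidates rather than 10,000, so extra wheels only help if the scramble is independent per wheel.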

annie nomous • March 16, 2010 11:33 AM

@Lars, others who think this offers any physical security

Inexpensive bike locks have 4 wheels like this. I can open one in about 30 seconds.

Eli • March 16, 2010 11:51 AM

@lars: If the positions of the (larger number of) wheels could be read by the device instead of retracting the connector, then that could be used as an encryption key. Further, the "correct" position wouldn't have as many physical clues, and there would be fewer moving parts. If the drive worked regardless of the wheel position, but just ran all operations through the crypto layer with the current wheel position as the key, I think that would also open up a lot of interesting possibilities. (It would also make mistakes more likely to cause data loss.)

annie nomous • March 16, 2010 12:07 PM

@TS: I once bought a locked 4 digit padlock in a thrift store. It was the type that locks the wheels when you pull on it. It took about 30 minutes to open. Nice lock too. Solid brass and turned out the combination was changeable once I had it open.

D0R • March 16, 2010 12:08 PM

@javier: I'd agree with you if the wheels were just a prop -- useless and intended as a "security" joke.
The fact that they have a function and the producer advertises the USB stick as supposed to somewhat provide security makes it a candidate for the Doghouse.

Scared • March 16, 2010 1:07 PM

If it's made in China, the lock will wear out after you've tried about 6 combinations....

AmbroseBierce • March 16, 2010 4:00 PM

@Scared: and if it's made in the USA it'll break after you've tried about 4 combinations.

HJohn • March 16, 2010 4:07 PM

@Scared and AmbroseBierce: and if it's made in Nigeria, no combination will work after financial or sensitive data is saved on it, unless you return it or log into their site and let them unlock it for you.

ed • March 16, 2010 9:16 PM

@ BF Skinner "Put the new TSA logo contest winner logo on it and leave them around airports. See how many end up in TSA machines."

With an autorun or autoplay configuration on it. Yup, that could be fun.

jgreco • March 17, 2010 8:39 AM

@Lars:

At this exact moment in time, you are not thinking of a number. You are thinking of the words: "At this exact moment in time, you are not thinking of a number. You are thinking of the words: ".......""

There, I have you stuck in infinite recursion now!

jgreco • March 18, 2010 10:31 AM

@fit-flops @Cheap Holidays To Florida

I sure _hope_ you guys are just spambots...

Derek • March 18, 2010 11:26 AM

Security theater, indeed, just like credit cards. On that note, perhaps my Minum Data Redaction product (http://writestreams.com/?p=239) could *cover* this device's flaws. There's a duct tape solution for everything.

Clive Robinson • March 18, 2010 11:33 AM

@ jgreco,

"I sure _hope_ you guys are just spambots..."

So do I but they could by their stilted use contain "stego" in which case...

By now their messages will be in Google's cache...

So any secret is completely disconnected from the originator.

Thus those TLA's cannot trace the recipients (unless Google has completely sold out on the rumored NSA deal).

I tend to use the "100 new comments page" a lot and it is obvious that the times selected by the spammers are those that would be early in the morning where the server is connected. It is also equally obvious from some of the spam style that they follow a "house style". So may just be used to push up the ratings.

Ho hum such is life. I wonder how long it will be before Bruce has a good long think about allowing linking any more...

Further I wonder how much longer legislators will allow people to run "open post" blogs...

jgreco • March 18, 2010 11:53 AM

@Clive Robinson

Similar to this concept, I've wondered why people don't 'vandalize' sites like wikipedia to hide messages. The edits would be nearly immediately reverted, but would remain in the article's history, indexed by time. Seems like it'd be very easy to do, perhaps wikipedia has some sort of filters to complicate this that I don't know about, or maybe people do indeed do this.

Clive Robinson • March 18, 2010 3:16 PM

@ jgreco,

"... sites like wikipedia to hide messages. The edits would be nearly immediately reverted, but would remain in the article's history, indexed by time."

I'm not sure that part of wikipedia gets indexed by search engines.

The original concept I had was how to control a covert botnet with a control channel that is well nigh impossible to stop. Because it uses a search engine like Google to "disconnect" the bot from the control message which gets posted on any one of several million open blogs that get searched and indexed by Google.

What I came up with turns out to also be a TLA's nightmare as it stops traffic analysis showing up unknown parties.

It revolves around the idea of "time dependent single use strings" (TD/SUS). So you could have a list of christian names and a list of surnames hidden in Malware by an appropriate mechanism that along with random letters builds time dependent names linked to a randomly generated URL made the same way.

Although not guaranteed to be unique it certainly would be close in most cases especially as it's generated by time.

So here's how it works.

1, The botnet operator knows how the time based algorithm works so can generate the TD/SUS

2, They go to a Big Mac or other establishment with Open WiFi and use a laptop they can change the network card MAC on.

3, They randomly select an open blog that allows URL's and post a message that's thread relevant with the appropriate TD/SUS and embedded in the message is a low bandwidth control message hidden by stego.

4, The blog operator will probably think it's a relevant message and not delete it. However even if they do as long as it's posted at a time of day the blog operator is asleep the chances are it will stay up for 8-12hours.

5, Google or some other search engine pulls the page into its cache.

6, At an appointed time or a short while thereafter the botnet zombie makes a google search for the TD/SUS and if it finds it it pulls the message out of google's cache and decodes the stego message.

Now if you think about it a google search is not unexpected traffic and thus is likely to be below the grass on the radar.

Even if google become aware they are being used this way how do they stop it.

Provided the TD/SUS is generated in a way that is difficult if not impossible to predict (see Adam Young and Moti Yung's cryptovirology pages about crypto counters etc for ideas on how to do this) then they cannot "look for TD/SUS messages".

Now instead of a bot net control channel think about a covert operative getting control messages...

As long as one of the parties is unknown the problem is how to tie one party to another.

The hard part for the TLA's even if they know one of the parties is finding out who has searched for the message and when.

Because if it's a popular blog it's going to get hit by all the search engines and the chances are it's going to get syndicated so after a couple of days it's going to be found not just on one page but ten or twenty.

If the person uses a non specific search for bits of the TD/SUS and gets a couple of hundred hits they can easily do the rest of the search on their own machine then they can see how many URL's link to the message and randomly select one.

And they don't even have to do this directly. There are any number of tricks to get the page into an open "web proxy cache" which they can then get the message from.

The vast number of sites that this can be done through makes the messages so disconnected from the originating to the receiving party that it makes it well nigh impossible to link a known and unknown party together.

It kind of goes back to the Victorian "Personal Columns" in newspapers but way way more anonymous with so many sites etc.

And all without the likes of TOR or other anonymity networks...

Mark M McMillan • August 25, 2010 1:18 PM

USB Key lock makes sense.
Tell me,
why does my bank only allow 4, numeral PIN #'s ?
I am responsible for my PIN personally, then why can't I use a simple 20 numeral code?
Why don't we have USB/PC/interface with thumb print pad/retina/signature pad all in one?
Just pondering...

Mark M McMillan
