Flash Drive Lock

This device is clever: it's a three-digit combination lock that prevents a USB drive from being read. It's not going to keep out anyone serious, but is a great solution for the sort of casual security that most people need.

EDITED TO ADD (11/15): Similar products.

Posted on October 29, 2015 at 1:38 PM • 42 Comments

Comments

Bill • October 29, 2015 2:16 PM

Bet those will be as easy to pick as the three-digit bicycle cable locks. Spend the 8 bucks on an overpriced coffee and use an open source encryption tool to protect your data.

Fred • October 29, 2015 2:27 PM

It could be fun for office pranking and (teasing) ransomware?

But it could be a good way to make sure that nobody added something bad to your partially encrypted USB drive when you weren't looking?

John • October 29, 2015 2:42 PM

Something that's easy to hack while making my property look more valuable? No thanks =)

QnJ1Y2U • October 29, 2015 2:54 PM

For some situations, it could be used as a 'write lock'. It'll work better at keeping others from accidentally over-writing your data than the sliding tab on an SD card.

Martin • October 29, 2015 3:19 PM

As usual, reading comments on this blog is like touching someone's shit. It's like sticking your hands in a bucket of pus.

Daniel • October 29, 2015 3:24 PM

but is a great solution for the sort of casual security that most people need.

What is casual security? Is that security that one uses on casual Friday?


J. Peterson • October 29, 2015 3:35 PM

I could imagine an electronic version. Plug it in, push a button, and it makes the USB drive unreadable (e.g., scramble the directory or partition block). Set the combination, plug it in again, and it unscrambles the block making the thumb drive readable again.

Allan Ewing • October 29, 2015 3:43 PM

@Bill & John: Have to agree with you. I just know that in Scotland, policemen can open combination locks. Gives you a false security plus it is clumsy. Reminds me a bit of IronKey. Take a £3 memory stick and make a container using whatever encryption software you like.

Anura • October 29, 2015 4:35 PM

@Daniel

You can store your tax returns/naked pictures of yourself/whatever on a USB drive, making it inaccessible to any malware you get on your computer, and the lock keeps your roommate's drunk asshole friend from looking at it while you are at work?

rgaff • October 29, 2015 5:18 PM

@Anura

There's an easier way to keep your naked pictures of yourself safe... don't take any.

Anura • October 29, 2015 5:28 PM

@rgaff

There's an easy way to keep people from stealing your bank info: Don't keep your money in a bank.
There's an easy way to keep people from stealing your credit card: Don't have a credit card.
There's an easy way to keep people from stealing your cash: Don't keep cash.
There's an easy way to keep people from hacking your computer: Don't have a computer.
There's an easy way to keep people from breaking into your home: Don't live in a home.
There's an easy way to keep people from murdering you: Don't be born.

Man, it's all so simple!

Hulio • October 29, 2015 5:34 PM

Stay tuned for the link to my nearly completed, rootkit-installing 3 Digits Combination USB Flash Drive Security Lock.

DavidFMM • October 29, 2015 5:43 PM

It's cute but truthfully worthless. If I have access to the USB drive with the lock installed, I'm just going to take it with me and then find a way to remove the lock at my leisure.

albert • October 29, 2015 5:56 PM

Any thoughts on how long it'll take to hack this?

Winner must provide a bit of code to crack the drive. Extra kudos if the option for permanently resetting the code is provided.

What fun!

. .. . .. _ _ _

Normal Person • October 29, 2015 7:51 PM

Hey senseless masses,

The product is to protect someone (like a friend/colleague) from quickly sticking your USB drive into their computer while you go for a coffee or to the bathroom.

It's not meant to protect yourself against nation states....

Slme Mold wth Mustard • October 29, 2015 8:11 PM

@ Martin

"As usual, reading comments on this blog is like touching someone's shit. It's like sticking your hands in a bucket of pus."

Could you please explain? I find some of the comments here more informative than Bruce's original post. Admittedly, some others are useless. Those are the minority.

I seek enlightenment.

Luv,

Slime

r • October 29, 2015 11:07 PM

What would be reasonably useful is a male one of these for reversibly blocking your ports (think hot glue) or literally preventing removal like a Kensington but a sdhc storage adapter.

The board side female receptacles have slots in the metal already don't they? Could be a selling factor to harden the ports themselves in such a fashion imb.

Abnormal, apparently • October 30, 2015 1:06 AM

@Normal Person:

A cheap wafer lock like that can be opened in under thirty seconds, without even looking at it (I do it behind my back as a party trick), simply by supplying mechanical tension to the wafers - trivial with a bike lock design, easy with this design so long as you don't mind a little stress on the USB plug. It is no security at all against anyone with knowledge you can get on YouTube.

It is barely any security against someone with the time to try combinations by hand; if you can average just one try per hour it will take 25 work days, if you average five tries an hour it will take one work week. That's for the dumbest possible attack. The second-dumbest attack will take about 5-10 minutes: a hacksaw.

Who? • October 30, 2015 5:22 AM

@Abnormal, apparently

I certainly prefer my encrypted ThinkPad USB 3.0 Secure Hard Drive or the SSD/HDD drives on my laptops and workstations (with OpenBSD's softraid crypto (AES-XTS 256)), but this device does not sound bad at all. Considering the quality of current USB flash drives any mechanical tension applied to the lock will probably destroy the flash drive itself.

Peter A. • October 30, 2015 5:28 AM

It'll protect against a quick grab-copy-return attack, or a sneak peek, obviously it won't protect against theft. A thief would have plenty of time to defeat it and read the data.

So yes, this is good enough protection against your kid sister peeking at your (un)cool pics, in the same way a cheap combination lock would protect your diary - or your piggybank. In my opinion it thus fits the definition of 'casual security'.

Most people realize that putting a cheap combination lock on your bike's wheel or chain alone, without chaining it to a fixed object is poor security since someone can carry away your bike and get rid of the lock later. So they'll realize that with such a small and light object as a pendrive it is still worse protection against physical theft. On the other hand, adding a cable to this gizmo is useless - instead of chaining your pendrive to your desk you could just put it in your pocket when you walk away.


ianf • October 30, 2015 8:26 AM


@ Andrew - what happened to that hardened-access encrypted USB container Kickstarter project, I can't find any info not for backers other than that in 2014 they were making refunds via Amazon Payments (I have not watched the video, life's too short for that).

Instinctively I'd say that the concept of physically securing a pocketable device inside a bit bigger pocketable device is badly flawed already at the logic level. But that's me, who's stopped being invited to judge submissions at Amateur Inventor conventions, because I was too honest and not enough supportive of the paying participants' endeavors. That I may have prevented them from wasting more time and money on future dead-end projects by pointing out basic, sanity-defying flaws in their current ones, was not enough of a mitigating factor.

Perhaps that's also why I do not think this "3 Digits Combination USB Flash Drive Security Lock" anywhere near Bruce's "clever"… more like a disaster waiting to happen. Either it gets stolen because it advertises "I'm locked, I must contain IMPORTANT ZECRETS," and then opened up with nail clippers/ etc at liberty; or the USB connector gets destroyed by someone physically twisting off the lock (which looks like a repurposed unit for hand luggage that one otherwise would never leave unattended). There, now you have the cause to uninvite me to opine in these pages.

Clive Robinson • October 30, 2015 8:33 AM

I can think of three uses for this device.

The first is to act as a replacement "dust cap". Like the caps to ordinary pens they have a habit of going missing, so it would help reduce "pocket fluff in the connector" issues.

Secondly, if you have a number of identical USB drives you use one at a time, giving each one a different combination clearly identifies to you which is which without it being easily recognised by others. Which has a secondary advantage that with a little discipline on your behalf helps significantly reduce the possibility of putting the wrong drive in the wrong computers (think malware, document theft by the OS, and even air-gaps).

Thirdly, if you can securely anchor the combination cap to you via say a key chain, it makes theft / swap of the pen drive by adversaries much much harder.

So yes it can increase your security a lot, you just have to think what it is you are securing against and why.

latsot • October 30, 2015 10:04 AM

Just carrying your usb drive with you instead of leaving it lying around is a far better security measure. I suspect a pin would be enough to defeat the physical security on this thing. But why even bother with a pin? If someone leaves the lock part lying around, that reduces the time needed to break the security from 30 seconds to 20. If they don't leave it lying around, why don't they just take the drive with them too?

I'm having difficulty believing this device really exists because it is so obviously completely stupid. I don't know why Bruce thinks it's clever, it really isn't.

Xelandre • October 30, 2015 10:16 AM

Sounds like Kubrick's famed CRM-114, which is designed "not to receive at all", unless the correct "three letter code prefix" is provided.

What's this compulsion with electronic chastity belts?

Our beloved NSA is already interested in plugs to prevent the opposite sex connector from mating.

AJWM • October 30, 2015 12:16 PM

It occurs to me that this lock would work fine on the connector of cable-attached USB devices too (printers, external drives, etc). Problem is that other than trivial devices like hubs, I can't think of any such devices where you couldn't just swap out another USB A-B cable...

Jason • October 31, 2015 11:44 PM

"a great solution for the sort of casual security that most people need."

Is it though? Combo locks are effective when the thief is short on time -- for instance, if he's trying to steal a bike or break into a locker in public. But this is small enough that a casual thief can slip it into a pocket and take it home with him. Even if he doesn't know a thing about picking locks, and he's just an idly curious friend or suspicious coworker, he can try all 1000 combinations while watching an episode of Breaking Bad.

Grumpf • November 1, 2015 1:56 AM

"Casual security"? Is Mr. Schneier being mischievous, sarcastic, or merely ironic?

John Thompson • November 1, 2015 8:35 PM

I see at least a couple barriers that stand in the way of any casual attacker: first, the attacker must recognize that the device is protected by this specific combination lock, second, the attacker must invest $8 to acquire the combination device and then spend the time working through the admittedly finite combinations, or code their own utility to emulate the lock device and work through the combinations automatically. Feasible? Certainly. Likely that a casual person who happens on an unattended flash device will be willing to go through the effort to determine that it is locked by this device, and then go through the additional effort to defeat it? Not so much. As noted above, this isn't intended to protect national security secrets, but rather simple, personal data.

HJohn • November 2, 2015 9:41 AM

It's just one more layer in security.

One benefit is it makes it tougher to copy the device and return it. Say you leave for lunch and a coworker grabs your device. They could copy and return it, so you don't know the data has been obtained, and then have no limit to how much time they could spend trying to get past security. This offers some of a deterrent to where they would have to steal the device (unless they accomplished the unlikely feat of guessing the combination before you noticed it was missing).

Plus, it really is best to put some level of protection on everything, not just what's valuable. Otherwise, attackers will know what is valuable and what to attack.

nycman • November 3, 2015 10:22 AM

This could be used for some limited use cases. First, it's not a bad tamper evident seal, depending on how well it's manufactured, whether it can just be pulled off with moderate force without damaging anything.

If your adversaries have limited time, say under 10 minutes, and are not experienced lock pickers, they would have to damage the lock or device, steal it, or manage to get it off and put it back on in the locked state. You would likely know if someone tried to read the drive.

Since it's 3 digits, I believe there are 1000 combinations, so depending on how much time your adversaries have physical access and how fast you think they can flip through combinations, you'd have to change your combination in half the expected time to crack, on average.

For those knowledgeable about full disk USB encryption, tell me if there is one that will work across various OS types. Also, if some of the computers will only run white-listed executables, and your decryption program is not whitelisted. And is your FDE tamper evident? Somebody with 1 minute of access to your USB can image it and start attacking it without your knowledge. They'll also have some metadata (it's likely they'll know the last time you wrote to it, perhaps more).

Paul B • November 4, 2015 2:36 PM

It's obviously too cryptographically and mechanically complex for "casual" security, a two-digit code with less digits per wheel should suffice.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.