U3 hacking on encrypted flash drives

[johnemiller at gmail.com (John)]

I would check to see where the autorun software is stored on the drive.
If it truly is read-only, then you arrive at two possible scenarios.
They might have a mass produced security hardware device that is not
able to be updated. It becomes a sitting target. The only way around
this is to call executable code from the read-write partition. This
would make the drive vulnerable to overwriting the autorun application.

This is a technique that is used by the Downadup worm. It writes itself
into autorun.inf files on removable media and network shares. I also use
the stock autorun.inf on U3 drives and replace the contents of
LaunchU3.exe with a malicious agent. I've had antivirus catch suspicious
autorun files, but I figure they will always accept a stock U3 drive.  
 
On Tue, 2009-03-17 at 23:29 -0400, Michael Salmon wrote:
> I posted this comment/question on the PaulDotCom forum, but I'm
> wondering what you guys think.  First, let me start saying the
> PaulDotCom podcasts are awesome and Irongeek is a big influence on my
> interest in computer security (his video's are great!).  Feels like
> I'm talking to moviestars, lol ...
>
> I hope I'm not beating a dead horse.  I know U3 hacking has been
> around for years and so has the UniversalCustomizer tool.  My company
> purchased back in 2007 the Kingston DTSP (DataTraveler Secure Privacy
> Edition) USB keys for their hardware encryption.  Last year Kingston
> replaced the drives with DTVP (DataTraveler Vault Privacy Edtion) and
> my manager asked me to find out if it was possible for a virus to
> install on the CD-Rom partition.  I called Kingston to discuss the
> matter and ask other detailed questions about their product.  I was a
> bit surprised when the engineer told me it uses U3 technology... I
> shouldn't have been, but because U3 didn't seem very secure to me I
> assumed they developed their own CD-Rom emulation software.  I tested
> the UniversalCustomizer tool against the older DTSP driver first and
> it recognized it as a U3 drive and overwrote their CD-Rom partition,
> although the data on the key was gone and even with data recovery
> tools (used PhotoRec) I couldn't retrieve anything, it really
> concerned me that a virus could overwrite the CD-Rom area and
> Antivirus wouldn't be able to delete the infection.  The tool failed
> to recongnize the newer DTVP drive as a U3 enabled key, but that
> doesn't mean someone else won't figure out a way to overwrite it.
> Kingston didn't have an answer when I asked what kind of security is
> in place to protect against this (I'm still in talks with them,
> hopefully someone will give me an answer).  So now I'm interested in
> Ironkey, but on a recent PaulDotCom eposides it was said that also
> uses U3 technology.  I'm going to contact Ironkey soon, but i have
> very little trust in what vendors say, has anyone else researched
> this?  Company's put a lot of faith on hardware encrypted keys and
> believe it's a secure mediam, allowing their "secure drives" access
> through device blocking products.  Kingston was confident that CD-Rom
> partition is READ-ONLY, thus creating a false sense of security (at
> least for their DTSP).  Sounds like a big security hole to me.
>
> Your comments are appreciated.
>
>
> ______________________________________________________________________
> Windows Live?: Keep your life in sync. Check it out.
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com