NIST-Validated Flash Drives Hacked
Agency Investigating, Suggests Validation Isn't the Problem
The National Institute of Standards and Technology said Friday it is taking seriously recent reports of vulnerabilities in NIST-validated USB flash drives and is reviewing the information on the vulnerability.
The German security testing firm SySS has exploited a flaw in a Windows-based password entry program to allow hackers access to data stored on AES 256 USB flash drives produced by several manufacturers and used by governments and businesses, according to several reports this week.
NIST said it suspects its certification isn't the culprit. "From our initial analysis, it appears that the software authorizing decryption, rather than the cryptographic module certified by NIST, is the source of this vulnerability," NIST said in a statement. "Nevertheless, we are actively investigating whether any changes in the NIST certification process should be made in light of this issue."
FIPS 140-2 certification covers cryptographic modules, which scramble data into an encrypted format that is indecipherable. The data is decrypted and retrieved only when the correct password, key or other means of authentication is entered and processed by the module.