If this isn’t a head-slapping coding-moment I don’t know what is…
The crack relies on a weakness so astoundingly bone-headed that it’s almost hard to believe. While the data on the drive is indeed encrypted using 256-bit crypto, there’s a huge failure in the authentication program. When the correct password is supplied by the user, the authentication program always send the same character string to the drive to decrypt the data no matter what the password used. What’s also staggering is that this character string is the same for Kingston, SanDisk and Verbatim USB flash drives.
I can’t imagine the security firm SySS’s reaction when they found this:
Analyst 1: “Ah Houston, we have a problem here. Dudes, this thing isn’t secure at all. It doesn’t even use my password for the encryption!”
Analyst 2: “Get the #$@!# out!! I’ve got 4 weeks scheduled to look at this thing. It’s day 2. No @$%!@# way.”
Analyst 1: “Seriously. It data is always encrypted with the same string.”
Analyst 2: “Cool, I get the next 4 weeks off.”