December 29, 2022

Crypto Charade: Software Encryption of Portable Drives Is a Bad Joke with Terrible Consequences

For organizations, using software encryption to protect data on USB flash drives and portable hard drives is a practice that introduces massive compliance and data leak risks.

6 REASONS WHY SOFTWARE ENCRYPTION OF USBs IS UNACCEPTABLY WEAK

SOFTWARE ENCRYPTION WEAKNESS – 1. Regular USB drives offer no protection for the stored software-encrypted data

Anyone with physical access to a regular unsecure USB flash drive can do whatever they want with the stored data, even if it is software encrypted. They can swap out the encrypted data and erase or manipulate it; it is directly accessible if you plug it into a PC. A security expert would say that these devices lack integrity.

WITH DATALOCKER SECURE USBs all data is automatically password protected and hardware encrypted, the data encryption key never leaves the device and cannot be exported. This means that the hardware encrypted data is inaccessible to an attacker and that the security posture of the device is always upheld. No password, no data access. The hardware enforced security can only be ON and there is no OFF-switch.

SOFTWARE ENCRYPTION WEAKNESS – 2. Swapping data for ransomware/malware

When a software-encrypted USB is plugged into a PC that the organization does not manage, it can immediately be infected and then carry malware and ransomware onto the corporate network or other customers later on.

DATALOCKER SECURE USBs can be unlocked in read-only mode, and they can be protected by their own antimalware engine. These measures block both ransomware and malware. Unless the correct password is entered, nothing can be written to the device.

SOFTWARE ENCRYPTION WEAKNESS – 3. Open to “harvest now, decrypt later” attacks (it won’t be long before they access the data)

An attacker can copy the software-encrypted data, or the data encryption key exposed in memory, without the user noticing it. This could be an insider, cleaning staff, or anyone with access to the software-encrypted USB. They can return the device, and there will be no sign that the data has been siphoned. This attack can be ongoing, and there is no way of noticing it.

For example, Elcom offers distributed password cracking that can, in the case of Windows BitLocker To Go, fire away 30 000 password attempts per second per computer, scaling to a 10 000 machine cloud-accelerated attack. Once the password is recovered, the attack can continue, as the user will most likely not change the password of the software-encrypted USB for some time.

If the software-encrypted USB is unlocked on an unmanaged PC, it should be assumed that the encryption key has been exposed, as it is accessible in RAM (memory) on the host computer and can be captured easily.

DATALOCKER SECURE USB drives only grant access if the correct password is entered. A maximum number of attempts is enforced in the hardware, which makes brute force attacks non-starters. When the device is managed, there can also be a full audit trail of device and file activity. The data encryption key never leaves the security of the hardware device. To aid the user, it is possible to activate a challenge-response password reset (also enforced in the hardware).

SOFTWARE ENCRYPTION WEAKNESS – 4. User error: Erasing the security and exposing new data

On managed PCs, the software encryption can be enforced. But as soon as a software-encrypted USB is allowed onto a system not under the organization’s control, the user can, for example, erase the encrypted data to make space for new data. If you try to copy data to a software-encrypted device outside of its prompt, Windows will tell you it is full, as the virtual container fills it; this makes it a logical conclusion to try to make space by deleting data in Windows Explorer. After that deletion it is just a regular USB drive with NO SECURITY. The user will then transport the new data unencrypted, breaking compliance requirements, risking a data leak, and will most likely blame IT for the assumption that the “security” was always on. The false sense of security could even make the user take bigger risks. When the user mishandles the software-encrypted USB, data corruption and data loss will also be commonplace and should be accounted for.

DATALOCKER SECURE USBs are always secure. Any data copied onto the drive is always password protected and hardware encrypted, with no room for user error.

SOFTWARE ENCRYPTION WEAKNESS – 5. The regular USB drive will need to be scrubbed or shredded

Before using a regular flash drive for software encryption, it will need to be sanitized using a media sanitizing solution if it has been in use before. Otherwise, there might be unencrypted data outside the encrypted container that can be recovered. The process will take hours to conclude, as the sanitization software overwrites and then verifies the medium. Without sanitization, traces of old data will persist on the device and can cause data breaches. Free software like Recuva allows you to recover data that is not visible in the regular file system but is still present on the device: “the index of the book is deleted, but the chapters are still there”. Recuva easily recreates the index, making the old data accessible to the attacker. Once the user is done using the software-encrypted device and it is decommissioned, the media will need to be sanitized again (there is no guarantee that nothing has been stored unencrypted on the device; remember number 4 on this list).

DATALOCKER SECURE USBs can be reissued in minutes as they feature NIST-compliant cryptographic erasure. The erasure is done in milliseconds and the data is permanently gone. The device can be reissued as if it just came out of the box. Over and over again.
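To make the contrast in point 5 concrete, here is an added simulation (not DataLocker's code) of three ways to retire data on a drive: a file-system delete that only drops the index, an overwrite whose cost grows with capacity, and a cryptographic erase that replaces the on-device key. The drive model, the marker-carving "recovery tool", and the HMAC-based keystream standing in for the device's AES engine are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

def keystream(key, length):
    # Toy keystream (HMAC-SHA256 in counter mode): a constructed stand-in for the
    # device's AES engine, used only so the simulation runs with the stdlib.
    out = b"".join(hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
                   for i in range((length + 31) // 32))
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class SimDrive:
    """Constructed model: raw media plus a file index; a hardware key when encrypted."""
    def __init__(self, size, hardware_encrypted):
        self.media = bytearray(size)
        self.index = {}      # name -> (offset, length), like a file system directory
        self.key = secrets.token_bytes(32) if hardware_encrypted else None
        self.free = 0
    def write(self, name, data):
        if self.key:
            data = xor(data, keystream(self.key, len(data)))
        self.media[self.free:self.free + len(data)] = data
        self.index[name] = (self.free, len(data))
        self.free += len(data)
    def read_raw(self, offset, length):   # read by location, ignoring the index
        raw = bytes(self.media[offset:offset + length])
        return xor(raw, keystream(self.key, length)) if self.key else raw
    def delete(self, name):
        del self.index[name]  # a plain delete drops the index entry; the bytes stay
    def carve(self, marker):
        return self.media.find(marker) != -1  # recovery tools scan media, not the index
    def overwrite_sanitize(self):
        self.media[:] = bytes(len(self.media))
        self.index.clear()
        return len(self.media)  # bytes rewritten grows with capacity (hours on a real drive)
    def crypto_erase(self):
        self.key = secrets.token_bytes(32)
        self.index.clear()
        return 32               # only the key is replaced; the old ciphertext is now noise

def deleted_file_is_carvable():
    # Regular drive: after a delete, the marker is still found on the raw media
    d = SimDrive(1024, hardware_encrypted=False)
    d.write("report.txt", b"CONFIDENTIAL constructed sample text")
    d.delete("report.txt")
    return d.carve(b"CONFIDENTIAL")
```

On the hardware-encrypted model, `carve` finds nothing even before erasure, and after `crypto_erase` a `read_raw` at the old offset no longer yields the plaintext.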

In summary, avoid software encryption of portable storage, as there are much better and more cost-efficient options available. Managed hardware encrypted USB drives are the answer to your portable data compliance.

DataLocker hardware encrypted devices are the perfect solution for organizations that require encryption of portable data for compliance and data protection.

  1. All data is automatically hardware encrypted; the data encryption key never leaves the device and cannot be exported
  2. All data is always password protected 
  3. The password is brute-force protected with a maximum of 10-20 attempts, which is enforced in the hardware (like a TPM)
  4. The user cannot misunderstand or disable the robust security; if you unplug it without warning, the disk will still be operational and protected.
  5. No data available before unlock (no “harvest now, attack later” attacks possible)
  6. Portable antivirus can protect the data on unmanaged hosts; read-only unlocks are also possible.
  7. The media is sanitized with cryptographic erasure, which takes a millisecond versus the hours that it takes to sanitize a regular USB drive with a commercial media sanitization solution.
  8. Centrally manage the secure USB drives for full command, control and compliance with SafeConsole. The SafeConsole management server enables remote password resets, remote kills and full device/file auditing for the organization.