Cruzer Enterprise Potential Vulnerability – Update
14 January, 2010 | From Dror Todress
SanDisk has recently identified a potential vulnerability in the access control mechanism and has provided a product update to address the issue. SanDisk customers were proactively notified and have been given the support required for updating their Cruzer® Enterprise drives.
In the past few days several news sites have reported on this incident. Most coverage addressed the issue at hand and referred to the SanDisk web site for the resolution. Some reporters and bloggers even approached SanDisk for a response.
However, some of the coverage was simply wrong and has caused confusion in the market.
To reassure SanDisk customers that their existing and future Cruzer Enterprise devices are safe and secure, the following inaccurate claims need to be addressed:
1. “There is an architecture flaw in the Cruzer Enterprise security design which generates a static unlock code”
There is no architecture flaw in the Cruzer Enterprise security design. As mentioned in previous communications, there was an error in one of the host application algorithms used to generate a random key that is then verified against a derivation of the user password stored in hardware. A fix for this has been made available to customers, and new drives incorporate the updated application.
2. “The Cruzer Enterprise relies on host-side software for verifying the correctness of the user’s password”
Key verification for unlocking the device is done in hardware and not by a software application on the host. The Cruzer Enterprise secure USB drive uses unique random AES encryption keys that are generated on the device during device initialization. These encryption keys are stored in hardware and cannot be extracted from the device.
3. “The Cruzer Enterprise has no measures against Brute Force attacks”
The Cruzer Enterprise secure USB drive is designed to prevent brute-force attacks (“password replay attacks”) by storing the brute-force counter in the hardware cryptographic chip.
Preserving customer security and product reliability continues to be a top priority at SanDisk, and SanDisk will continue to work diligently with customers to perform the product update in a timely manner. SanDisk now offers its central management and control system (CMC) free of charge for a period of three months to support the updating process in large organizations (for more information please contact ent.support@sandisk.com).
SanDisk is a vertically integrated designer and manufacturer of flash products and has a long-standing security practice. This ensures that its security products use best-of-breed technologies and hardware, since SanDisk is not a mere integrator of third-party components.
With SanDisk offices and manufacturing facilities around the world, customers have access to a global distribution and support infrastructure and can be reassured that they are working with the global leader in flash memory cards.
Tags: Data Security, secure flash drive