USB flash drive security

From Wikipedia, the free encyclopedia

Secure USB flash drives protect the data stored on them from access by unauthorized users. USB flash drive products have been on the market since 2000, and their use is increasing exponentially.[1] As both consumers and businesses have increased demand for these drives, manufacturers are producing faster devices with greater data storage.

An increasing number of portable devices are used in business, such as laptops, notebooks, universal serial bus (USB) flash drives, personal digital assistants (PDAs), advanced mobile phones and other mobile devices.

Companies in particular are at risk when sensitive data are stored on unsecured USB flash drives by employees, who use the devices to transport data outside the office. The consequences of losing drives loaded with such information can be significant, and include the loss of customer data, financial information, business plans and other confidential information, with the associated risk of reputation damage.

Major dangers of USB drives

The uncontrolled use of USB drives is a major danger since it represents a significant threat to information security and confidentiality.

Therefore, the following should be taken into consideration when securing USB drive assets:

  • Storage: USB flash drives are usually put in bags, backpacks, laptop cases, jackets, trouser pockets, or are left at unattended workstations.
  • Usage: tracking corporate data stored on personal flash drives is a significant challenge; the drives are small, common, and constantly moving. Many enterprises have strict management policies toward USB drives, and some companies ban them outright to minimize risk.

The average cost of a data breach from any source (not necessarily a flash drive) ranges from less than $100,000 to about $2.5 million.[1]

A SanDisk survey[2] characterized the data that corporate end users most frequently copy:

  1. customer data (25 %)
  2. financial information (17 %)
  3. business plans (15 %)
  4. employee data (13 %)
  5. marketing plans (13 %)
  6. intellectual property (6 %)
  7. source code (6 %)

Examples of security breaches resulting from USB drives include:

  • In the UK:
    • HM Revenue & Customs lost personal details of 6,500 private pension holders
  • In the United States:
    • a USB drive was stolen with names, grades, and social security numbers of 6,500 former students [3]
    • USB flash drives with US Army classified military information were up for sale at a bazaar outside Bagram, Afghanistan[4]

Solutions

Since the security of the physical drive cannot be guaranteed without compromising the benefits of portability, security measures are primarily devoted to making the data on a compromised drive inaccessible. One common approach is to encrypt the data for storage, although other methods are possible.

Software

Software solutions such as FreeOTFE and TrueCrypt allow the contents of a USB drive to be encrypted automatically and transparently. Windows 7 Enterprise and Ultimate Editions and Windows Server 2008 R2 also provide USB drive encryption using BitLocker to Go. The Apple Computer Mac OS X operating system has provided software for disk data encryption since Mac OS X Panther was issued in 2003 (see also: Disk Utility).[5]

Additional software on company computers may help track and minimize risk by recording the interactions between any USB drive and the computer and storing them in a centralized database.
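As an added illustration (not part of the original article, and not the code of any product named in it), the sketch below records USB mass-storage attach events from Linux kernel log lines into a SQLite table that stands in for the centralized database. The log excerpt, hostnames and serial numbers are constructed, and the timestamp and host prefix is an assumed syslog layout.

```python
import re
import sqlite3

# Constructed sample: kernel messages from two workstations (hosts, times, serials are made up).
SAMPLE_LOG = """\
2010-05-02T09:14:03 ws-017 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567
2010-05-02T09:14:03 ws-017 kernel: usb 1-2: SerialNumber: EXAMPLE0001
2010-05-02T09:14:04 ws-017 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
2010-05-03T08:02:19 ws-022 kernel: usb 2-1: New USB device found, idVendor=0781, idProduct=5567
2010-05-03T08:02:19 ws-022 kernel: usb 2-1: SerialNumber: EXAMPLE0001
2010-05-03T08:02:20 ws-022 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
2010-05-03T08:30:00 ws-017 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c077
"""

# timestamp, host, driver ("usb" or "usb-storage"), bus-port, optional interface, message
LINE = re.compile(r"^(\S+) (\S+) kernel: (usb(?:-storage)?) ([\d.-]+)(?::[\d.]+)?: (.*)$")
IDS = re.compile(r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")

def parse_events(log_text):
    """Return (ts, host, vid, pid, serial) for each device that attached as mass storage."""
    pending, events = {}, []  # pending: devices seen on a port but not yet claimed by usb-storage
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, host, driver, port, msg = m.groups()
        key, ids = (host, port), IDS.search(msg)
        if driver == "usb" and ids:
            pending[key] = [ids.group(1), ids.group(2), None]
        elif driver == "usb" and msg.startswith("SerialNumber: ") and key in pending:
            pending[key][2] = msg.split(": ", 1)[1]
        elif driver == "usb-storage" and "Mass Storage device detected" in msg and key in pending:
            events.append((ts, host, *pending.pop(key)))
    return events

def store(events, conn):
    """Append events to the central table (an in-memory SQLite database in this sketch)."""
    conn.execute("CREATE TABLE IF NOT EXISTS usb_events (ts, host, vid, pid, serial)")
    conn.executemany("INSERT INTO usb_events VALUES (?, ?, ?, ?, ?)", events)
    conn.commit()

def hosts_for_serial(conn, serial):
    rows = conn.execute("SELECT DISTINCT host FROM usb_events WHERE serial = ? ORDER BY host", (serial,))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    store(parse_events(SAMPLE_LOG), db)
    print(hosts_for_serial(db, "EXAMPLE0001"))
```

The last sample line is a non-storage device (no usb-storage message follows it), so it is parsed but never recorded.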

Hardware

Some USB drives offer embedded hardware encryption, although these cost significantly more. Microchips within the USB drive carry out automatic transparent encryption.

Hardware systems may offer additional features, such as the ability to automatically overwrite the contents of the drive if the wrong password is entered more than a certain number of times. This type of functionality cannot be provided by a software system since the encrypted data can simply be copied from the drive. However, this form of hardware security can result in data loss if activated accidentally by legitimate users, and strong encryption algorithms essentially make such functionality redundant.

As the encryption keys used in hardware encryption are typically never stored in the computer's memory, hardware solutions are technically less subject to "cold boot" attacks than software-based systems. In reality, however, "cold boot" attacks pose little (if any) threat, assuming basic, rudimentary security precautions are taken with software-based systems.[6]

Compromised systems

The security of encrypted flash drives is constantly tested by individual hackers as well as professional security firms. At times (as in January 2010), flash drives that had been positioned as secure were found[7] to have a bug that could potentially give access to data without knowledge of the correct password.

A few noteworthy solutions that could have been compromised in this way, though all were subsequently fixed, include:

  • SanDisk Cruzer Enterprise[8]
  • Kingston DataTraveler BlackBox[9]
  • Verbatim Corporate Secure USB Flash Drive[10]
  • Trek Technology ThumbDrive CRYPTO[11]

The manufacturers of these products reacted immediately. Before the above became public, three of the four companies made a patch available (Kingston offered affected users a replacement drive using a different security architecture). Customers were not at risk if they had applied the patch before their device was attacked.

Management

In commercial environments, where most secure USB drives are used[1], a central management system may provide IT organizations with an additional level of IT asset control. This can include initial user deployment and ongoing management, password recovery, data backup, and termination of any issued secure USB drive. Such management systems are available as software as a service (where Internet connectivity is allowed) or as behind-the-firewall solutions.

References

  1. ENISA, June 2006.
  2. SanDisk Survey, April 2008.
  3. Swartz, Jon (16 August 2006). "Small drives cause big problems". USA Today. http://www.usatoday.com/tech/news/computersecurity/2006-08-15-thumbdrives-stolen_x.htm
  4. Watson, Paul (18 April 2006). "Afghan market sells US military flash drives". Los Angeles Times.
  5. "How to create a password-protected (encrypted) disk image in Mac OS X 10.3 or later". Accessed 2 May 2010.
  6. http://www.freeotfe.org/docs/Main/FAQ.htm#de
  7. http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/SySS_Cracks_Kingston_USB_Flash_Drive.pdf
  8. http://www.sandisk.com/business-solutions/enterprise/technical-support/security-bulletin-december-2009
  9. http://www.kingston.com/driveupdate/
  10. http://www.verbatim.com/security/security-update.cfm
  11. http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/SySS_Cracks_Yet_Another_USB_Flash_Drive.pdf
