Attacking Encrypted USB Keys the Hard(ware) Way

  • Added 26. 08. 2024
  • Ever wondered if your new shiny AES hardware-encrypted USB device really encrypts your data - or is just a fluke? If you have, come to our talk to find out if those products live up to the hype and hear about the results of the audit we conducted on multiple USB keys and hard drives that claim to securely encrypt data.
    By Elie Bursztein, Jean-Michel Picod & Rémi Audebert
    Full Abstract & Presentation Materials:
    www.blackhat.c...

Comments • 49

  • @briancarnell 6 years ago +40

    When I want to secure data on a USB drive, I use Veracrypt or similar software. I always assumed the "encrypted" USB keys you can buy out there are largely garbage.

    • @cepamoa1749 6 years ago +1

      Issue is that veracrypt does not run well on all platforms. On my fedora27 it does not in GUI, making end user usage not likely as you need command line foo to make it work.

    • @briancarnell 6 years ago +9

      That makes sense. I assume the market for these "encrypted USB drives" is largely Windows users which is why I mentioned Veracrypt.
      I assume Linux users would use something like cryptsetup/LUKS.

    • @kirbfx 5 years ago +7

      Why not do both, use Veracrypt on an encrypted USB drive so they must crack the key and then the encrypted vault??

    • @osamabinladen824 3 years ago +1

      @hmm8hql739 Please make it simple. What's the best way to encrypt my SSD?

  • @georgesamaras2922 4 years ago +20

    All those nerdy ways to attack secure chipsets, and everyone just ignores that they used a freaking fingerprint sensor. Imagine if you left your computer password written on tables, drinking glasses, smartphone screens, shop catalogs, doors, handles, police database depending on your history, your smartphone manufacturer, etc. And of course depending on threat model a government can use physical violence to obtain a fingerprint. Fingerprint is like the dumbest of the dumbest ideas for key input.

  • @kirbfx 5 years ago +7

    I recommend using an encrypted USB that you then encrypt a second time with VeraCrypt or LUKS with a very strong 30 plus multi character password (without using any actual words in any language so it can’t be dictionary cracked) so even if they crack the outer hardware based key 🔑, they then have to brute force the second VeraCrypt key making it much, much more difficult to crack.

    • @ArchangelTyrael 4 years ago +1

      Then how do you access your data? Having to type a random 30 character combination sucks if you want to access your data.

    • @arabicfoot 4 years ago +1

      Archangel Tyrael stop posting stupid comments

    • @ArchangelTyrael 4 years ago +1

      @arabicfoot It’s not stupid. How are you supposed to remember 30 random characters for every site? Write them down and someone can find them. Password manager and they are all in one place. Hackers that get in can now log in to all your accounts. If the manager doesn't work or is unreachable you are locked out of everything.

    • @gastonhitw720 3 years ago

      @ArchangelTyrael you have to rely on a hand-written note.....you can also remember the password tho, I use a 27 digit password and I can easily remember it

  • @NoneNone-rw7bs 6 years ago +1

    I'm very impressed. In short the "laymen" term would be that it is very difficult, but possible. And in fact it is currently possible in many instances. So in short, It "Sucks" but needs work.

  • @over00lordunknown12 6 years ago +3

    Does anyone know a drive that will encrypt the data on it like a normal drive, but have a sort of "fail safe" mode? IE: If someone pries the case open, will destroy the data (either by consecutively writing zeros, or electric shock to the chip(s)).

    • @mohamedfouad2304 6 years ago

      over00lord Unknown tom cruise got one

    • @osamabinladen824 3 years ago

      @mohamedfouad2304 It burns

    • @maxicx75v 2 years ago

      IIRC there's a separate certification for that, and yes, these exist. No need to overwrite data or shock the chips too: it's sufficient to erase the encryption key and the data will be just unrecoverable random garbage.

  • @over00lordunknown12 6 years ago +1

    5:51 Ough! I *LOVE* tree categories! :D (I can't speak French, so who am I to make jokes about him? :/)

  • @adds761 6 years ago +3

    Are the results from each drive they tested published anywhere?

    • @Baigle1 6 years ago +1

      this data is invaluable to consumers and high profile users that need the FIPS usb keys.. we need the brands and models

    • @cepamoa1749 6 years ago

      i would love that too :)

  • @Malegys 6 years ago +2

    are there any subs available for Pépé LePeu here?

  • @ciscomalo5731 6 years ago

    could someone please help me with the latest CEH exam dumps?

  • @CharlesVanNoland 6 years ago +2

    I'm glad people develop skillz from all over the world and come to BlackHat to share them, but I have a hard time understanding half of the speakers because of their thick accents. I'm sure a slight case of nerves being in front of a bunch of people lends itself to them slipping into the thickest of their tongue while speaking - distracting them from making it a point to articulate as they focus on the material intently. Video subtitles aren't much help if they don't read as what the speaker means either, and mostly just make it harder to understand what's being said :(

    • @phatpants0917 5 years ago +4

      You listen to enough talks and you start to have an ear for the accents.

  • @NoneNone-rw7bs 6 years ago +1

    Blackhat is clearly the superior technology because they find all the stupid mistakes tech companies make just to put a component to market as fast as possible. So in short, Technology component developers are only interested in profit, whereas blackhat is all about making things secure. I would assume that Blackhat technology is more expensive. But the one element that no one can ever eliminate is a "mole programmer." And of course state sponsored attacks that have millions if not billions behind the attack.

  • @jakec904 6 years ago +2

    Is this guy from vupen?

    • @sundhaug92 6 years ago +2

      They're from Google

    • @Baigle1 6 years ago

      aren't vupen a bunch of dbags that don't release their exploits and only sell to oppressive regimes and tyrannical govts?

    • @sundhaug92 6 years ago +1

      Baigle1:
      1. These guys are not Vupen
      2. Vupen no longer exists
      3. While it is true that Vupen did not disclose the vulnerabilities they discovered for pwn2own 2012, they did disclose them for pwn2own 2014.
      4. While their full customer-list has not been revealed, it is known that it included the US (NSA) and Germany (BND) - neither of which are generally recognized as oppressive nor tyrannical. You might be thinking of Hacking Team, which was one of their customers.

    • @Baigle1 6 years ago

      Yep it was hacking team, thanks.

  • @MrTizinator 4 years ago +2

    So basically there is no safe way to encrypt your drive and everything can be hacked? O.o

    • @theglowingone5643 4 years ago

      you will always be able to bruteforce an encrypted thing. If you can prevent hardware vulnerabilities, you can use strong encryption that would take 1000s of years to calculate. But in encryption USB, there are many hardware loopholes. So instead, get just a normal usb stick but store everything encrypted and decrypt it on your pc with a key. There is software that does this, I forgot its name tho... I'll follow up on this

    • @theglowingone5643 4 years ago +1

      Veracrypt is one of those softwares. You can ofc use it on an encryption USB stick so it adds a (very thin) extra layer of security

    • @dukesoft7211 4 years ago +3

      Also don't underestimate the power of a big bald guy with a 5$ wrench

    • @hjembrentkent6181 4 years ago

      Use encryption strong enough that all matter in the universe converted to energy would be insufficient to do the brute force work.

    • @Kitulous 3 years ago +1

      @dukesoft7211 that's why you use the "double bottom" option in VeraCrypt - hidden partition

  • @NoneNone-rw7bs 6 years ago

    Yes, that sucks, :)

  • @printchipe 6 years ago

    Can you help me? For the information security field, should we have deeper knowledge of computer networks and infrastructure, or of programming? Thanks in advance. Thank you.

  • @Ibentheamazing 5 years ago

    This means that someone can decrypt a USB Key without the password!!!???

  • @SCITom 3 years ago +1

    It takes time to get used to French people speaking English, that's a given.

  • @dexterh6814 6 years ago +4

    hard to understand what he said.. but i got the point tho.

  • @cesargil5997 4 years ago +2

    All your data are belong to us.

  • @conreo 4 years ago

    🥖