A new take on securing USB flash drives
Once upon a time, USB flash drives were so cheap and so convenient they were passed out free of charge at trade shows and every professional seemed to gather a collection of them in their desk drawers. These handy devices allowed you to download data from one computer (perhaps your office PC) and conveniently carry that data to another computer (perhaps your laptop) or to a remote location (perhaps another desktop in a branch office overseas). They offered a convenient and cost-effective way to move and use data.
Unfortunately, the USB stick became so convenient to use and transport that it soon became a tool to surreptitiously download mountains of data and walk out the door with it, unseen and unnoticed.
The humble USB stick -- perhaps containing extremely vital data -- was also easy to lose. (Taxi drivers find thousands of lost drives in their cabs each month, and dry cleaners fill cardboard boxes with flash drives they’ve discovered in their customers’ pants pockets.)
To counteract these worrisome trends, customers began demanding -- and manufacturers began developing and supplying -- USB flash drives that supposedly could safeguard all of the data they stored by encrypting it. In order to gain access to any of that data, a person carrying such an encrypted USB stick typically would need to insert it into a computer’s USB port, type his or her User Name and Password on the computer’s keyboard, authenticate themselves, and thereby allow for the decryption of the protected data.
This seemed to some people to represent a significant step forward in safeguarding data residing on USB flash drives, but others disagreed. They argued that any encryption/decryption system that relied on software that interacts with a host computer was, by definition, susceptible to hackers who could break into that host computer and load on their own malware. That malware, in turn, could intercept the communications between the inserted, encrypted USB stick and the host computer -- and easily capture the User Name and Password being entered via the computer’s keyboard. Having secretly grabbed the User Name and Password, the hacker could then swiftly and easily gain access to the supposedly protected data which was sitting on the USB flash drive.
To counteract this possibility, some vendors of USB flash drives introduced the notion of a central management system, requiring users of encrypted USB sticks to authenticate themselves both using a computer and then, additionally, via the Internet, by connecting to a database of authorized users sitting in The Cloud. This approach slowed down the authentication process and it required an Internet connection in order to use the USB stick.
In other words, the humble USB flash drive, which had begun life as a simple and convenient tool to transport digital data, had morphed into a much more complicated component of a system that was significantly more cumbersome to use.
That’s where a small business called Systematic Development Group, of Deerfield Beach, FL, entered the picture, with a device it calls the LOK-IT Secure Flash Drive. As John Tate, the executive vice president of this company, told it to GSN on Nov. 3, the LOK-IT flash drive encrypts data with FIPS-certified 256-bit AES encryption, but allows the user to fully authenticate himself or herself without relying on any software that interacts with the host computer. Instead, the LOK-IT secure flash drive has a small PIN pad mounted directly on the stick itself, which requires the user to tap in a PIN number ranging from seven to 15 digits. If the PIN is correct, the user will have 30 seconds in which to insert the stick into a host computer and begin accessing the protected data. If the PIN is incorrect, no data on the stick will be accessible by the host computer. In fact, said Tate, the computer will not even recognize that a USB stick has been inserted into the USB port until -- and unless -- the correct PIN has been entered onto LOK-IT’s PIN pad.
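The unlock sequence Tate describes can be modeled as a small state machine. The sketch below is an example added here, not LOK-IT's firmware or any code from the company: the class and method names are hypothetical, storing a salted verifier in place of the PIN is an assumption, and so is treating the 30-second window as single-use.

```python
import hashlib
import hmac

PIN_MIN, PIN_MAX = 7, 15   # PIN length range given in the article
UNLOCK_WINDOW_S = 30       # seconds allowed between correct PIN and insertion


class PinGatedDrive:
    """Toy model of a drive that authenticates on its own keypad."""

    def __init__(self, pin, salt=b"constructed-salt"):
        if not self.valid_format(pin):
            raise ValueError("PIN must be 7 to 15 digits")
        self._salt = salt
        # Assumption: the device keeps a derived verifier, never the PIN itself.
        self._verifier = self._derive(pin)
        self._unlocked_at = None

    @staticmethod
    def valid_format(pin):
        return pin.isascii() and pin.isdigit() and PIN_MIN <= len(pin) <= PIN_MAX

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    def enter_pin(self, pin, now):
        """Digits are typed on the stick, so nothing crosses the host keyboard."""
        ok = self.valid_format(pin) and hmac.compare_digest(
            self._derive(pin), self._verifier)  # constant-time comparison
        self._unlocked_at = now if ok else None
        return ok

    def plug_in(self, now):
        """Return what the host observes when the stick is inserted."""
        armed = (self._unlocked_at is not None
                 and 0 <= now - self._unlocked_at <= UNLOCK_WINDOW_S)
        self._unlocked_at = None  # assumption: the window is consumed on use
        return "mass-storage device enumerated" if armed else "no device detected"


if __name__ == "__main__":
    drive = PinGatedDrive("4815162342")      # constructed sample PIN
    print(drive.plug_in(now=0))              # locked: host sees nothing
    drive.enter_pin("4815162342", now=5)
    print(drive.plug_in(now=20))             # inside the 30-second window
    drive.enter_pin("4815162342", now=100)
    print(drive.plug_in(now=131))            # window expired: host sees nothing
```

Because the comparison runs on the device, malware on the host has no keystrokes to intercept and, until the window is armed, no device to talk to.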
In Tate’s view, this restores the USB stick to its original mission. It can be used conveniently by carrying it in one’s pocket, with no fear that its encrypted data can be accessed if it were to be lost or stolen. Its PIN can be entered without relying on software that interacts with the host computer (and, thus, could be vulnerable to hacking), and the firmware within the security controller that is embedded on the LOK-IT stick itself is completely encased in an epoxy that would prevent anyone from attempting to break into it, without destroying the security controller in the process.
Tate said the LOK-IT flash drive has begun to capture the attention of several government agencies. For example, U.S. Customs and Border Protection (CBP) has purchased the devices, he said, for use aboard Black Hawk helicopters that are capturing vast amounts of border surveillance imagery on high definition video systems. CBP wants to download that video data to easily-transportable flash drives, so the imagery can be carried back to command centers and other CBP locations. Normally, CBP would need to request a “waiver,” so it could use a flash drive that was not deemed to be “secure,” but with the LOK-IT drive, CBP would not need such a waiver, Tate explained to GSN. The LOK-IT device has undergone more than a year of testing by CBP, said Tate, and won the agency’s approval about three months ago.
The company has sold its flash drives to the U.S. Department of Agriculture, Government Printing Office, U.S. Supreme Court, Smithsonian Institution, Congressional Budget Office and a host of city governments, he added.
The LOK-IT comes in three different sizes: a 4 GB version that sells for $70 to $80 apiece; an 8 GB model that sells for about $100 each; and a 16 GB version that sells for $170. The company has negotiated GSA pricing for government purchases that is about 25 percent below those figures, said Tate. He noted that while CBP bought the 16 GB version, a lot of government IT managers don’t want their employees walking around with that much storage capacity. “Four gig is very popular,” said Tate.
With the explosion of computer tablets and smart phones in the global marketplace, Tate sees a huge opportunity to sell his LOK-IT device to people using those specific Android-driven tablets and smart phones manufactured by Samsung, Lenovo and Cisco which contain host USB ports or utilize USB On-The-Go. “Apple devices don’t allow USB connections,” noted Tate, “and that could be the differentiator.”
Of course, not everyone will agree with Systematic Development Group’s view of USB flash drive security. Many leading vendors continue to sell USB devices that rely on software to authenticate their users. Others are actively exploring the use of The Cloud to verify use of the USB drive.
But the LOK-IT device seems to be catching on. That may not be surprising, given the way the focus in IT Security has shifted in recent years. The battleground today is often perceived to be the security of data itself, Tate told GSN.
“We not only have to protect our networks,” he concluded, “but we must also protect our peripherals.”