BadUSB vs. DataLocker Encrypted Flash Drives (Sentry FIPS, Sentry 3.0, Sentry 3 FIPS)

How BadUSB can infect a USB device and options to defend against it.

White Paper by Lauren Vaughn, DataLocker


Background

First announced at the 2014 Black Hat security conference, a dangerous security flaw called BadUSB allows attackers to turn a USB device against the user and their computer. Essentially, hackers are able to transform a USB into a keyboard, which can be used to type malicious commands harming the victim's computer. BadUSB poses a threat not only to the casual USB user but as well to many companies, organizations, and businesses that transport sensitive data using USB drives.


The way BadUSB works revolves around the fact that many different devices plug into USB ports. By hacking code in the USB firmware, the attacker is capable of reworking the device into something far more dangerous; executing commands and even running malicious programs without the owner ever knowing. Since BadUSB resides in the firmware of the device, the attack code can go unnoticed long after the device’s memory appears to be deleted. 


“These problems can’t be patched. We’re exploiting the very way the USB is designed,” Karsten Nohl, the security researcher who first detailed BadUSB, told Wired in July. 


USBs are commonplace in the workspace, so how can they be protected? Adam Caudill and Brandon Wilson, the two hackers who publicly released the attack code, have now released a partial fix: an epoxy coating.


“Just coat the entire device in a thick hard material that’s nearly impossible to get off without destroying the drive in the process. If you want to hand a USB drive to a stranger and know you can trust it later, this is what it’s come to,” says Caudill. Caudill and Wilson have also released a firmware patch meant to prevent firmware changes altogether, but it is far from universal and not guaranteed.


Solution

It would seem with an unreliable firmware patch and a messy physical fix, the solution is not currently available. Fortunately, there are already products that protect and are unaffected by the attack. One such product is the DataLocker encrypted flash drive. DataLocker encrypted flash drives combine DataLocker-certified and proven technology, including 100% hardware encryption with the ability to connect to a remote management system.


But how does this defend against BadUSB? As mentioned previously, BadUSB infects the firmware of the USB device to manipulate the drive into something harmful. The DataLocker encrypted flash drive firmware is designed in a completely different way from the firmware that the attacking code preys on. The firmware is enforced with controllers designed explicitly to support digital signature authorization. By way of this digital signature authorization, it is able to protect the device from unauthorized firmware changes. Therefore, the attacking code virtually has no way of hacking into the DataLocker encrypted flash drives.


As well, the DataLocker encrypted flash drives design is tamper-proof. The epoxy coating for the chip and flash (also mentioned above as a layer of protection), protects the drive from physical intrusion including water, dirt, and thieves. Add this to the many features and speed of the DataLocker’s onboard zero-footprint software, and users can rest assured of never having to suffer the devastating consequences of a data breach. 


DataLocker encrypted flash drives are a proven and secure way to protect any and all data on a USB device from BadUSB. Secure USB flash drives are an essential component of a comprehensive data loss prevention strategy. Security must be implemented in the hardware in order to combat the evolving threat landscape. With data stored on the hardware-encrypted DataLocker encrypted flash drives, it is always protected from unauthorized access.