How to introduce insecurity through customer feedback
Written by Editor   
Wednesday, 10 September 2008 00:01
So MXI Security produces a line of 'secure' USB memory sticks, such as the Stealth MXP. They seemed pretty hot: they boast AES encryption in specially designed and developed hardware, and they have undertaken and passed FIPS 140-2 certification, so the US National Institute of Standards and Technology (NIST) considers them safe for use within the Federal Government.

The problem is that the people at MXI Security have been listening to their customers, and in doing so they have introduced a 'feature' that opens a bus-sized hole in the protection offered by the Stealth MXP USB memory stick.

Researchers at Objectif Sécurité undertook a review of the security of the device and, after almost throwing in the towel as it were, noticed something that threw the whole security of the device into question.

It seems the developers had implemented a feature that lets the device and its associated software check whether a user has ever used the same password to protect the contents twice. This is an 'Enterprise' feature: when a user is forced by the policy configured on the device to change the password, they cannot reuse a password they have used before. Similar features exist, for instance, within Windows Domain Policy to 'help' improve the security of the passwords a user chooses.

In doing so they created a significant security problem by having the 'saved' password history checked on the PC: to facilitate this, the password history is copied from the stick into the PC's RAM, where it can be read with a debugger. They even made it easy to find in memory by labelling the location with the text string 'PwdHashes'. To compound this, the password hashes were unsalted SHA-1, so they could easily be recovered using rainbow tables.

The 'feature' is enabled and controlled by MXI Security's MXI ACCESS security management software and is not normally enabled by default. However, MXI have released a fix for their MXI ACCESS software that attempts to redress the problem by introducing a salt into the SHA-1 hash of the password.
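To make concrete why the unsalted history described above is a lookup-table problem and what the salt in the vendor's fix changes, here is an added illustration. It is not MXI Security's or Objectif Sécurité's code; the history layout, the sample passwords, the tiny precomputed table and the PBKDF2 iteration count are this example's own assumptions (the article only reports that a salt was added to SHA-1, so the stretching goes one step beyond the fix it describes).

```python
"""Unsalted versus salted password-history entries (added example, not vendor code)."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed sample of a tiny precomputed table: a defender's mental model of
# what a rainbow table provides, reduced to a handful of common passwords.
COMMON_PASSWORDS = ["password", "letmein", "Summer2008", "qwerty"]
PRECOMPUTED_SHA1 = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_entry(password: str) -> str:
    """The weak scheme from the article: a bare SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_unsalted(digest: str) -> Optional[str]:
    """A bare SHA-1 is a fixed fingerprint: one table computed once answers for
    every user and every device that ever stored the same password this way."""
    return PRECOMPUTED_SHA1.get(digest)


def salted_entry(password: str, salt: Optional[bytes] = None,
                 iterations: int = 50_000) -> Tuple[bytes, bytes]:
    """Per-entry random salt plus key stretching via PBKDF2-HMAC-SHA1.

    Assumption of this example: the salt is 16 random bytes stored next to the
    digest, and the iteration count is the example's own choice.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    return salt, digest


def salted_entries_differ(password: str) -> bool:
    """With a fresh salt per entry the same password yields unrelated digests,
    so a table precomputed for one salt says nothing about any other entry."""
    _, d1 = salted_entry(password)
    _, d2 = salted_entry(password)
    return d1 != d2


class PasswordHistory:
    """Reuse check that keeps only salted, stretched digests of past passwords.

    A leaked copy of these entries no longer maps to plaintexts through a
    lookup table; the price is that the check must re-derive the candidate
    against every retained entry's salt.
    """

    def __init__(self, depth: int = 5) -> None:
        self.depth = depth
        self.entries: List[Tuple[bytes, bytes]] = []

    def was_used_before(self, password: str) -> bool:
        for salt, digest in self.entries:
            _, candidate = salted_entry(password, salt)
            # Constant-time comparison so timing does not leak partial matches.
            if hmac.compare_digest(candidate, digest):
                return True
        return False

    def record(self, password: str) -> bool:
        """Accept a new password unless it appears in the retained history."""
        if self.was_used_before(password):
            return False
        self.entries.append(salted_entry(password))
        self.entries = self.entries[-self.depth:]  # keep only the newest `depth`
        return True


if __name__ == "__main__":
    weak = unsalted_entry("letmein")
    print("unsalted SHA-1 maps straight back to:", lookup_unsalted(weak))
    print("salted entries for one password differ:", salted_entries_differ("letmein"))
    history = PasswordHistory(depth=3)
    print("first use accepted:", history.record("Summer2008"))
    print("immediate reuse accepted:", history.record("Summer2008"))
```

The point of the `PasswordHistory` class is that a reuse policy does not need recoverable hashes at all: the host only ever needs to answer "does this candidate match an entry", which works just as well when each entry carries its own salt. Where the check runs (on the stick versus in host RAM) is a separate design question the example does not address.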

This just happens to be the latest installment in a long line of supposedly secure USB devices that have had their security undermined by dumb programming mistakes driven by adding 'cool' features. 
