Click here to close now.

SYS-CON MEDIA Authors: Mike Kavis, Elizabeth White, John Treadway, SmartBear Blog, Liz McMillan

News Feed Item

SPYRUS(R) Announces Its Encrypting and Bootable Windows To Go Drives Are Invulnerable to "BadUSB" Attacks

Proven SPYRUS Design and Manufacturing Solution to Signed Firmware Update Process Has Been Successfully Implemented for Decades

SAN JOSE, CA -- (Marketwired) -- 08/13/14 -- SPYRUS today announced that all SPYRUS bootable Windows To Go and Encrypting Storage Drives, including the Secured by SPYRUS™ Kingston® DT5000, DT6000, and PNY "Secured by SPYRUS™" drives are invulnerable to "BadUSB" attacks.

BadUSB attacks were publicized at the recent presentation from the 2014 Black Hat Conference entitled "BadUSB: On accessories that turn evil," by Karsten Nohl and Jacob Lell of the SRLabs, Berlin. This lab study publicizes a latent, but understood vulnerability, that potentially could affect any unprotected USB or microcontroller network connected device on the market today.

"This is not a previously unknown vulnerability. SPYRUS has been protecting our encrypted drives since our first product design that was used to protect the DoD Defense Message System with a cryptographically secure design that integrates signed firmware updates into the manufacturing process along with selective hardware disabling of update processes," said Tom Dickens, COO, SPYRUS. "This completely defeats USB hack attacks. If the firmware is somehow tampered with after signing, signature verification will fail and the unauthenticated update terminates. Contrary to the presentation's description of the 'limitations' or difficulty of applying the use of code-signing for firmware updates to microcontrollers as an effective deterrent because of the difficulty of implementation, SPYRUS has implemented cryptographic code signing in all our security products as a core competency since the release of our first product."

In essence, this attack can convert benign, normally secure USB peripherals or any vulnerable device controllers into "BadUSBs" or "bad controllers" for purposes determined by an attacker. Conventional malware scanners and antivirus programs cannot detect the tampering after-the-fact. By the time it's detected, it may be too late to reverse the results because of device or system operational failures. The only way to prevent this attack is to understand how to prevent it in the initial design and implementation of the firmware architecture.

The firmware hack attack described in the Nohl-Lell presentation can change, in whole or in part, original unprotected controller firmware code and replace it with new code, indistinguishable from a vendor firmware update. However, unlike a legitimate firmware update from a device vendor, it morphs the controller into whatever new behavior and set of characteristics the attacker desires. This is true whether the memory controller is a USB storage device, automated CNC machine, medical device, energy grid component, or any device controller connected to the "Internet of Things." And from there, these controllers can act as covert vehicles of attack that extract sensitive information, distribute viruses or take over the control of devices and machines even on protected networks.

The SPYRUS manufacturing process embeds cryptographic parameters into the device controller and protects the private digital signing key from theft or cloning. The critical aspects of using digital signatures to verify the authenticity and integrity of a firmware update and its source demand quality creation of a public key pair and private signing key and secure storage and key access. At SPYRUS, these functions are carried out in a U.S. secure facility by U.S. personnel and an access policy that requires two or more authenticated personnel to access the key in a physically locked vaulted room. These standards and procedures are audited regularly and must be maintained continuously, a product lifetime investment that many other controller and device manufacturers are hesitant to make.

The use of code-signed firmware updates, as properly implemented by SPYRUS, has and will continue to mitigate the dangers from these attacks while enabling our devices to be feature enhanced to meet new customer requirements and prolong the lifetime of the device. Other industry-leading security features of SPYRUS encrypting storage and bootable drives include:

  • XTS-AES hardware encrypted compartments
  • Read-Only settings that can be enabled to prevent permanent writes to memory compartments
  • Advanced Elliptic Curve Cryptography support in addition to the older RSA cryptographic algorithm support
  • FIPS 140-2 Level 3 SPYCOS® hardware security module
  • Made In USA security technology
  • Passwords that are never stored on the device in any form
  • Optional use of secure secondary/tertiary DataVault compartments
  • Embedded smartcard capabilities for two-factor authentication
  • New ruggedized tamper-evident water-resistant aluminum case design with tethered end-cap
  • SPYRUS Enterprise Management System to centrally manage access to devices and destroy, enable/disable and audit devices

For a full list of product specific features and for more information regarding the advantages of using SPYRUS products, please visit our website at www.spyrus.com or contact us at [email protected].

Related Links
Windows To Go Video http://technet.microsoft.com/en-us/windows/jj737992
Windows 8.1 Enterprise http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/windows-8-1/enterprise-edition.aspx

About SPYRUS, Inc.

SPYRUS delivers innovative encryption solutions that offer the strongest protection for data in motion, data at rest and data at work. For over 20 years, SPYRUS has delivered leading hardware-based encryption, authentication, and digital content security products to government, financial, and health care enterprises. To prevent the insertion of untrusted components, patented Secured by SPYRUS™ security technology is proudly designed, engineered, and manufactured in the USA to meet FIPS 140-2 Level 3 standards. SPYRUS has collaborated closely with Microsoft to deliver the first certified hardware encrypted portable platform for Windows 7, Windows 8 and Window 8.1. SPYRUS is headquartered in San Jose, California. See www.spyruswtg.com for more information.

SPYRUS, the SPYRUS logo, Secured by SPYRUS, and SPYCOS are either registered trademarks or trademarks of SPYRUS, Inc., in the U.S. and/or other jurisdictions. All other company, organization, and product names are trademarks of their respective organizations.

More Stories By Marketwired .

Copyright © 2009 Marketwired. All rights reserved. All the news releases provided by Marketwired are copyrighted. Any forms of copying other than an individual user's personal reference without express written permission is prohibited. Further distribution of these materials is strictly forbidden, including but not limited to, posting, emailing, faxing, archiving in a public database, redistributing via a computer network or in a printed form.

Latest Stories
The 5th International DevOps Summit, co-located with 17th International Cloud Expo – being held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the...
What exactly is a cognitive application? In her session at 16th Cloud Expo, Ashley Hathaway, Product Manager at IBM Watson, will look at the services being offered by the IBM Watson Developer Cloud and what that means for developers and Big Data. She'll explore how IBM Watson and its partnerships will continue to grow and help define what it means to be a cognitive service, as well as take a look at the offerings on Bluemix. She will also check out how Watson and the Alchemy API team up to off...
The IoT Bootcamp is coming to Cloud Expo | @ThingsExpo on June 9-10 at the Javits Center in New York. Instructor. Registration is now available at http://iotbootcamp.sys-con.com/ Instructor Janakiram MSV previously taught the famously successful Multi-Cloud Bootcamp at Cloud Expo | @ThingsExpo in November in Santa Clara. Now he is expanding the focus to Janakiram is the founder and CTO of Get Cloud Ready Consulting, a niche Cloud Migration and Cloud Operations firm that recently got acquir...
The 17th International Cloud Expo has announced that its Call for Papers is open. 17th International Cloud Expo, to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, APM, APIs, Microservices, Security, Big Data, Internet of Things, DevOps and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding bu...
How do you securely enable access to your applications in AWS without exposing any attack surfaces? The answer is usually very complicated because application environments morph over time in response to growing requirements from your employee base, your partners and your customers. In his session at 16th Cloud Expo, Haseeb Budhani, CEO and Co-founder of Soha, will share five common approaches that DevOps teams follow to secure access to applications deployed in AWS, Azure, etc., and the frict...
SYS-CON Media announced today that John Treadway’s blog has exceeded 475,000 page views. John Treadway, Vice President at Cloud Technology Partners, has surpassed 475,000 page views on the SYS-CON family of online magazines, which includes Cloud Computing Journal, Internet of Things Journal, Big Data Journal, Microservices Journal, and several others. His blog home page at SYS-CON can be found at JohnTreadway.SYS-CON.com.
SYS-CON Events announced today that Column Technologies, a global technology solutions company, will exhibit at SYS-CON's DevOps Summit 2015 New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. Established in 1998, Column Technologies is a leader in application performance and infrastructure management for commercial and federal markets. The company is headquartered in the United States, with a diverse and talented team of more than 350 employees around th...
ProfitBricks has launched its new DevOps Central and REST API, along with support for three multi-cloud libraries and a Python SDK. This, combined with its already existing SOAP API and its new RESTful API, moves ProfitBricks into a position to better serve the DevOps community and provide the ability to automate cloud infrastructure in a multi-cloud world. Following this momentum, ProfitBricks has also introduced several libraries that enable developers to use their favorite language to code ...
SYS-CON Events announced today that Blue Box has been named “Bronze Sponsor” of SYS-CON's DevOps Summit New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. Blue Box delivers Private Cloud as a Service (PCaaS) to a worldwide customer base. Built on a technology platform leveraging decades of operational expertise in cloud and distributed systems, Blue Box Cloud is a managed private cloud product available in both hosted and on-prem versions. Each Blue Box ...
SYS-CON Events announced today Sematext Group, Inc., a Brooklyn-based Performance Monitoring and Log Management solution provider, will exhibit at SYS-CON's DevOps Summit 2015 New York, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Sematext is a globally distributed organization that builds innovative Cloud and On Premises solutions for performance monitoring, alerting and anomaly detection (SPM), log management and analytics (Logsene), search analytics (S...
SYS-CON Events announced today Isomorphic Software, the global leader in high-end, web-based business applications, will exhibit at SYS-CON's DevOps Summit 2015 New York, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Isomorphic Software is the global leader in high-end, web-based business applications. We develop, market, and support the SmartClient & Smart GWT HTML5/Ajax platform, combining the productivity and performance of traditional desktop software ...
SYS-CON Events announced today Arista Networks will exhibit at SYS-CON's DevOps Summit 2015 New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. Arista Networks was founded to deliver software-driven cloud networking solutions for large data center and computing environments. Arista’s award-winning 10/40/100GbE switches redefine scalability, robustness, and price-performance, with over 3,000 customers and more than three million cloud networking ports depl...
SYS-CON Events announced today that SoftLayer, an IBM company, has been named “Gold Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place June 9-11, 2015 at the Javits Center in New York City, NY, and the 17th International Cloud Expo®, which will take place November 3–5, 2015 at the Santa Clara Convention Center in Santa Clara, CA. SoftLayer operates a global cloud infrastructure platform built for Internet scale. With a global footprint of data centers and network points...
SYS-CON Events announced today that Cisco, the worldwide leader in IT that transforms how people connect, communicate and collaborate, has been named “Gold Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Cisco makes amazing things happen by connecting the unconnected. Cisco has shaped the future of the Internet by becoming the worldwide leader in transforming how people connect, communicate and collaborat...
SYS-CON Events announced today that Liaison Technologies, a leading provider of data management and integration cloud services and solutions, has been named "Silver Sponsor" of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York, NY. Liaison Technologies is a recognized market leader in providing cloud-enabled data integration and data management solutions to break down complex information barriers, enabling enterprises to make sm...