Tricked again: Key combination opens Corsair's Padlock 2 flash drive without authorisation

Corsair's Padlock 2 USB drive.
Source: Corsair Corsair have pointed out a vulnerability in their USB flash drives with Padlock 2 access protection. The hole allows stored data to be accessed without authorisation. The flash drives have a mini keyboard for users to key in their PIN in order to access the drive. This allows the drives to work independently of drivers and platforms.

However, the password can be deleted via a special key combination, while the stored data remains intact. As a consequence, the data can reportedly be accessed without having to enter a PIN. Corsair have released instructions for solving the problem, but recommend backing up the data beforehand; instructions for securing the drive are available here.

The vendor didn't comment on what caused the (design) flaw. It also remains unclear whether and why the (plain text) data can be read. After all, Corsair advertises "256-bit hardware data encryption". The vendor's previous model also had a critical vulnerability, as reported by The H in mid 2008: entering the correct PIN only caused the motherboard to be powered up. A bridge between the motherboard's power supply controller and the power supply at the USB connector allowed the drive's PIN control to be bypassed, causing the Padlock to disclose its data without further effort.

(crve)