Ironkey security review (part 2).

We go on with tests with IronKey. And in this part we’d like to tell you more about the features and functionality of the drive.  The new S200 IronKey model is now compatible with Windows 7. The IronKey S200 1GB is high end and its price reflects that – 79$ USD. Our verdict for this part: screwed-on device and features that makes USB flash drive the most secure and user life a bit complicated.



Security Features that are worth to be mentioned:

  • Self-Destruct Sequence
    We believe it will self-destruct if any hardware reverse-engineer will try to hack it (or even disassemble it). Similarly, after 10 consecutive incorrect password attempts your IronKey will self-destruct using flash-trash technology.
    We didn’t test this feature 🙂
  • Anti-Malware and Autorun Protection
    IronKey has 2 useful options to protect your information against viruses and unauthorized access: 1) It detects and prevents autorun.inf execution from IronKey.  2) User can unlock IronKey partition in a Read-Only Mode. 3) IronKey is automatically locked after inactivity period.
  • Portable Cross-Platform Data Access
    We have used IronKey on Windows and Mac OS X and certainly confirm easy file access on both of these platforms. But  we have noticed that ‘Lost and Found‘ text was lost. Somehow it gets erased and disappear. Maybe this is the S200 issue.
  • Secure Data Backup and Recovery
    It has several levels of back-up that makes IronKey’s user life a bit complicated. In all cases user should remember additional passwords and keep in mind some rules, the main is – you do not get your data from backup till you buy new Ironkey.
  • Self-Learning Password Management
    Securely store and back up all your on-line passwords as well as Applications passwords (Windows Only) as you go with the IronKey Identity Manager.
    If you already use Password Manager you can place it on IronKey and use it.
  • IronKey forces you to keep in mind (or paper) one more Password
    During IronKey setup it prompts you to create an Online Security Vault account for backup purposes. Users could not ignore this invitation – and here you are, there is one more account/password in your mind. And there is no sense to store this password in IK.
  • If you lost your IronKey device IronKey Inc. would force you to buy another one in order to get your backup data back.
  • IronKey Forum!
    We saw people ask IronKey team about new feature or improvements and they implement it.  On the forum you may also have a discussion with IronKey developers. This is cool.
  • Virtual Keyboard.
    It designed to be universal for all Applications and Web forms thus it doesn’t save from Password steal, it just saves your password from being transformed into Key – Strokes that are generated by the keyboard (and then recorded by keyloggers).
  • Lost & Found text.
    We discovered that it may disappear time from time, as you connect IronKey for the 1st time to a guest PC (bug or feature?).
  • PKCS11module
    It is half implemented that is why it cannot be used in Rohos Logon Key as PKCS11 token.

To see this kind of features list and say that this flash drive is highly secure is an understatement – neurotically secure is probably closer to the truth.

Here is our IronKey info before upgrade:

After upgrade:

IronKey Preferences:

IronKey S200: Security Notes.

Though you might be impressed by the features but even such uncrackable USB flash drive has its glitches. And we have come across several ones.

There are many Ironkey reviews across the web resembling each other, listing IK features, and you can easily find one of them. We would like to discuss a few issues that we have noticed.

Big software part

This is the most “software preloaded” USB flash drive we have ever seen. It has many Windows, Linux and Mac OS modules and files. It has also firmware upgrade feature. Most of the files are for Windows. What does it mean for us: As it extensively uses software part it means there is a chance that the solution could be vulnerable. At least the probability of vulnerability could be the same as for software based encryption solutions.

Backup is complicated

IronKey has 3 levels of backup.

  1. Personal account on my.ironkey.com. You need it if you don’t have any other place to write down your IronKey password. This will also allow you to keep IronKey Identity Manager backup (that keep your passwords from web sites and other apps).
  2. Backup your User Name and password for my.ironkey.com. Write down this information somewhere but not on IronKey or my.ironkey.com. You must remember User Name from this account, don’t rely on your email because Password-Reset works by user name and not by email.
  3. Secure backup of your IronKey files on your PC. It has some issues and main issue – you should remember or write down your current IronKey password. Because later if you change IK password then you will not be able to restore files. my.ironkey.com doesn’t keep your IronKey passwords history (but it would be nice to have it).
  4. In order to access your IronKey back that you have from step 3. you need to have IronKey device. So if you lost it, you will not get access to your back up immediately! (You will need to order new ironkey).

IronKey has a secure Files BackUp tool that copies selected files from IronKey into a Windows folder:

  • During backup only the file content is encrypted. Each file/folder name is open
  • Encryption is performed by using current IronKey password.
  • IronKey backup can be easily identified on your PC by the special files inside the Backup folder.
  • It is possible to perform brute force attack to IronKey BackUp to find real password (BackUp Encryption key is encrypted by the current Ironkey password)
  • Warning: If you lose your Ironkey you will not be able to access backup files without new IronKey device.

IronKey hardware has a brute force attack prevention by limited number of password entry attempts (only 10). Thus making users think they could use short and easy-to-remember password for it. Read IronKey CEO interview where this feature is discussed. So if you are using not a very strong password it could be easily recovered using brute-force attack to IronKey Secure Backup stored on your PC (unlimited number of attempts for password guessing is possible).

The possible solution for these issues:

  • my.ironkey.com account could be easily replaced with your .gmail account where you can also securely store IK password backup. + a few most important files in case IK is lost.
  • Any disk encryption software can be used to backup IK files on your notebook. You will be able to access them immediately in case of IronKey lost or failure.

Virtual Keyboard

IronKey has a virtual Keyboard, its primary goal is to avoid Key Loggers steal your passwords (from IronKey, web forms, Windows Apps). But this is a myth.

How it works:

  • You can run it for any window where there is a password field
  • When you click on any button on Virtual Keyboard it sends a EM_REPLACESEL message to EDIT control.

This looks good because no Keystokes are generated (WM_CHAR, or WM_KEYDOWN messages). Ok, let’s  look further – how application get this password

  • Application (IronKey including) sends WM_GETTEXT to this EDIT control and copies Plain Password text into its memory.

Many Trojans, Viruses and RootKits injects into processes and steal your password by sending WM_GETTEXT to the password based EDIT controls.

Look at Inside the Password-Stealing Business report by McAfee , they told: “…  Passwords, TANs, or PINs are then retrieved by sending the dialog a WM_GETTEXT window message. That works with the password character (asterisk) being set, since the Trojan disables this kind of visual obfuscation before reading the password and then re-enabling it using WM_SETPASSWORDCHAR…”.

IronKey reports that their Virtual Keyboard  prevents even from Screen Loggers (screen capture logger) by special features:

  • It allows to randomize buttons
  • It allows to hide button text when you press it.

Ok suppose you have keylogger that also captures screen, this is what you see:


And now guess my password. 🙂

In Rohos products we designed Virtual Keyboard that works only for Rohos, it transfers password directly to Rohos internals without storing it in EDIT control. It will save your password from any malware, but it will not save from detailed screen capture application.

So IronKey Virtual Keyboard saves you from keystroke loggers but doesn’t save from password stealers that are mentioned in McAfee report.

Essencial security features

IronKey protects your data against malware and unauthorized access with additional features:

1) It Prevents modifying Autorun.inf on IronKey. So the USB flash drive virus will be able to store its body on IronKey but it will never be executed. Look at the screenshot:

2) User can unlock and use IronKey in read-only mode. This option can be used on untrusted computer/Mac if you need to access your files, but without worries that a kind of Malware will affect your data.

3) You can set up IronKey to lock automatically after inactivity period.

4) IronKey hardware requires user to re-insert IronKey into USB port after 3 unsuccessful password entry. I think this feature will prevent any malware from password guessing.

Lost & Found text

IronKey has a beautiful feature that allows to set a text notice that will be visible to everyone who connects IronKey to USB port. We think users may relay on this feature also to set a password reminder here.

However we discovered that this Text Notice could unexpectedly disappear, the most obvious reason of this bug or feature – you connect IronKey to a fresh PC (where you connect IK for the 1st time). This is one of supposed behavior of IronKey – portable device. It means there is hardware or software bug. For some reason IronKey internals can be changed without authorization first.

We were able to reproduce this bug many times.

Summary:

  • If you are an average user and are not paranoid about you data security 90% of the IK’s “software”  features are  useless and time consuming for you – this flash drive is definitely not your everyday “buddy”.
  • On the other hand if you are worried about data protection, IronKey is very secure but you have to do many moves and remember some info&rules to “become friends” with the drive.
  • IronKey Backup and Restore is complicated: the main issue – you need to buy another IronKey device in order to get your BackUp back.
  • Bugs: Please note “Lost & Found” message may disappear from time to time.

Take a look at our comparison matrix of Encrypted USB flash drives.