IronKey USB Flash Drive – Hacks – $235M of BitCoin

IronKey is considered a bellwether for encrypted USB flash drives. The company, owned by Kingston Digital (a Southern California–based private company), uses dedicated hardware encryption chips to deliver one of the highest levels of security available in mass storage devices.

GetUSB.info came across an interesting story from Wired Magazine in which one of their authors sent an IronKey device to a Seattle-based security firm called Unciphered to see whether the drive could be accessed. They succeeded.

This is not an easy task to accomplish. IronKey devices use strong protections including FIPS 140-2 Level 3 certification, FIPS 197 compliance, and XTS-AES 256-bit encryption. The design allows only 10 password attempts before the controller permanently wipes the device, which creates a high risk if the password is forgotten.

Unciphered reportedly developed a method that allows for more than the standard 10 password attempts. The exact number of attempts is not publicly known, but it is clearly more than the built-in limit.

Why does this matter, beyond the fact that IronKey may have a security issue to address? In early 2021, it was widely reported that over 7,000 Bitcoin were locked inside an IronKey device because the owner forgot the password. The owner, programmer Stefan Thomas, did not use the Enterprise Management Service that could have enabled recovery. As of October 2023, those 7,000 Bitcoin were valued at more than $235 million.

Credit to Wired Magazine for the original reporting. You can read the full story by Andy Greenberg.