IronKey is the bell-weather for encrypted flash drives. The company, owned by Kingston Digital, a Southern California based private company, uses hardware encryption chips with their USB flash drives which provide the highest level of security known to mass storage devices.
GetUSB.info came across an amazing story by Wired Magazine about how one of the authors at Wired sent an IronKey to a hacking company called Unciphered in Seattle Washington to see if they could access the drive. The did.
This is not an easy task to accomplish. IronKey uses encryption to safeguard important data with FIPS 140-2 Level 3 certified, FIPS 197 certified and XTS-AES 256-bit encryption. The solution allows for 10 tries before the USB controller wipes the device clean of any data. So there is a big risk-reward for using the device and losing the password to the device.
However, Unciphered developed a method to allow more attempts than just 10. It is not entirely clear how many attempts Unciphered is able to apply, but it’s more than 10.
Why is this significant, other than the fact IronKey may now have a security issue on their hands? It is well known in early 2021, a report of just over 7,000 Bitcoin were stranded in an IronKey flash drive due to a forgotten password. The owner, Programmer Stefan Thomas, did not utilize the Enterprise Management Service for password recovery. The 7000 bitcoin is currently (as of Oct 2023) worth over $235 million dollars.
To give Wired Magazine their due credit, read the full story by Andy Greenberg.