Written by Simon and Judy

A strong case for hardware USB encryption and an analysis of the weaknesses of software USB encryption.

We have all lost a USB at one point or another. Millions of USBs are lost per year and the potential fallout from lost confidential data can be costly. So it is important to have some sort of security on your USBs so that if they get lost, the data is unrecoverable.

When looking for USB encryption options, it can be difficult to decide which type of encryption mechanism you should use. Between the two types of USB encryption methods, software and hardware encryption, there is a clear winner: hardware. Though software encryption in general has come a long way in a PC environment, in the end, it is still software, and like all software, it is crackable.

Software Encryption is still Software
Though the process is not easy, hacking of even well-made software encryption is possible by skilled programmers. The way software USB encryption functions is by using the user’s password to encrypt the master key, which encrypts the data. In order to access the data within the USB, the hacker only needs to find the password, which will then give him the master key to access the data. In order to find the password, hackers can use a brute-force attack, which is a cryptanalytic attack that checks all possible password combinations until the correct one is found. A relatively secure password such as “F7*eTi!9” can be cracked in minutes or hours depending on the encryption used (64-bit, 128-bit or 256-bit). Once they find the password, they will have access to the encryption key and have complete access to all stored USB data.

Hardware’s Defense
On the other hand, hardware encryption uses an onboard security chip, such as the AES 256-bit Crypto Chip, to perform all encryption and decryption of data along with key generation and handling. Because software encryption depends on the host PC, a hacker can alter the software's programming, for example, to allow an infinite number of password attempts. So, even if a software-encrypted USB had a password counter that limited the number of password attempts, the program could be altered through the PC by a skilled programmer.

Hardware-encrypted USBs will not connect to the PC without the password, so they cannot be altered through the PC. Separating the algorithm and encryption key within the encryption chip from the PC prevents potential hackers from accessing and/or tampering with the encryption program through the host PC.

Along with the separation of the encryption chip, hardware-encrypted USBs use an internal password counter which limits the number of password attempts. By limiting the number of password attempts, the hardware-encrypted USB prevents brute-force attacks from guessing your password, and destroys or freezes the stored data once a user surpasses the limit. So even if you are one of the million people that have lost a USB, the stored information will be kept from prying eyes.
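A minimal model of the two mechanisms described above, the password-wrapped master key and the attempt counter kept inside the device, written as an added example; it is not code from the original article or from any vendor's firmware. The class name, the limit of 5 attempts, the PBKDF2 work factor and the XOR stand-in for AES key wrap are all assumptions.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5          # assumed limit; real devices choose their own
PBKDF2_ROUNDS = 100_000   # assumed work factor for the password-derived keys


class DeviceWiped(Exception):
    """Raised once the retry limit has destroyed the key material."""


class SimulatedSecureDrive:
    """Toy model of the security chip: the host can only call unlock()."""

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        master_key = os.urandom(32)          # the key that would encrypt the data
        kek, mac_key = self._derive(password)
        # XOR with a derived 32-byte key stands in for AES key wrap (simplification).
        self._wrapped = bytes(a ^ b for a, b in zip(master_key, kek))
        self._tag = hmac.new(mac_key, self._wrapped, hashlib.sha256).digest()
        self._failures = 0                   # lives inside the device, not on the PC

    def _derive(self, password: str):
        okm = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt,
                                  PBKDF2_ROUNDS, dklen=64)
        return okm[:32], okm[32:]

    def unlock(self, password: str) -> bytes:
        if self._wrapped is None:
            raise DeviceWiped("retry limit exceeded; key material destroyed")
        kek, mac_key = self._derive(password)
        expected = hmac.new(mac_key, self._wrapped, hashlib.sha256).digest()
        if hmac.compare_digest(expected, self._tag):
            self._failures = 0               # a correct password resets the counter
            return bytes(a ^ b for a, b in zip(self._wrapped, kek))
        self._failures += 1
        if self._failures >= MAX_ATTEMPTS:
            # Destroying the wrapped key makes the encrypted data unrecoverable.
            self._wrapped = self._tag = None
            raise DeviceWiped("retry limit exceeded; key material destroyed")
        raise ValueError(f"wrong password, {MAX_ATTEMPTS - self._failures} attempts left")
```

The counter and the wrapped key are private state of the simulated device, so nothing running on the host can reset one or copy the other; in a software-only product both live in files or code the host can modify.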

Additional USB Security Features worth Having
Whenever a USB is connected to a host PC, regardless of whether it uses hardware or software USB encryption, it is susceptible to viruses and malware. A common USB virus, the Autorun Virus, can alter the autorun.inf file that most USBs use to automatically start the login process. This can lead to an infection of corporate networks if the infected USB is connected to an office PC that is part of an office network. To resolve this issue, USBs are being loaded with anti-virus software to help combat the risk of infection through the host PC. For example, SECUDRIVE has protected all their secure USBs with Trend Micro’s TMUSB 2.0 vaccine program to prevent any infection.

Hardware over Software
When it comes down to the level of security, hardware USB encryption is superior. Its separation of the encryption key and resistance to brute-force attacks make hardware USB encryption much more robust and resistant to hacking attempts. If you are thinking of purchasing software encryption for your USB, think again. If your data is important enough to protect, wouldn’t you want the highest standard in USB encryption protection? Some may argue that software encryption may be cheaper. This may be true initially, but in the long run, the benefits of hardware USB encryption outweigh the initial costs. Why risk losing important information to potential competitors with a subpar encryption method? It isn’t worth risking millions of company dollars to skimp on USB data protection. When it comes to USB encryption, hardware encryption is the obvious choice.