It should be clear that the stick's security is quite useless: a simple program can be used to fool the Secustick into sending its unlock command without knowing the password. Besides, the password.exe application can be adapted so that it accepts arbitrary passwords. Should such a program be released into the public domain, anyone who can use a search engine can read the stick's contents without any trouble. Moreover, it looks as if there isn't really much to the so-called 'self destruction' feature, which, according to the data sheet, causes the flash memory [to be] burned. However, as far as we have been able to determine, there isn't any extra hardware on the chip - such as a dc-dc-converter - that could physically destroy the memory by targeting it with more voltage than it can handle.
Secustick importer Walter Preij has responded with surprise to our findings. 'The manufacturer assured me that the system is completely secure', he said. The French supplier told us that their system is not intended to be the ultimate protection. 'Every security system can be cracked. We always tell our customers that they should test the Secustick to see if it lives up to their expectations. Our customers are happy with the level of protection that our product offers. Normally, the amount of security is sufficient, not everyone has the technical expertise that you have', said a spokesperson, ignoring the options that those with malicious intent might have at their disposal, or the possibility that a cracked version of the software is put on the web. According to the company's CEO, there is an improved version of the stick in the pipeline, which should be ready within two months. For really big secrets, the company also has another line of products 'with even better security'.
Our advice should be clear: anyone with 130 euros to spare for a shiny metal USB stick with a necklace is free to go out and spend it on the Secustick, but those who want to carry their data around safely are better off searching for a more advanced model, or to use a regular stick in combination with a program such as TrueCrypt.
Tweakers.net would like to thank Sprite_tm for his extensive technical contributions to this article.
Plug this story