Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
CVE-2017-16242
[Description]
An issue was discovered on MECO USB Memory Stick with Fingerprint
MECOZiolsamDE601 devices. The fingerprint authentication requirement
for data access can be bypassed. An attacker with physical access can
send a static packet to a serial port exposed on the PCB to unlock the
key and get access to the data without possessing the required
fingerprint.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
MECO
------------------------------------------
[Affected Product Code Base]
MECO USB Memory Stick with Fingerprint - MECOZiolsamDE601
------------------------------------------
[Affected Component]
USB key security controller
------------------------------------------
[Attack Type]
Physical
------------------------------------------
[Impact Escalation of Privileges]
True
------------------------------------------
[Impact Information Disclosure]
True
------------------------------------------
[Attack Vectors]
Physical access to the USB key.
------------------------------------------
[Reference]
https://www.blackhat.com/us-17/briefings/schedule/index.html#attacking-encrypted-usb-keys-the-hardware-way-7443
https://www.blackhat.com/docs/us-17/thursday/us-17-Picod-Attacking-Encrypted-USB-Keys-The-Hard(ware)-Way.pdf
https://www.elie.net/talk/attacking-encrypted-usb-keys-the-hardware-way
------------------------------------------
[Discoverer]
Remi Audebert, Jean-Michel Picod, Elie Bursztein
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.