Section 5.7 of ONFI specification 2.1 allows USB Flash devices (USB keys and other solid state drives) to have a unique identifier that may be queried. (This feature is optional.) This makes it possible to track a drive as it is being used on different computers, violating the owner's privacy giving a record of his or her movements from place to place over time. The unique ID remains visible and unchanged even after the owner has completely erased all the data on the drive.
I hope someone creates a device for which the unique ID is arbitrarily programmable to anything else: this will provide plausible deniability if someone is accused of being in a certain place at a certain time because the ID of a Flash device they own was surreptitiously logged as having been used there.
How prevalent is this problem generally (beyond Flash)? What devices do people own that have unchangeable unique IDs that can be queried by an adversary? CPU's, hard drives, motherboard chipsets, cards, USB peripherals?
No comments :
Post a Comment