Kingston IronKey Keypad Drive: Hardware Security and Performance Review

The Kingston IronKey Keypad 200C is a hardware-encrypted, keypad-secured USB-C flash drive designed for security-conscious travelers. This design addresses concerns about device searches at borders and the difficulty of transferring sensitive files without leaving a digital trail via cloud services.

The 32GB review unit boasts a FIPS 140-3 Level 3 security rating. It also features an IP68 rating, which protects the drive against dust and submersion for up to 30 minutes at 1.5 meters.
Throughput performance is rated for 145MB/s read speeds and 115MB/s write speeds over USB 3.2 Gen-1.

The drive includes an advanced physical design, featuring an alphanumeric keypad on top for entering a PIN directly on the device, signal LEDs, and a dedicated key button. A rubber-sealed protective cap ensures waterproofing.

Unusually for a flash drive, the device incorporates a rechargeable 3.7V LiPo battery. This battery is necessary to allow the PIN to be entered and validated before the drive is plugged in. Initial use requires a charge of 30 to 60 minutes.

Setup was successful on Windows and Linux systems. The drive features several administrative functions, including an admin-account feature that allows a locked-out user to regain access after a forgotten password or brute-force lockout. Other features include read-only mode and a configurable auto-lock timer.

During testing, throughput measurements using CrystalDiskMark exceeded the drive’s rated speeds.

Regarding security, a teardown revealed that the circuit board was fully encapsulated in epoxy resin that resisted isopropyl alcohol, nitro thinner, and physical scraping. Furthermore, a triggered brute-force wipe followed by an attempted data recovery resulted only in unusable data fragments, confirming that the wipe genuinely destroyed the underlying data.

A theoretical vulnerability was flagged involving a University of Cambridge-documented attack. This method involves desoldering the drive’s memory chip before the tenth failed PIN attempt and restoring it from a backup image to reset the failure counter, which could provide an attacker with more guesses against a keyspace of up to a trillion possible passcodes. This is characterized as a sophisticated, hardware-level attack rather than a practical everyday risk.

Mobile compatibility proved to be a limitation during testing. Neither a Samsung Galaxy S24 Ultra nor an older Galaxy S10 recognized the drive directly, even after changing file systems. The drive required connection through a USB-C hub for recognition. Kingston’s support team noted that other units of the same model work fine on an S24 Ultra, suggesting this was an isolated compatibility quirk.

Physically, settings changes often relied on memorized button combinations from the manual due to the keypad’s limited button count, rather than an intuitive on-device menu.

Source: OCInside