Here's what PCSTATS discovered... and I might note that no other hardware "review" website to test the SuperTalent Luxio picked up on any of these obvious issues as of this article's publication. Just another reason why you should always Get the 'STATS and Stay Informed!
Bug 1) How To Lose Ownership of the Encryption Password:

Here's how PCSTATS did it. Pop the SuperTalent Luxio drive into a USB slot, launch the SecureLock software and set up the private partition with the initial password set to (1). Log out by removing the Luxio from the USB slot.

- Re-insert the Luxio and unlock the drive by typing the correct password (1) into the SecureLock application.
- With the Luxio drive unlocked it is now possible to go to the "Change Password" form and set a new password of (2) without entering anything in the first "Old Password" field (enter 2 in all the other fields).
- Unplug the Luxio drive and then re-insert it.
- Launch SecureLock and attempt to unlock the drive with the new (and unauthorized) password of (2) - the Luxio unlocks!

In other words, if you walk away from your PC for a moment and leave the SuperTalent Luxio plugged in and unlocked, anyone can open up the SecureLock application and change the password of your encrypted USB drive to something entirely new without proving they are authorized to do so. Even Windows challenges user account password changes by demanding the original password! Yikes!
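To make the flaw concrete, here is an added model (constructed for this article, not SuperTalent's SecureLock code) of a password-change handler: the "as shipped" variant accepts an empty "Old Password" field on an unlocked drive exactly as described above, while the hardened variant re-verifies the old password even though the drive is already unlocked. The class name, PBKDF2 storage and round count are assumptions made for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # assumed work factor for the example


class PrivatePartitionPassword:
    """Constructed model (not SuperTalent's code) of the SecureLock password state.
    The password is stored only as a salted PBKDF2 hash."""

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        self._digest = self._derive(password, self._salt)
        self.unlocked = False

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _verify(self, password: str) -> bool:
        return hmac.compare_digest(self._derive(password, self._salt), self._digest)

    def unlock(self, password: str) -> bool:
        self.unlocked = self._verify(password)
        return self.unlocked

    def _store(self, new_password: str) -> None:
        self._salt = os.urandom(16)
        self._digest = self._derive(new_password, self._salt)

    def change_password_as_shipped(self, old: str, new: str, confirm: str) -> bool:
        # Mirrors the behaviour described above: on an unlocked drive the
        # "Old Password" field is never checked, so an empty value is accepted.
        if not self.unlocked or not new or new != confirm:
            return False
        self._store(new)
        return True

    def change_password_hardened(self, old: str, new: str, confirm: str) -> bool:
        # Re-authenticate: the old password must verify even though the drive
        # is already unlocked, so an unattended, unlocked PC is not enough.
        if not self.unlocked or not new or new != confirm:
            return False
        if not self._verify(old):
            return False
        self._store(new)
        return True
```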
Bug 2) Wrong Password / Right Password = Formatted Partition Bug:

Here's what PCSTATS found. Launch the SecureLock software and set up a private partition on the SuperTalent Luxio with the password set to (1).

- Log in once to confirm the password works, then unplug the Luxio USB drive and re-insert it, or simply log off.
- Attempt to unlock the drive through SecureLock in the normal way, but enter an incorrect password three times in a row.
- Enter the correct password on the fourth attempt and watch in horror as the Luxio continues to decline the password even though it's now correct!
- If you enter the correct password on the fifth and sixth attempts it will still reject it. On the sixth attempt, regardless of whether the password is correct, the USB drive will automatically format itself and erase all your data. (Except when Bug 4 happens.)

The only way to escape from this programming Catch-22 is to unplug the USB drive before the format warning, plug it back in and log in anew with the correct password. This leads into PCSTATS' third and fourth major bug discoveries below.
Bug 3) Unlimited Login Attempts for Brute Force Password Hacking:

The Luxio USB drive is supposed to reset itself and format all data on the private partition after five failed login attempts. If you can believe it, anyone can circumvent the five-failed-login limit. Here's how PCSTATS did it. Simply unplug the drive, plug it back in and open up the login window again. Each time the login window is closed the 'failed login attempts' counter seems to reset to 0, so an individual could easily apply brute force password cracking to breach your password.

Not that everyone needs to go to such measures: if the private partition on the Luxio is set to greater than 32GB, all you need to do is log in incorrectly a half-dozen times... Yup, we're not kidding.
Bug 4) Circumvent The Password - Gain Full Access to "Encrypted" Data in 10 seconds:

According to the SuperTalent Luxio product FAQ - "After five consecutive incorrect password attempts the Luxio will automatically reformat itself and all data on the Luxio will be lost. This feature helps protect your data should your Luxio be lost or stolen." Makes sense, otherwise any individual could apply a brute force password hacking tool to crack your password, which is probably something simple like "123456" anyhow.

Well, unfortunately for Luxio owners this doesn't always happen. In fact, all the SuperTalent Luxio encryption measures can be circumvented very easily. Here's how PCSTATS did it with the 64GB Luxio drive we tested in our labs. Purposefully make six incorrect login attempts in a row, provided the private partition is between 33-64GB in size. After the sixth you get full file access. If the private partition is 32GB or less, the drive will automatically format the partition after the last failed login attempt as it is supposed to, erasing all the data it holds.

I'd hazard a guess that the SecureLock application was programmed when 32GB was the maximum USB drive size, so for sizes greater than this its format command fails to engage. A mind boggling oversight, isn't it?

These are the steps PCSTATS took.

- Launch the SecureLock software, create a private partition between 33-64GB in size and set the password to (1).
- Log in once to confirm the password works, and log off.
- Attempt to unlock the drive through SecureLock by entering an incorrect password six times in a row.
- By the sixth attempt the SecureLock software will tell you that it is formatting the private partition and erasing all the data it contained - except that it doesn't actually erase the partition.
- Instead SecureLock disables the password protection on what should be a freshly formatted partition!

The end result is that it only takes six incorrect password attempts to circumvent AES-256 encryption and allow anyone access to the encrypted files (for partitions of 33GB-to-64GB size). This is such a fundamental programming bug that it makes us seriously question just what "encryption" is actually applied on the SuperTalent Luxio.
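Bugs 2, 3 and 4 are all failures of one piece of logic: the failed-attempt counter and the wipe it triggers. The following added model (constructed for this article, not SecureLock's code; the class and method names and the 32GB format cut-off are assumptions modelled on the observations above) shows how that logic should behave: the counter lives on the device and survives unplugging, a correct password on the fourth attempt is honoured, and if the format fails the drive stays locked instead of exposing the data.

```python
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5  # the limit stated in the Luxio FAQ quoted above


class LuxioDeviceModel:
    """Constructed model of per-drive state kept on the device itself, so that
    closing the login window or unplugging the drive cannot reset the counter."""

    def __init__(self, password: str, private_partition_gb: int):
        self.private_partition_gb = private_partition_gb
        self._salt = os.urandom(16)
        self._digest = self._hash(password)
        self.failed_attempts = 0   # persists across replug (closes Bug 3)
        self.locked_out = False    # set once the limit is reached
        self.unlocked = False
        self.wiped = False

    def _hash(self, password: str) -> bytes:
        return hashlib.sha256(self._salt + password.encode()).digest()

    def replug(self) -> None:
        # A power cycle clears only the session, never the failure counter.
        self.unlocked = False

    def _format_private_partition(self) -> bool:
        # Hypothetical firmware call modelled on the article's observation:
        # the as-shipped format silently fails above 32GB (Bug 4).
        if self.private_partition_gb > 32:
            return False
        self.wiped = True
        return True

    def unlock(self, password: str) -> str:
        """Return 'unlocked', 'denied' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if self.locked_out:
            return "denied"  # fail closed: nothing opens the drive any more
        if hmac.compare_digest(self._hash(password), self._digest):
            # A correct password below the limit is honoured (closes Bug 2).
            self.failed_attempts = 0
            self.unlocked = True
            return "unlocked"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_out = True  # stays set even if the wipe below fails
            return "wiped" if self._format_private_partition() else "denied"
        return "denied"
```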
USB Speed Tests

Up next PCSTATS will benchmark this USB flash drive with and without its "hardware encryption" engaged to see what kind of data transfer speeds we can expect from the SuperTalent Luxio.