A FIPS 140-2 certified USB stick found to be insecure

Objectif Sécurité found a FIPS 140-2 Level 2 certified USB stick with biometric authentication and built-in AES-256 hardware encryption to be insecure. While reverse engineering the device, Objectif Sécurité found a way to systematically recover a weakly hashed copy of the master password protecting the encrypted files stored on it. Once cracked, this password gives access to every encrypted file stored on the USB stick. The company producing the key was contacted, and a patch was issued for its customers.