‘Unhackable’ eyeDisk flash drive exposes passwords in clear text

The eyeDisk USB drive does not appear to meet its lofty security claims.

The most hacked passwords: Is yours one of them? Your name, your favorite football team and your favourite band: The UK's National Cyber Security Centre has released a list of the 100,000 most common passwords to appear in data breaches. Read more: https://zd.net/2UYNnKP

Whenever product or service vendors use the word "unhackable," they are setting themselves up for the scrutiny of security researchers.

As we've previously seen with the Viper smart car alarms and the Bitfi wallet -- both marketed as basically hackerproof -- the term "unhackable" is a red flag to a bull in the cybersecurity realm.

In the first case, researchers were quickly able to find vulnerabilities which allowed data to be stolen, cars to be unlocked, and vehicle alarms to be disabled. In the second example, a 15-year-old compromised the Bitfi wallet to play Doom, because, why not?

Lessons have not been learned about the unhackable claim, it seems, and now the eyeDisk USB drive is the latest example of why such lofty claims have to be backed up to the hilt.

EyeDisk, hosted on the Kickstarter crowdfunding platform, claims to be an "unhackable" USB flash drive which keeps "your digital data locked and secure, granting access to only you."

The $99 flash drive claims to use iris recognition technology in tandem with AES-256 encryption to keep information stored on the device safe.

"We develop[ed] our own iris recognition algorithm so that no one can hack your USB drive even they have your iris pattern," the Kickstarter campaign says. "Your personal iris data used for identification will never be retrieved or duplicated even if your USB is lost."

However, according to Pen Test Partners researcher David Lodge, the claimed level of security implemented within eyeDisk falls short.

Lodge recently obtained one of the devices and began his investigation. After plugging the eyeDisk into a Windows virtual machine (VM), the researcher found the product came up as a USB camera, a read-only flash volume, and a removable media volume.

screenshot-2019-05-10-at-12-16-36.png

eyeDisk

The first task was to see if the eyeDisk could be unlocked reliably using an iris scan, made possible by holding the device's camera up to your eye. Lodge found that roughly two out of three times, the device worked, and in the failed cases a backup password was sufficient.

The next stage involved tests to see if eyeDisk could be fooled with a photograph or a similar iris pattern, contributed by the researcher's child. EyeDisk performed well in both cases and did not unlock.

However, when Lodge began to examine eyeDisk's software and hardware setup, problems began to emerge.

CNET: Ever app trained facial recognition tech on users' photos, report says

Dissemination of the hardware revealed what was basically "a USB stick with a hub and camera attached."

EyeDisk's contents are unlocked when the authenticator element of the device passes a password along to the controlling software. The researcher chose to use Wireshark, an open-source packet analyzer, to see if he could sniff out the contents. (The latest versions of Wireshark support USBPcap for sniffing USB packets in real-time.)

It wasn't long before it became apparent that the so-called "unhackable" device unlocks by sending these passwords in clear text.

"So what happens if I enter the wrong password? I'll give you a clue: exactly the same thing," the researcher noted. "No matter what you enter it sends the same packet to the device. This means that the app itself must read this from the device and then resend it when it unlocks it."

TechRepublic: On-device speech recognition may make smart assistants more appealing

"The software collects the password first, then validates the user-entered password BEFORE sending the unlock password," Lodge added. "This is a very poor approach given the unhackable claims and fundamentally undermines the security of the device."

It is, therefore, possible to obtain the password/hash, in clear text, by simply sniffing the USB traffic.

Pen Test Partners attempted to contact the eyeDisk team on April 4, 2019. The vendor immediately responded and the full details of the security problems uncovered by the researchers were provided on the same day.

See also: Hackers attack Confluence Servers, hijack power for cryptocurrency mining

By April 9, eyeDisk said it would fix the problem, but no date for a patch was given. The cybersecurity team continued to chase the vendor, advising that public disclosure would be made on May 9, but it has been radio silence ever since.

"Our advice to vendors who wish to make the claim their device is unhackable, stop," the researcher says. "it is a unicorn. Get your device tested and fix the issues discovered."

ZDNet has reached out to eyeDisk and will update if we hear back. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0