Another ‘unhackable’ product has seemingly paid the price of making high claims – this time, it is the eyeDisk flash drive. According to a researcher, the drive that claims to have impeccable data security with iris scan technology ironically exposed passwords in plain text.
eyeDisk Flash Drive Vulnerability
A researcher from Pen Test Partners discovered a vulnerability in the seemingly ‘unhackable’ eyeDisk Flash Drive. He found that the device could expose passwords in plain text, making the data vulnerable. The researcher David Lodge has stated about his findings in his blog post.
As revealed, Lodge first tested the device for some obvious security issues. He found that the drive worked seemingly well as it didn’t unlock with a photograph. Then he proceeded further to dissect the device for its hardware. The device turned out to be a USB stick with a hub and an attached camera. Even then he didn’t find anything alarming.
However, upon inspecting the software, he could detect the problems. He found that the drive’s authenticator element passed along some password to control the software. David Lodge could sniff the USB traffic with Wireshark and found that the device sent these passwords in plain text.
The software collects the password first, then validates the user-entered password BEFORE sending the unlock password.
Consequently, anyone could easily sniff the USB traffic to obtain the passwords in clear text, thereby becoming able to unlock the device and access data.
A lot of complex SCSI commands were used to understand the controller side of the device. But obtaining the password/iris can be achieved by simply sniffing the USB traffic to get the password/hash in clear text.
No Fix Yet – Drive Remains ‘Hackable’
The makers of the gadget claimed superior data security for the device as it operates on iris scan technology. In addition, they also claimed to have an proprietary algorithm that supposedly made the device ‘unhackable’. As claimed in their Kickstarter campaign,
eyeDisk features AES 256-bit encryption for your iris pattern. We develop our own iris recognition algorithm so that no one can hack your USB drive even they have your iris pattern.
Nonetheless, a little meddling with the software by the researcher swiftly unveiled the weakness of such claims. Lodge advises the users of the eyeDisk Flash drive not to rely entirely on the device for data security, particularly when there is no fix from the vendors yet.
In the absence of a fix or any advice from EyeDisk, our advice to users of the device is to stop relying on it as a method of securing your data- unless you apply additional controls such as encrypting your data before you copy it to the device.
Previously, McAfee’s BitFi Wallet and the Viper car alarm system have also made similar claims and, it didn’t take much time for security researchers to prove them wrong. Once again, researchers have seemingly proved that ‘nothing is unhackable’.
Let us know your thoughts in the comments section.