Supposedly Unhackable eyeDisk Secure Thumb Drive Is Embarrassingly Quite Hackable
eyeDisk raised over $21,000 from nearly 250 backers and began shipping the thumb drive in 32GB and 128GB capacities earlier this year. The device combines AES-256 encryption with iris recognition to lock down the drive and protect the data stored on it. In fact, eyeDisk was billed as "the world's first USB flash drive that uses iris recognition technology for unbeatable data security."
Researchers from Pen Test Partners put the eyeDisk's "unhackable" claim to the test, and the drive failed spectacularly, despite all the security claims made on its Kickstarter page. Although attempts to fool the onboard camera used for the iris unlock feature failed (score one for the eyeDisk team), researcher David Lodge found that, with a USB traffic sniffing tool, he could easily obtain the backup password the user had set on the device.
"That string in red, that’s the password I set on the device. In the clear. Across an easy to sniff bus," writes Lodge. "The bit in blue is a 16 byte hash, which is about the right size for md5 and doesn’t match the hash of the password, so it could be the iris hash.
"Let me just repeat this: this 'unhackable' device unlocks the volume by sending a password through in clear text."
What's even more puzzling is that the device sends its unlock password in plain text before the password is even validated. In other words, you could enter gibberish into the password field to "unlock" the device in Windows, and the real device password would still be visible to anyone monitoring USB traffic.
Pen Test Partners first contacted eyeDisk on April 4, and the company promptly responded. On April 9, the company said it would fix the issue, and Pen Test Partners gave it a May 9 deadline before they would publicly disclose their findings. They never received any further communication, so Pen Test Partners, like clockwork, disclosed the exploit on May 9.
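To make the design flaw concrete, the following Python model is an added example and is not eyeDisk's own protocol or Pen Test Partners' code. It contrasts two constructed unlock flows over a simulated bus (a plain list of the frames that would be visible to a sniffer): a naive device that hands its stored password to the host before any validation, as the article describes, and a challenge-response device that validates on the device side and never puts the secret on the bus. The class and function names, the fixed salt and the iteration count are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# --- Constructed model of the reported flaw ------------------------------
class NaiveDevice:
    """The device answers an unlock request by sending its stored password
    over the bus; the host-side software does the comparison."""

    def __init__(self, password: str) -> None:
        self._password = password.encode()

    def handle_unlock_request(self, bus: list) -> bytes:
        bus.append(self._password)  # the secret crosses the bus in the clear
        return self._password


def naive_host_unlock(device: NaiveDevice, bus: list, entered: str) -> bool:
    # The stored password is transmitted regardless of what the user typed,
    # so even a wrong guess exposes the real password to a bus sniffer.
    stored = device.handle_unlock_request(bus)
    return hmac.compare_digest(stored, entered.encode())


# --- Hardened design: challenge-response with device-side validation -----
# Assumed parameters for the example; a real device would use a per-device
# random salt and a cost chosen for its hardware.
_SALT = b"example-device-salt"
_ITERATIONS = 50_000


def derive_key(password: str) -> bytes:
    """Stretch the password so that a sniffed nonce/response pair is costly
    to attack offline (the response is an HMAC of a random nonce)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


class ChallengeResponseDevice:
    """Stores only the derived key; unlock succeeds only if the host proves
    knowledge of that key for a fresh nonce."""

    def __init__(self, password: str) -> None:
        self._key = derive_key(password)
        self._pending: bytes | None = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def unlock(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, "sha256").digest()
        self._pending = None  # each nonce is single-use, so replays fail
        return hmac.compare_digest(expected, response)


def cr_host_unlock(device: ChallengeResponseDevice, bus: list, entered: str) -> bool:
    nonce = device.challenge()
    bus.append(nonce)
    response = hmac.new(derive_key(entered), nonce, "sha256").digest()
    bus.append(response)  # only nonce and MAC cross the bus, never the password
    return device.unlock(response)


def secret_on_bus(bus: list, password: str) -> bool:
    """What a passive bus sniffer would learn: does any frame carry the password?"""
    needle = password.encode()
    return any(needle in frame for frame in bus)


if __name__ == "__main__":
    bus = []
    dev = NaiveDevice("hunter2")
    print("naive, wrong guess accepted:", naive_host_unlock(dev, bus, "gibberish"))
    print("naive, password visible on bus:", secret_on_bus(bus, "hunter2"))

    bus = []
    dev = ChallengeResponseDevice("hunter2")
    print("challenge-response, correct password:", cr_host_unlock(dev, bus, "hunter2"))
    print("challenge-response, password visible on bus:", secret_on_bus(bus, "hunter2"))
```

The point of the comparison is the bus contents, not the comparison function: with the naive flow a sniffer sees the password even when the typed guess is wrong, while with challenge-response the sniffer sees a random nonce and a MAC, and a captured response cannot be replayed because the device discards each nonce after one use. The remaining exposure is an offline guess against the sniffed pair, which is why the key is stretched with PBKDF2 and why a weak password still matters.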
"Our advice to vendors who wish to make the claim their device is unhackable: stop, it is a unicorn," said Lodge.