Claiming your product is “unhackable” is a sure fire way to attract the attention of security researchers aiming to prove you wrong which is exactly what happened recently to the eyeDisk USB drive.
In its Kickstarter campaign, eyeDisk claimed to be an “unhackable” USB flash drive that keeps “your digital data locked and secure, granting access to only you” through the use of iris recognition technology and AES-256 encryption.
The company offered more details on how its USB drive is able to fend off hacking attempts on its Kickstarter page, saying:
“We developed our own iris recognition algorithm so that no one can hack your USB drive even they have your iris pattern. Your personal iris data used for identification will never be retrieved or duplicated even if your USB is lost.”
Hacking the unhackable
According to Pen Test Partners researcher David Lodge, eyeDisk’s “unhackable” claims fall short as he was able to bypass the device’s security measures fairly quickly after obtaining one for himself.
Lodge began his tests on the device by plugging it into a Windows VM where the USB drive appeared as a USB camera, a read-only flash volume and a removable media volume.
First he tested the eyeDisk’s iris scanner to see if it could be used to consistently unlock the device and this feature worked as advertised roughly two out of three times. Then Lodge tried to fool the device by using a picture of his child (who has a similar iris scan) to unlock it and once again, the device performed as intended.
However, when the researcher began to examine eyeDisk’s software and hardware setup, the real problems emerged since the device is essentially “a USB stick with a hub and camera attached.” The contents stored on the eyeDisk drive are unlocked when the authenticator element passes a password along to the controlling software.
Lodge used the open-source packet analyzer, Wireshark to see if he could sniff out the USB packets being sent from the device. It was then when he realized that the “unhackable” device unlocks by sending these passwords in clear text. This means that its possible to obtain the password/hash in clear text simply by sniffing the USB traffic sent from the eyeDisk.
Pen Test Partners reached out to the eyeDisk team and the firm provided the full details of the security problems discovered to the manufacturer who says they’re working on a fix for the problem. However, the real lesson here is that using the term “unhackable” is just an open invitation to hackers that businesses would be best to avoid using in the future.