If you try to market a product as “unhackable,” it stands to reason that someone is going to attempt to hack your device to knock you down a peg or two. And that is exactly what happened with eyeDisk, which was first brought to light last year with a successful Kickstarter campaign.
eyeDisk was able to raise over $21,000 from nearly 250 backers and began shipping the thumb drive in 32GB and 128GB capacities earlier this year.
The device uses a combination of AES-256 encryption and iris recognition to lock down the device and keep it safe from harm’s way. In fact, eyeDisk was billed as “the world’s first USB flash drive that uses iris recognition technology for unbeatable data security.”
Researchers from Pen Test Partners were able to put the eyeDisk’s “unhackable” claim to the test, and the drive failed spectacularly – despite all the claims via its Kickstarter page touting its security.
Although attempts to fool the onboard camera used for the iris unlock feature failed (score one for the eyeDisk team), one security researcher found that he could use a USB traffic sniffing tool to easily obtain the user-set backup password on the device.
eyeDisk’s contents are unlocked when the authenticator element of the device passes a password along to the controlling software. The researcher chose to use Wireshark, an open-source packet analyzer, to see if he could sniff out that exchange. (The latest versions of Wireshark support USBPcap for sniffing USB packets in real time.)
Let me just repeat this: this ‘unhackable’ device unlocks the volume by sending a password through in clear text.
What’s even more puzzling is the fact that the device sends its unlock password in plain text before it is even validated — in other words, you could enter gibberish into the password field to “unlock” the device in Windows, and the real device password would still be visible to anyone monitoring USB traffic.
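To make the design flaw concrete, here is an added, constructed model of the two approaches (this is not eyeDisk’s code or protocol, and the class and function names are invented for illustration). The flawed device ships its stored password across the bus so the host software can compare it, which is why a bus sniffer recovers the secret even when the user types nonsense; the hardened variant answers a fresh random challenge with an HMAC, so the sniffer only ever sees a nonce and a tag.

```python
import hashlib
import hmac
import secrets

# Constructed, simplified model of a USB authenticator exchange. It is NOT
# eyeDisk's protocol or code; it only contrasts the flaw the article describes
# (secret sent in the clear before validation) with a challenge-response design.


class BusSniffer:
    """Stands in for Wireshark/USBPcap: records every payload on the link."""

    def __init__(self):
        self.captured = []

    def observe(self, direction, payload):
        self.captured.append((direction, bytes(payload)))

    def saw(self, needle):
        """True if the secret bytes appeared anywhere on the bus."""
        return any(needle in payload for _, payload in self.captured)


class PlaintextDevice:
    """Flawed design: the device sends its stored password to the host so the
    host-side software can do the comparison. The secret crosses the bus on
    every attempt, whether or not the user typed the right password."""

    def __init__(self, password):
        self._password = password

    def unlock(self, sniffer, entered):
        sniffer.observe("host->device", entered.encode())
        # Leak: the real password is transmitted before any validation happens.
        sniffer.observe("device->host", self._password.encode())
        return hmac.compare_digest(entered.encode(), self._password.encode())


def derive_key(password, salt):
    """Host derives a per-device key from the user's password (PBKDF2-HMAC-SHA256).
    Only an HMAC of that key over a fresh nonce ever reaches the bus."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ChallengeResponseDevice:
    """Hardened design: the device holds the derived key, issues a random nonce,
    and checks the host's HMAC. A sniffer sees nonce and tag, never the key."""

    def __init__(self, key):
        self._key = key
        self._pending = None

    def challenge(self, sniffer):
        self._pending = secrets.token_bytes(16)
        sniffer.observe("device->host", self._pending)
        return self._pending

    def verify(self, sniffer, tag):
        sniffer.observe("host->device", tag)
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # one-shot nonce: a replayed tag will not verify
        return hmac.compare_digest(expected, tag)


def host_answer(password, salt, nonce):
    """Host side of the hardened exchange: HMAC the nonce with the derived key."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()


def demo():
    """Runs both designs against a sniffer and reports what each one exposed."""
    salt = b"constructed-salt"   # constructed value, would be per-device in practice
    real = "correct horse"       # constructed sample password

    # 1) Flawed device: a wrong guess still puts the stored password on the bus.
    s1 = BusSniffer()
    flawed = PlaintextDevice(real)
    flawed_unlocked = flawed.unlock(s1, "gibberish")
    flawed_leaked = s1.saw(real.encode())

    # 2) Hardened device: wrong guess fails, right guess succeeds, nothing leaks.
    s2 = BusSniffer()
    hard = ChallengeResponseDevice(derive_key(real, salt))
    wrong = hard.verify(s2, host_answer("gibberish", salt, hard.challenge(s2)))
    right = hard.verify(s2, host_answer(real, salt, hard.challenge(s2)))
    hard_leaked = s2.saw(real.encode()) or s2.saw(derive_key(real, salt))

    return flawed_unlocked, flawed_leaked, wrong, right, hard_leaked


if __name__ == "__main__":
    print(demo())  # (False, True, False, True, False)
```

The fresh nonce is what makes a captured tag useless on the next unlock. Note what this does not fix: a host that holds the user's password in memory can still be read by malware on that host, so a drive that wants to resist a compromised PC has to keep the key material on the device side entirely.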
Pen Test Partners first attempted to contact eyeDisk on April 4th, and the company promptly responded. On April 9th, the company said it would fix the issue; Pen Test Partners gave it until May 9th before they would publicly disclose their findings.
They never received any further communication, so Pen Test Partners — like clockwork — disclosed the exploit on May 9th.