Be Careful If You Rely on eyeDisk Flash Drives to Store Passwords and Other Sensitive Data
What is an eyeDisk exactly? It's a flash drive that can store your photos, documents, and other files. The MSRP for the 32GB version is $99. The logical next question is obvious: Why is it so eye-wateringly expensive?
eyeDisk was born out of a Kickstarter campaign that saw 246 backers donate just over $21 thousand to the project. It must be said that they were lured in by some pretty bold claims. The one-and-a-half-minute video says that eyeDisk is the first flash drive that protects users' data with iris-recognition technology and that it's the "most innovative and productive way" to keep your documents, projects, personal files, and "embarrassing selfies" safe. The people behind eyeDisk also decided to put the word "unhackable" in a very prominent place on the Kickstarter page. This, as we'll now find out, was a very big mistake.
Another day, another device that claims to be "unhackable" turns out to be anything but
Last year, the penetration testing specialists from Pen Test Partners were examining Bitfi – a hardware bitcoin wallet that was also marketed as "unhackable". Although Bitfi was supported by John McAfee (who, as some of you may know, used to work in the security industry), Pen Test Partners managed to bust the "unhackable" claims pretty easily.
In March, they were playing around with a few smart car alarm systems. The people marketing one of the alarms were following in Bitfi's footsteps and saying that their product was "unhackable". It turned out that the system was very much hackable. You might have guessed what happened to eyeDisk.
eyeDisk stores and relays your password in plaintext
As we mentioned already, eyeDisk acts like a normal USB flash drive, except that it won't let you access your data unless you use the built-in camera to scan your iris and prove that you are the one trying to open the files. Users are also asked to create a password, however, which is meant to act as a backup authentication mechanism in case the camera gets damaged.
Pen Test Partners' David Lodge got his eyeDisk in late March and immediately went about looking for problems. According to him, about a third of his attempts to unlock his own device using his own iris failed, which is hardly great, but on the bright side, he noted that he wasn't able to fool the system using a photograph or the eyes of his child. When he dug deeper, however, he noticed a rather glaring security flaw.
Lodge used Wireshark to capture the packets exchanged between eyeDisk and the computer it's plugged into. He was shocked to find out that upon an unlock attempt, eyeDisk sends the stored password to the PC in clear text. This happens regardless of whether the attempt uses the right password, and the offending packet also contains what Lodge suspects might be an MD5 hash of the owner's iris data. The upshot is that if an eyeDisk device falls into the wrong hands, it can be unlocked with relative ease, and the data inside it could be exposed.
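The flaw described above is a design problem rather than a single bug: the device hands its own secret to the host so the host-side software can do the comparison, which means anyone watching the bus learns the secret no matter what the user typed. The following is an added illustration written for this article, not eyeDisk's code or protocol, and the message layout, class names and sample password are constructed. It contrasts that pattern with one where the device keeps the secret and answers only yes or no.

```python
"""Two unlock designs for a password-protected storage device.

Added illustration for this article; it does not reproduce eyeDisk's actual
protocol. Message fields, class names and the sample password are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample credential, not a real one.
SAMPLE_PASSWORD = "correct-horse"


class LeakyDevice:
    """Flawed pattern: the device emits its stored password so that software
    on the host can compare it. The secret crosses the bus on every attempt,
    whether or not the attempt was right."""

    def __init__(self, password: str) -> None:
        self._password = password

    def unlock_request(self, attempt: str) -> dict:
        """Return the packet a passive observer on the bus would capture."""
        return {
            "stored_password": self._password,  # the leak
            "unlocked": attempt == self._password,
        }


class VerifyingDevice:
    """Corrected pattern: the host sends the attempt, the device verifies it
    against a salted PBKDF2 digest with a constant-time comparison, and the
    only thing that leaves the device is the verdict."""

    ITERATIONS = 100_000  # hypothetical work factor chosen for this example

    def __init__(self, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._digest = self._derive(password, self._salt)

    @classmethod
    def _derive(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cls.ITERATIONS)

    def unlock_request(self, attempt: str) -> dict:
        ok = hmac.compare_digest(self._derive(attempt, self._salt), self._digest)
        return {"unlocked": ok}  # no secret material in the packet


def observe(packet: dict) -> Optional[str]:
    """What a passive bus observer learns about the secret from one exchange."""
    return packet.get("stored_password")


def compare_designs(password: str, wrong_attempt: str) -> dict:
    """Run one wrong and one right attempt against both designs and report
    whether the observer recovered the secret and whether unlock succeeded."""
    leaky = LeakyDevice(password)
    safe = VerifyingDevice(password)
    leaky_wrong = leaky.unlock_request(wrong_attempt)
    safe_wrong = safe.unlock_request(wrong_attempt)
    return {
        "leaky_leaks_on_wrong_attempt": observe(leaky_wrong) == password,
        "leaky_unlocks_with_wrong": leaky_wrong["unlocked"],
        "safe_leaks_on_wrong_attempt": observe(safe_wrong) is not None,
        "safe_unlocks_with_wrong": safe_wrong["unlocked"],
        "safe_unlocks_with_right": safe.unlock_request(password)["unlocked"],
    }


if __name__ == "__main__":
    for key, value in compare_designs(SAMPLE_PASSWORD, "guess").items():
        print(f"{key}: {value}")
```

The point the comparison makes is that host-side verification is the root problem: once the device is the party that reveals the secret, no amount of host-side checking helps, because the host is exactly where an attacker with physical access runs code. Moving verification onto the device and emitting only the verdict removes the plaintext from the bus entirely.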
Following accepted responsible disclosure practices, David Lodge got in touch with eyeDisk's developers immediately after he discovered the flaw in early April. Although they did take their time, the people responsible for the not-at-all-unhackable USB drive acknowledged the issue and told Lodge that they would fix it. What they didn't do is give any sort of deadline for the patch, and after not hearing from them for a month, Pen Test Partners decided that the bug should be reported publicly.
What can we learn from this?
If you own eyeDisk, you might want to carefully think about the type of files that you put on the device. As we mentioned already, the attack is not difficult to pull off, and all the required information is now publicly available. Pen Test Partners advise that if you're going to use eyeDisk for storing any sort of sensitive information, you are better off encrypting the data beforehand.
There is a simple yet powerful lesson for the vendors trying to market security devices and applications as well. Stop calling your products "unhackable".