A USB stick dubbed eyeDisk that uses iris recognition to unlock the drive claims to be “unhackable” – only, it isn’t. In fact, a simple Wireshark analysis revealed the device’s password – in plain text.
David Lodge of Pen Test Partners noticed the product on Kickstarter, where it amassed enough funding to go into production. Its page notes:
With eyeDisk you never need to worry about losing your USB or the vulnerability of your data stored in it. eyeDisk features AES 256-bit encryption for your iris pattern. We develop our own iris recognition algorithm so that no one can hack your USB drive even [if] they have your iris pattern. Your personal iris data used for identification will never be retrieved or duplicated even if your USB is lost.
After obtaining one of the gadgets, Lodge found that the device correctly paired to his eye, and he was able to unlock it using the biometric feature most of the time (two out of three attempts on average – there’s a backup password in case of failure).
Then he tried to fool the mechanism – but a photograph didn’t do the trick, nor did trying his child’s eyes, which are his same color.
Moving on to hardware, here he ran into two issues – one is that taking it apart nearly destroys the device, so putting it back together again would be a Humpty Dumpty effort that would fool no one if the eyeDisk tried to pass as untampered with.
Two, after analyzing all the chips, Lodge discovered that “what we have here is, literally, a USB stick with a hub and camera attached. That means most of the brains are in the software.”
And then software is where he found the hack.
He noted that with a USB, when a person authenticates to it, the retinal mechanism must pass something to the device in order to unlock its contents.
“If I could sniff this, I could maybe replay it,” Lodge noted in his Thursday analysis.
Using the popular network packet analyzer known as Wireshark, whose USBPcap function allows real-time packet-sniffing from a USB, Lodge was able to determine the that the device used Command Descriptor Blocks (CDB) to send commands to and from the device. The commands used standard USB terminology, he said; i.e., “In” is to the host and “Out” is to the device.
When he activated packet sniffing while unlocking the device, he saw within the CDBs a string containing his password, and another “16-byte hash, which is about the right size for md5 and doesn’t match the hash of the password, so it could be the iris hash.”
As he put it in a nutshell, “This ‘unhackable’ device unlocks the volume by sending a password through in clear text.”
Further, an analysis of eyeDisk’s controller code showed that it was possible to improve the attack with an automated command script that would abuse sub opcode 05 to force the password to be dumped.
“Obtaining the password/iris can be achieved by simply sniffing the USB traffic to get the password/hash in clear text,” Lodge concluded. “The software collects the password first, then validates the user-entered password BEFORE sending the unlock password. This is a very poor approach given the unhackable claims and fundamentally undermines the security of the device.”
Users should thus encrypt any data they plan on storing on the eyeDisk, he noted.
After contacting the vendor, eyeDisk acknowledged the message and asked for more details – but went dark after that, according to Lodge, even though Pen Test Partners warned the company that it would be following a 30-day responsible disclosure process. Absent any additional communication, Pen Test Partners released its findings on May 9.
Threatpost reached out to eyeDisk and will update this post with any further information.
