Don’t believe “unhackable” claims. Especially in the hardware department. A portable storage drive marketed as unhackable has succumbed to the tech-savvy hands of a pen tester, and in an embarrassing way too.
The USB stick in question, called the eyeDisk, was recently crowd-funded successfully on Kickstarter. The hacker who had trouble believing its creators’ “unhackable” advertising is David Lodge, of Pen Test Partners. He offers a detailed (and enjoyable) narrative on the subject, revealing that eyeDisk’s unhackable claims are completely false.
But first, eyeDisk’s bold claim:
“With eyeDisk you never need to worry about losing your USB or the vulnerability of your data stored in it. eyeDisk features AES 256-bit encryption for your iris pattern. We develop our own iris recognition algorithm so that no one can hack your USB drive even [if] they have your iris pattern. Your personal iris data used for identification will never be retrieved or duplicated even if your USB is lost.”
During his testing, Lodge essentially found that despite its much-touted iris-scanning capabilities, the “unhackable” device unlocks the volume by sending a password through in clear text, as shown below.
[Image: the password sent in clear text. Credits: David Lodge, Pen Test Partners]
“So what happens if I enter the wrong password? I’ll give you a clue: exactly the same thing. Let me just let you go ‘huh?’ for a second. Yep, no matter what you enter it sends the same packet to the device. This means that the app itself must read this from the device and then resend it when it unlocks it.”
Lodge then proceeded to see where the password is fetched from to improve his attack. After some trial and error, he found the memory address where it was stored, wrote a script and then dumped it.
“So, a lot of complex SCSI commands were used to understand the controller side of the device, but obtaining the password/iris can be achieved by simply sniffing the USB traffic to get the password/hash in clear text,” Lodge says.
“The software collects the password first, then validates the user-entered password BEFORE sending the unlock password. This is a very poor approach given the unhackable claims and fundamentally undermines the security of the device,” he concludes.
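The design flaw Lodge describes, host-side validation of a secret read back from the device, can be modelled next to a device-side check. This is an added example, not eyeDisk's firmware or Lodge's script; the class names, the `bus` list standing in for sniffable USB traffic, and the challenge-response scheme in `HardenedDrive` are all assumptions made for illustration.

```python
import hashlib, hmac, os

def kdf(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

class FlawedDrive:
    """Constructed model of the reported design: the host can read the secret."""
    def __init__(self, password: bytes):
        self._stored = password
    def read_secret(self) -> bytes:
        return self._stored
    def unlock(self, secret: bytes) -> bool:
        return hmac.compare_digest(secret, self._stored)

def flawed_host_unlock(drive, entered: bytes, bus: list) -> bool:
    stored = drive.read_secret()
    bus.append(("dev->host", stored))   # secret crosses the bus on every attempt
    if not hmac.compare_digest(entered, stored):  # validation happens on the host
        return False
    bus.append(("host->dev", stored))
    return drive.unlock(stored)

class HardenedDrive:
    """Assumed alternative: the device verifies a proof and never emits the secret."""
    def __init__(self, password: bytes):
        self.salt = os.urandom(16)
        self._key = kdf(password, self.salt)
        self._nonce = None
    def challenge(self):
        self._nonce = os.urandom(16)
        return self.salt, self._nonce
    def unlock(self, proof: bytes) -> bool:
        if self._nonce is None:
            return False
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        self._nonce = None              # single use: a captured proof cannot be replayed
        return hmac.compare_digest(proof, expected)

def hardened_host_unlock(drive, entered: bytes, bus: list) -> bool:
    salt, nonce = drive.challenge()
    bus.append(("dev->host", salt + nonce))
    proof = hmac.new(kdf(entered, salt), nonce, hashlib.sha256).digest()
    bus.append(("host->dev", proof))
    return drive.unlock(proof)

def secret_on_bus(bus: list, secret: bytes) -> bool:
    """True if the secret appears verbatim in any recorded bus payload."""
    return any(secret in payload for _, payload in bus)
```

Even in the hardened model, the salt, nonce and proof on the bus allow offline guessing of a weak password, so the KDF cost and password strength still matter.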
The technicalities will be interesting for those eager to know exactly how the hack went. For the not-so-tech-savvy demographic wanting a clear verdict on eyeDisk: the device seems to be less secure than its marketing brochure claims. Be careful out there!