CATEGORIES
home News

Supposedly Unhackable eyeDisk Secure Thumb Drive Is Embarrassingly Quite Hackable

by Brandon HillFriday, May 10, 2019, 02:30 PM EDT
eyedisk banner
If you try to market a product as “unhackable,” it stands to reason that someone is going to attempt to hack your device to knock you down a peg or two. That is exactly what happened with eyeDisk, which was first brought to light last year with a successful Kickstarter campaign.

eyeDisk was able to raise over $21,000 from nearly 250 backers and began shipping the thumb drive in 32GB and 128GB capacities earlier this year. The device uses a combination of AES-256 encryption and iris recognition to lock down the device and keep it safe from harm's way. In fact, eyeDisk was billed as "the world’s first USB flash drive that uses iris recognition technology for unbeatable data security."

Researchers from Pen Test Partners were able to put the eyeDisk's "unhackable" claim to the test, and the drive failed spectacularly – despite all the claims via its Kickstarter page touting its security. Although attempts to fool the onboard camera used for the iris unlock feature failed (score one for the eyeDisk team), researcher David Lodge found that he was able to use a USB traffic sniffing tool to easily obtain the backup password that was user-set on the device.

eyedisk password

"That string in red, that’s the password I set on the device. In the clear. Across an easy to sniff bus," writes Lodge. "The bit in blue is a 16 byte hash, which is about the right size for md5 and doesn’t match the hash of the password, so it could be the iris hash.

"Let me just repeat this: this 'unhackable' device unlocks the volume by sending a password through in clear text."

What's even more puzzling is the fact that the device sends its unlock password in plain text before it is even validated -- in other words, you could enter in gibberish into the password field to "unlock" the device in Windows, and the device password will be made visible for anyone monitoring USB traffic.

eyedisk unlocking

Pen Test Partners first attempted to contact eyeDisk on April 4th, after which they promptly responded. On April 9th, the company claimed that it would fix the issue; to which Pen Test Partners gave the company a May 9th deadline before they would publicly disclose their findings. They never received any further communication, so Pen Test Partners -- like clockwork -- disclosed the exploit on May 9th.

"Our advice to vendors who wish to make the claim their device is unhackable, stop, it is a unicorn," said Lodge.

Tags:  security, Hack, hacks, eyedisk
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment