'Unhackable' Encrypted Flash Drive eyeDisk Is, As It Happens, Hackable (techcrunch.com)
According to the findings of Pen Test Partners, a U.K.-based cybersecurity firm, the "unhackable" eyeDisk, an allegedly secure USB flash drive that uses iris recognition to unlock and decrypt the device, is hackable. From a report: In its Kickstarter campaign last year, eyeDisk raised more than $21,000; it began shipping devices in March. There's just one problem: it's anything but "unhackable." Pen Test Partners researcher David Lodge found the device's backup password -- to access data in the event of device failure or a sudden eye-gouging accident -- could be easily obtained using a software tool able to sniff USB device traffic.
Re:So what? (Score:5, Informative)
You obviously didn't RTFA (I know, I must be new here...):
So yeah, if you find the device lying around, you just plug it in and sniff the USB bus while you try a wrong password and you know the right password.
You know, the exact threat scenario this device is supposedly tricked out to prevent.
Only as secure as your weakest link (Score:5, Insightful)
Re:Only as secure as your weakest link (Score:5, Insightful)
The flaw here is the very idea of a "backup password". If you want data to be decryptable using only the right secret key, or the right biometrics, or whatever--with no less secure access possible, you have to stick to that. You have to be willing to just lose access to the encrypted data if the required method becomes impossible. Any less-secure fallback will automatically become the attack vector. Governments who want backdoors are always willfully ignorant of that.
Re: (Score:2)
..."ignorant" he says
No, it's a most definitely a feature to them.
Thanks to parallel construction, a backdoor which they know they could most likely defeat means they wouldn't need a warrant or to go through the proper channels.
Re:Only as secure as your weakest link (Score:4, Insightful)
The flaw here is the very idea of a "backup password". If you want data to be decryptable using only the right secret key, or the right biometrics, or whatever--with no less secure access possible, you have to stick to that.
The real issue is that people don't want that. Imagine you lost your house key, doesn't matter if you were drunk or robbed or sloppy or whatever but it's gone. And they tell you everything in it is gone, we can bulldoze it and build something new but everything you kept in it is lost. Most people prefer some generally unfeasible but potentially possible battering ram or welding torch, with enough effort you can get back in but it vastly exceeds the value of stealing your stuff. If you had a million dollars, would you want it in an FDIC insured bank account or an offline Bitcoin wallet? If it's the latter, if you lose it you lose it. No ifs, no buts, if you lost the key it's gone forever. I know someone who'd be a millionaire if not for a bad USB stick. Goodbye bitcoins.
Re: (Score:2)
On the other hand, the backup method can be made reasonably secure. Nobody wants a lock on their house where if you lose the key or "lose" the key, you just press the bright red button marked "in case of lost key" to get in.
Re: (Score:2)
I wonder if the backup password could have been implemented in a more secure fashion.
For example, using a mechanism similar to TrueCrypt/VeraCrypt to decrypt a small section to check if the key is valid. This can use bcrypt for some added brute force resistance. Then, once the password validates that check, use that key for the rest of the data. This isn't rocket science, since a similar mechanism has been used to protect 8 character UNIX passwords, crypt(3) since the 1980s.
I don't know if the designers
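One way to build the validate-then-decrypt check this comment describes, as an added example that is neither eyeDisk's firmware nor VeraCrypt code: the host derives a key from the backup password with a slow KDF (scrypt stands in for bcrypt here), checks it against a small verifier block, and only then unwraps the real data key, so the bus carries ciphertext and nothing a sniffer can replay. All names and the header layout are invented for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed header layout at the front of the encrypted area:
#   salt (16 bytes) || wrapped data key (32 bytes) || verifier tag (32 bytes)
# All secret material is derived on the host; the device only stores bytes.
MAGIC = b"EXAMPLE-VOLUME-V1"


def derive_key(password: bytes, salt: bytes) -> bytes:
    # scrypt stands in for bcrypt (both are deliberately slow). Cost is kept
    # low so the example runs quickly; raise n for a real deployment.
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=64)


def create_header(password: bytes, data_key: bytes, salt: Optional[bytes] = None) -> bytes:
    """Wrap a 32-byte data key under the password and add a verifier tag."""
    salt = salt or os.urandom(16)
    kek = derive_key(password, salt)
    wrap_key, mac_key = kek[:32], kek[32:]
    # XOR wrapping is sound here because wrap_key is a fresh 32-byte pad per salt.
    wrapped = bytes(a ^ b for a, b in zip(data_key, wrap_key))
    tag = hmac.new(mac_key, MAGIC + wrapped, hashlib.sha256).digest()
    return salt + wrapped + tag


def unlock(header: bytes, password: bytes) -> Optional[bytes]:
    """Return the data key if the password verifies, otherwise None."""
    salt, wrapped, tag = header[:16], header[16:48], header[48:80]
    kek = derive_key(password, salt)
    wrap_key, mac_key = kek[:32], kek[32:]
    expected = hmac.new(mac_key, MAGIC + wrapped, hashlib.sha256).digest()
    # Constant-time compare; every wrong password gets the same answer and
    # the plaintext password never has to cross the USB bus to be checked.
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, wrap_key))
```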
Re: (Score:2)
Relevant: https://www.youtube.com/watch?... [youtube.com]
Re:Only as secure as your weakest link (Score:4, Insightful)
Security questions as a backup are okay as long as you remember one thing: always lie.
First childhood pet? ThePlanetUranus
City where you were born? ElmoBumpyTorus
Mother's maiden name? xxxcyberdude420xxx
Nobody is going to find those answers by searching and, even if they try social engineering, you're going to give them the real answers, not the lies you use for security questions.
Re: (Score:2)
City where you were born? ElmoBumpyTorus
Well as I live and breathe, another ElmoBumpyTorusian! Howdy, brother!
Re: (Score:2)
Because they rely on security through obscurity... The iris recognition is highly visible to everyone and good for marketing, but the backdoor requires some knowledge to discover and exploit.
Re: (Score:2)
That is common in the IoT style security industry, from my experience.
Several years ago, I once interviewed at a place that actually called their data center "100% secure", bragging about their physical security which required an optical scan, access card, and PIN. They had a man trap with two doors going in. However, the exit door had a simple household doorknob lock on it with five regular (i.e. bumpable) pins. Needless to say, when I recommended that the manual lock be upgraded to something like an Ab
Always the same old story ... (Score:5, Insightful)
CluelessPHB: This hardware/software is unhackable!!!
Programmer: Challenge accepted!
*few minutes/months/years later device is hacked*
CluelessPHB: WTF!
Programmer: (They never learn.)
When are people going to learn: The FASTEST way to motivate a programmer is to tell them that they can't do something!
Re: (Score:2)
CluelessPHB: This hardware/software is unhackable!!! Programmer: Challenge accepted! *few minutes/months/years later device is hacked* CluelessPHB: WTF! Programmer: (They never learn.)
When are people going to learn: The FASTEST way to motivate a programmer is to tell them that they can't do something!
True, except it was a clueless programmer who set up the password authentication in the first place.
Re: (Score:2)
"When are people going to learn: The FASTEST way to motivate a programmer is to tell them that they can't do something!"
Huh, I always thought it was a combination of hellishly long work hours, occasional pizza, maaaaaybe a foosball table, and unfulfilled promises of equity?
Re: (Score:2)
CluelessPHB: This hardware/software is unhackable!!!
Programmer: Challenge accepted!
*few minutes/months/years later device is hacked*
CluelessPHB: WTF!
Programmer: (They never learn.)
When are people going to learn: The FASTEST way to motivate a programmer is to tell them that they can't do something!
You cannot solve the traveling salesman problem (given a list of cities and the distances between them, find the shortest route that visits all cities and returns to the origin) in polynomial time.
Ball's in your court.
Re: (Score:2)
I will give you this. If I had 100 cities, I cannot give you the absolute -best- answer proven by math in any real time, but I can give you something usable [github.com]. Something close enough for real life work. The ironic thing is even though the Big-O factor for the Traveling Salesman problem is O(n^2*2^n), the Big-O factor can be reduced to O(n) with basic algorithms from over a decade ago or even O(ln(n)) [nih.gov] with more advanced ones. Going from the heat death of the universe to a few seconds is definitely an impro
When are people going to learn: The FASTEST way to motivate a programmer is to tell them that they can't do something!
Do you think that's a bad thing?
Incentivizing attacks is an important goal for anyone who really cares about security. This is why good companies offer bounties, pay pen testers and other security researchers, hire their own attack team, etc.
backup pass? (Score:3)
Isn't it worse that it's sending the password in plain text?
https://techcrunch.com/wp-cont... [techcrunch.com]
In other news, Snake Oil fails to cure cancer (Score:2)
It seems to me (Score:4, Insightful)
that if you want a secure place to store data, you don't want any "in case it breaks/you forget" mode. If it breaks or you forget the passcode or you lose your eye or finger or whatever, your data should be inaccessible to you and everyone else. If you want it to be accessible if the hardware fails, buy two devices and keep a secure copy at a different physical location. If you worry about losing your eye, keep a back up on something that uses a fingerprint or passcode or some other key that isn't likely to fail at the same time you lose your eye.
Bigger news (Score:1)
Re: (Score:3)
Has there ever been a successful kickstarter product? As in something I can buy from a store? If these products are so needed then why don't companies already make them?
Re: (Score:2)
The market is already crowded with devices like this. The best used to be IronKey which was designed extremely well on all fronts, be it physical attack (potted epoxy + zeroing of keys with tamper resistance), brute forcing (the key would either erase itself or actually fry itself, ensuring no way of recovery), to being usable without admin rights.
Other companies like Apricorn have FIPS certified USB flash drives with PIN pads on them which require no drivers on the computer side (the computer just sees a
security is hard. (Score:3)
Toy security (Score:2, Insightful)
This device is meant for millennials who can wave it around like a penis and say "OMG like soooo kewl, I am unpwnable and Uberelite!"
Generation X knows to strongly encrypt the files, as much as possible, and then copy it to an ordinary flash drive (for those really paranoid, double encrypt with two different methods, and maybe do some bit shifting of the encrypted files).
Better to have an ordinary flashdrive which has nearly unrecoverable/unreadable garbage to everybody except the owner, than to use t
Utter Stupidity (Score:2)