An “unbreakable” eyeDisk is protected by an iris scan but transmits its password in clear text
EyeDisk USB stick with biometric security that cannot be cracked
The latest biometric security methods do not automatically mean more security. The failure of the eyeDisk developers actually illustrates a more general trend: in the IT industry, under the spell of “brilliant” new technologies, people tend to forget about the basics of security.
The developers touted eyeDisk as an “unbreakable” USB drive and successfully collected over $21,000 in pre-orders on Kickstarter.
In fact, the eyeDisk device is a flash drive with an integrated camera that scans the iris. Since the gadget’s processing power is not sufficient for image analysis and authentication, the image, together with the password, is transferred over USB to a computer running special software.
Scanning and recognition take about 0.5 seconds.
A 32 GB flash drive sells for $99, and backers could order it for $50 as part of the crowdfunding campaign. The most expensive 128 GB flash drive costs $178 ($89 for backers). Sales began in March 2019.
The “unbreakable” flash drive attracted the attention of the hackers at PenTestPartners. They write that the first thing they did was connect the drive to a Windows virtual machine. It was recognized as three devices, including a USB camera. The infrared camera takes funny black-and-white photographs: bearded people, for example, appear without a beard.
The pentesters then opened the eyeDisk and examined its insides. This turned out not to be useful for the attack, but it is standard procedure. They noticed a curious fact: there are three MCUs on the board (highlighted in red and green in the photographs), but there is no central controller among them; each chip has its own role.
The camera is highlighted in blue and the TSSOP8 chip (PUYA P25Q040H SPI NOR Flash) in purple.
Then it was time for the software. Recent versions of the Wireshark packet sniffer can capture traffic on the USB bus. For reference, USB mass storage is a wrapper around SCSI commands, so the general pattern looks something like this:
Visible here are the LUN (Logical Unit Number) under which the device is recognized and the CDB (Command Descriptor Block). In this case, the top packet sends a SCSI command with opcode 0x06 and receives a response from the device. In USB terminology, “In” denotes the direction toward the host and “Out” the direction toward the device.
The contents of the first packet:
The contents of the response packet:
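To make the packet structure described above concrete, here is an added Python decoder for the USB Mass Storage Bulk-Only Transport wrapper that Wireshark displays: the 31-byte Command Block Wrapper (CBW) carrying the LUN, direction flag and CDB, and the 13-byte Command Status Wrapper (CSW) the device answers with. This is not the pentesters' code and not a capture from the eyeDisk; the sample bytes, tag value and opcode table are constructed for illustration (0x06 is shown because it is the opcode seen in the article).

```python
import struct
from dataclasses import dataclass

# USB Mass Storage Bulk-Only Transport: every SCSI command travels in a 31-byte
# Command Block Wrapper (CBW); the device answers with a 13-byte Command Status Wrapper (CSW).
CBW_SIGNATURE = b"USBC"
CSW_SIGNATURE = b"USBS"
CBW_LEN, CSW_LEN = 31, 13

# Small subset of standard SCSI opcodes for labelling; anything else is reported as
# vendor-specific/unknown (0x06, seen on the eyeDisk, is not a standard disk command).
SCSI_OPCODES = {
    0x00: "TEST UNIT READY", 0x03: "REQUEST SENSE", 0x12: "INQUIRY",
    0x1A: "MODE SENSE(6)", 0x25: "READ CAPACITY(10)", 0x28: "READ(10)", 0x2A: "WRITE(10)",
}
CSW_STATUS = {0: "passed", 1: "failed", 2: "phase error"}


@dataclass
class CommandBlockWrapper:
    tag: int
    data_length: int
    direction: str   # "In" = device to host, "Out" = host to device
    lun: int
    cdb: bytes

    @property
    def opcode(self) -> int:
        return self.cdb[0]

    def describe(self) -> str:
        name = SCSI_OPCODES.get(self.opcode, "vendor-specific/unknown")
        return (f"LUN {self.lun} opcode 0x{self.opcode:02X} ({name}) "
                f"{self.direction} {self.data_length} bytes, CDB {self.cdb.hex(' ')}")


def parse_cbw(raw: bytes) -> CommandBlockWrapper:
    """Decode one CBW as it appears on the bus (all multi-byte fields little-endian)."""
    if len(raw) != CBW_LEN:
        raise ValueError(f"CBW must be {CBW_LEN} bytes, got {len(raw)}")
    sig, tag, data_len, flags, lun, cb_len = struct.unpack_from("<4sIIBBB", raw)
    if sig != CBW_SIGNATURE:
        raise ValueError("bad CBW signature")
    cb_len &= 0x1F                      # bits 4..0 hold the CDB length (1..16)
    if not 1 <= cb_len <= 16:
        raise ValueError(f"invalid CDB length {cb_len}")
    return CommandBlockWrapper(
        tag=tag, data_length=data_len,
        direction="In" if flags & 0x80 else "Out",   # bit 7 of bmCBWFlags
        lun=lun & 0x0F,                              # bits 3..0 of bCBWLUN
        cdb=raw[15:15 + cb_len],
    )


def parse_csw(raw: bytes) -> dict:
    """Decode the device's status reply; the tag pairs it with the CBW it answers."""
    if len(raw) != CSW_LEN:
        raise ValueError(f"CSW must be {CSW_LEN} bytes, got {len(raw)}")
    sig, tag, residue, status = struct.unpack("<4sIIB", raw)
    if sig != CSW_SIGNATURE:
        raise ValueError("bad CSW signature")
    return {"tag": tag, "residue": residue, "status": CSW_STATUS.get(status, "reserved")}


# Constructed sample: a 6-byte CDB with opcode 0x06 on LUN 0, asking for 64 bytes In,
# followed by a "passed" CSW with the matching tag. Not a capture from the real device.
SAMPLE_CBW = (CBW_SIGNATURE + struct.pack("<IIBBB", 0x1234, 64, 0x80, 0, 6)
              + bytes([0x06, 0, 0, 0, 0, 0]) + bytes(10))
SAMPLE_CSW = CSW_SIGNATURE + struct.pack("<IIB", 0x1234, 0, 0)

if __name__ == "__main__":
    print(parse_cbw(SAMPLE_CBW).describe())
    print(parse_csw(SAMPLE_CSW))
```

Fed the raw bulk transfer bytes from a USB capture, `describe()` yields the same LUN, direction and opcode summary the Wireshark dissector shows; an opcode outside the standard table is the first hint that a device speaks a vendor protocol worth inspecting.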
But what packets are sent when the device is unlocked after successful authentication? First, the SCSI command from the host:
And the device response:
The password set for the device is highlighted in red. As you can see, it is transmitted in the clear. Listening to the USB bus is not difficult, something the developers apparently did not consider at all. Or perhaps the work was done by freelancers who were never explicitly told to implement password encryption (see the article “Web developers write insecure code by default”: the same problem on the web).
The 16 bytes highlighted in blue in the screenshot are the iris hash, the second factor of the two-factor authentication.
Most interestingly, if you enter the wrong password or scan an arbitrary iris, the program sends exactly the same data packet to the device and receives the same answer.
That is all there is to the “unbreakable” eyeDisk drive.
The pentesters also tinkered a bit with the flash memory, dumped it, and found the specific memory area where the password is stored, although by then this was, in principle, unnecessary. The fundamental vulnerability is that for verification the software requests the real user's password and iris hash from the device, which transmits them in the clear. This information is sent on every authentication attempt, and the comparison happens on the host.
The vulnerability report was sent to eyeDisk a month ago; the manufacturer promised to fix the vulnerability but has still not responded, so the pentesters decided to publish the details of the hack.
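To show why verification on the host is the root of the problem, here is an added Python simulation (not the pentesters' code and not the eyeDisk's real protocol) that contrasts the design observed in the article with a challenge-response alternative in which the comparison happens on the device. The UNLOCK command, the credential values, the SHA-256 key derivation and the HMAC construction are assumptions chosen for illustration; a simple bus recorder stands in for the USB sniffer.

```python
import hashlib
import hmac
import os

# Constructed sample credentials. On the real device the password is chosen by the user and
# the 16-byte iris hash comes from the vendor's recognition software; these are placeholders.
PASSWORD = b"correct horse"
IRIS_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
WRONG_PASSWORD = b"guess"
WRONG_IRIS = bytes(16)


class Bus:
    """Records every transfer, standing in for a USB sniffer such as Wireshark."""

    def __init__(self):
        self.transfers = []

    def send(self, direction, payload):
        self.transfers.append((direction, bytes(payload)))
        return bytes(payload)

    def saw(self, needle):
        return any(needle in payload for _, payload in self.transfers)


class HostVerifiedDevice:
    """Pattern described in the article: the device hands its stored secrets to the host,
    which performs the comparison, so the device never learns whether the attempt was right."""

    def __init__(self, password, iris_hash):
        self._secret = password + iris_hash

    def unlock(self, bus):
        bus.send("Out", b"UNLOCK")           # placeholder for the vendor SCSI command
        return bus.send("In", self._secret)  # stored password and iris hash leave the device


def host_verified_login(device, bus, password, iris_hash):
    stored = device.unlock(bus)              # same request and reply whatever the user typed
    return hmac.compare_digest(stored, password + iris_hash)


class DeviceVerifiedDevice:
    """Alternative design: the secret never leaves the device. The host proves knowledge of
    the password and iris hash with an HMAC over a single-use nonce, and the device decides."""

    def __init__(self, password, iris_hash):
        self._key = hashlib.sha256(password + iris_hash).digest()
        self._nonce = None

    def challenge(self, bus):
        self._nonce = os.urandom(16)
        return bus.send("In", self._nonce)

    def respond(self, bus, tag):
        bus.send("Out", tag)
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        self._nonce = None                   # a challenge can be answered only once
        return hmac.compare_digest(tag, expected)


def device_verified_login(device, bus, password, iris_hash):
    nonce = device.challenge(bus)
    key = hashlib.sha256(password + iris_hash).digest()
    return device.respond(bus, hmac.new(key, nonce, hashlib.sha256).digest())


def compare_designs():
    """Run one correct and one wrong attempt against each design and report what the bus saw."""
    designs = {"host-verified": (HostVerifiedDevice, host_verified_login),
               "device-verified": (DeviceVerifiedDevice, device_verified_login)}
    report = {}
    for name, (device_cls, login) in designs.items():
        bus = Bus()
        device = device_cls(PASSWORD, IRIS_HASH)
        right = login(device, bus, PASSWORD, IRIS_HASH)
        wrong = login(device, bus, WRONG_PASSWORD, WRONG_IRIS)
        first, second = bus.transfers[:2], bus.transfers[2:]
        report[name] = {
            "correct_accepted": right,
            "wrong_accepted": wrong,
            "secret_on_bus": bus.saw(PASSWORD) or bus.saw(IRIS_HASH),
            "wrong_attempt_identical_on_bus": first == second,
        }
    return report


if __name__ == "__main__":
    for name, result in compare_designs().items():
        print(name, result)
```

Running it shows the two properties the article reports for the host-verified design: the password and iris hash cross the bus on every attempt, and the traffic for a wrong attempt is byte-for-byte identical to that for a correct one. In the device-verified design only a fresh nonce and a MAC appear. The alternative is a sketch, not a complete fix: a real device would also need a proper password-based KDF instead of a bare hash, rate limiting of attempts, and protection of the key in its flash, and a captured MAC still allows offline guessing of a weak password.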
Listening to traffic very often reveals vulnerabilities in Internet of Things devices and other peripherals. Developers sometimes forget that any transmission channel can be eavesdropped on. Trendy modern technologies such as iris scanning or other biometrics add no security if encryption is neglected.