Iris-Reading USB Device Marketed As Unhackable Is Hacked


The eyeDisk, a USB flash drive that claims to be unhackable, has been hacked by a U.K.-based cybersecurity firm called Pen Test Partners, according to a report by TechCrunch.

The device raised upwards of $21,000 in a Kickstarter campaign, and the company behind it began sending out the devices in March.

“With eyeDisk you never need to worry about losing your USB or the vulnerability of your data stored in it. eyeDisk features AES 256-bit encryption for your iris pattern,” the Kickstarter page said. “We develop our own iris recognition algorithm so that no one can hack your USB drive even [if] they have your iris pattern. Your personal iris data used for identification will never be retrieved or duplicated even if your USB is lost.”

Pen Test researcher David Lodge found a way to access the device’s backup password, which is used in the event the device fails or someone is unable to use their eye, by using a software tool that captures USB device traffic.

The device’s real password can also be captured even when someone enters the wrong password. The device hands over its stored password first; only then is it validated against whatever the user entered, and only after that is the unlock password sent back.

“So, a lot of complex SCSI commands were used to understand the controller side of the device, but obtaining the password/iris can be achieved by simply sniffing the USB traffic to get the password/hash in clear text,” Lodge wrote in a blog post explaining how he found the weakness. “The software collects the password first, then validates the user-entered password BEFORE sending the unlock password. This is a very poor approach given the unhackable claims and fundamentally undermines the security of the device.”
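To make the design flaw concrete, here is an added toy model (not eyeDisk’s or Pen Test Partners’ code) of the unlock flow Lodge describes, next to a challenge-response design that keeps the secret off the bus. Both the host software and the device exchange messages over a simulated bus that a passive observer can read, which is all the article says the USB sniffing needed. The password, nonce sizes and PBKDF2 parameters are constructed sample values.

```python
"""Toy model of two unlock designs over an observable bus (added example)."""
import hashlib
import hmac
import secrets

# Constructed sample secret; any value works.
EXAMPLE_PASSWORD = b"correct-horse-example"


class FlawedDevice:
    """The flow the article describes: the host reads the stored password off
    the device, compares it locally, and only then sends the unlock command."""

    def __init__(self, password: bytes):
        self._password = password

    def read_password(self, bus: list) -> bytes:
        bus.append(("device->host", self._password))  # secret crosses the bus
        return self._password

    def unlock(self, bus: list, password: bytes) -> bool:
        bus.append(("host->device", password))
        return hmac.compare_digest(password, self._password)


def flawed_unlock(device: FlawedDevice, user_entry: bytes, bus: list) -> bool:
    real = device.read_password(bus)           # happens before any validation
    if not hmac.compare_digest(user_entry, real):
        return False                           # wrong entry, but secret already leaked
    return device.unlock(bus, real)


def derive_key(password: bytes, salt: bytes) -> bytes:
    # Iteration count is a constructed sample value.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)


class ChallengeResponseDevice:
    """Alternative design: the device holds a salt and a derived key and checks
    an HMAC over a fresh nonce, so neither the password nor the key crosses the
    bus. Someone holding the device can still attack the stored key directly;
    this only removes the leak to a bus observer."""

    def __init__(self, password: bytes):
        self._salt = secrets.token_bytes(16)
        self._key = derive_key(password, self._salt)
        self._nonce = None

    def challenge(self, bus: list) -> tuple:
        self._nonce = secrets.token_bytes(32)
        bus.append(("device->host", self._salt + self._nonce))  # both public
        return self._salt, self._nonce

    def verify(self, bus: list, tag: bytes) -> bool:
        bus.append(("host->device", tag))
        nonce, self._nonce = self._nonce, None  # nonce is single-use
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce, "sha256").digest()
        return hmac.compare_digest(tag, expected)


def challenge_response_unlock(device, user_entry: bytes, bus: list) -> bool:
    salt, nonce = device.challenge(bus)
    key = derive_key(user_entry, salt)         # computed on the host, never sent
    tag = hmac.new(key, nonce, "sha256").digest()
    return device.verify(bus, tag)


def secret_on_bus(bus: list, secret: bytes) -> bool:
    """What a passive observer of the bus learns: True if the secret appears."""
    return any(secret in payload for _, payload in bus)


if __name__ == "__main__":
    flows = [
        ("flawed", FlawedDevice(EXAMPLE_PASSWORD), flawed_unlock),
        ("challenge-response", ChallengeResponseDevice(EXAMPLE_PASSWORD),
         challenge_response_unlock),
    ]
    for name, dev, flow in flows:
        bus = []
        unlocked = flow(dev, b"wrong-guess", bus)
        print(f"{name}: wrong entry unlocked={unlocked}, "
              f"secret observable={secret_on_bus(bus, EXAMPLE_PASSWORD)}")
```

Run with a wrong password, the flawed flow still puts the real password on the bus before it rejects the entry, which is the point of Lodge’s finding; the challenge-response flow exposes only a salt, a nonce and a one-time tag, and a captured tag cannot be replayed because the device discards the nonce after one use.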

Lodge recommends adding additional encryption to the device. When he reached out to eyeDisk, they said they would fix the problem, but have yet to do so.

“In the absence of a fix or any advice from EyeDisk, our advice to users of the device is to stop relying on it as a method of securing your data — unless you apply additional controls such as encrypting your data before you copy it to the device,” Lodge wrote. “Our advice to vendors who wish to make the claim their device is unhackable, stop, it is a unicorn. Get your device tested and fix the issues discovered.”