Pen testing beats iris biometric USB data storage device via backup password
The iris-biometric USB flash drive eyeDisk is not “unhackable”, as its maker claims: UK cybersecurity firm Pen Test Partners has found a way to break into the device without spoofing the iris at all, according to a blog post.
Startup eyeDisk raised more than $21,000 in a successful Kickstarter campaign last year, promising data encryption. The weak point, however, turns out to be the backup password. Pen Test Partners researcher David Lodge says the device matched his iris about two-thirds of the time and was not fooled by attempts to unlock it with his children’s eyes or with a photograph of his own. However, by sniffing the USB traffic between the host software and the device during the unlocking procedure, he was able to recover the backup password in plain text. The password crosses the bus regardless of whether the user enters the correct password or an incorrect one. The same capture also contains a string which Lodge says may be the iris hash.
“The software collects the password first, then validates the user-entered password BEFORE sending the unlock password,” according to Lodge. “This is a very poor approach given the unhackable claims and fundamentally undermines the security of the device.”
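To make the flaw in that flow concrete, the following simulation is an example added by the editor, not code from Pen Test Partners' blog post and not eyeDisk's actual protocol; the opcodes (`GET_PW`, `UNLOCK`, `CHALLENGE`, `RESPOND`), the frame layout and the class names are all constructed for illustration. It models the USB link as a list of captured frames and contrasts the disclose-then-compare design Lodge describes with a challenge-response design in which the device does the verifying and the secret never crosses the bus:

```python
"""Simulation of a disclose-then-compare unlock versus challenge-response.

Editor's added example: opcodes, frame layout and class names are
constructed and are NOT the eyeDisk protocol or Pen Test Partners' tooling.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Bus:
    """Stands in for the USB link; `frames` is what a sniffer would capture."""
    frames: list = field(default_factory=list)

    def send(self, src: str, payload: bytes) -> bytes:
        self.frames.append((src, payload))
        return payload


# ---- vulnerable design: device discloses the secret, host compares it ----

class LeakyDevice:
    def __init__(self, backup_password: str):
        self._password = backup_password.encode()
        self.unlocked = False

    def handle(self, bus: Bus, opcode: bytes, data: bytes = b"") -> bytes:
        if opcode == b"GET_PW":        # device hands over the stored secret on request
            return bus.send("device", self._password)
        if opcode == b"UNLOCK":        # device compares the password the host sends back
            if hmac.compare_digest(self._password, data):
                self.unlocked = True
                return bus.send("device", b"OK")
        return bus.send("device", b"ERR")


def vulnerable_unlock(device: LeakyDevice, bus: Bus, user_entry: str) -> bool:
    bus.send("host", b"GET_PW")
    stored = device.handle(bus, b"GET_PW")       # secret has now crossed the bus
    if not hmac.compare_digest(stored, user_entry.encode()):
        return False                             # host-side check: already too late
    bus.send("host", b"UNLOCK" + stored)         # secret crosses the bus a second time
    return device.handle(bus, b"UNLOCK", stored) == b"OK"


# ---- hardened design: device verifies, secret never leaves it ----

def _derive_key(password: str, salt: bytes) -> bytes:
    # Slow KDF so a captured (nonce, tag) pair is expensive to guess against offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class VerifyingDevice:
    def __init__(self, backup_password: str):
        self._salt = os.urandom(16)
        self._key = _derive_key(backup_password, self._salt)
        self._nonce = None
        self.unlocked = False

    def handle(self, bus: Bus, opcode: bytes, data: bytes = b"") -> bytes:
        if opcode == b"CHALLENGE":
            self._nonce = os.urandom(16)
            return bus.send("device", self._salt + self._nonce)
        if opcode == b"RESPOND" and self._nonce is not None:
            expected = hmac.new(self._key, self._nonce, "sha256").digest()
            self._nonce = None                   # one-shot nonce: no replay of a tag
            if hmac.compare_digest(expected, data):
                self.unlocked = True
                return bus.send("device", b"OK")
        return bus.send("device", b"ERR")


def hardened_unlock(device: VerifyingDevice, bus: Bus, user_entry: str) -> bool:
    bus.send("host", b"CHALLENGE")
    blob = device.handle(bus, b"CHALLENGE")
    salt, nonce = blob[:16], blob[16:]
    tag = hmac.new(_derive_key(user_entry, salt), nonce, "sha256").digest()
    bus.send("host", b"RESPOND" + tag)           # only salt, nonce and tag are on the bus
    return device.handle(bus, b"RESPOND", tag) == b"OK"


def sniff_for_secret(bus: Bus, secret: str) -> bool:
    """What a passive sniffer learns: True if the plaintext secret is in any frame."""
    return any(secret.encode() in payload for _, payload in bus.frames)
```

In the leaky design, `sniff_for_secret` finds the backup password in the capture even after a deliberately wrong guess, mirroring Lodge's observation that the secret appears whether or not the user's entry is correct. In the hardened design a passive capture yields only the salt, the nonce and an HMAC tag. The remaining caveat is that a captured tag still permits offline guessing, which is why the key is derived with a slow KDF and why the backup password itself must be strong; challenge-response fixes the disclosure, not a weak secret.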
Lodge privately reported the vulnerability to eyeDisk on April 4 and received an immediate reply. The company acknowledged the report and said it would provide a fix on April 9, but nothing further was heard, and Lodge published his findings on May 9.
Lodge advises owners of the device not to rely on it for data security, or at least to encrypt their data separately before storing it on the drive. He also says that no technology is unhackable. Infinity Optics, for its part, developed a Biometric Cryptography platform earlier this year which the company says has no error rate and, while revocable, cannot be hacked; those are the vendor's own claims, of the same kind that Lodge's findings call into question.