’Unhackable’ USB has been hacked by a group of experts

A USB drive with biometric authentication, allegedly impossible to hack, has been hacked, exposing passwords in plain text, reported IICS cyber security course specialists.

This device, called eyeDisk, is the world’s first USB drive that uses biometric technology (iris recognition) to protect the stored information. This device can be used without the need for Internet connection, as well as the user’s biometric measurements will not be transmitted to any other platform outside the same device.

Further, cyber security course specialists decided to perform some tests on this device; “while we were doing some penetration tests into a Bitcoin wallet, the idea of an ‘impossible to hack’ device excited us and we decided to support crowd funding projects aiming to design ‘unhackable’ tools”.

“At the beginning of the tests, after connecting the eyeDisk to a Windows virtual machine, specialists were able to extract passwords/hashes in plain text; they simply had to trace the USB traffic”.

Cyber security course experts said that, basically, eyeDisk was just a USB device with a connected hub and camera; “we got the password with just tracking the USB traffic”, the specialists confirmed. Experts accessed the device’s backup password, which is used in case the biometric identifier fails or something happens in the user’s eye, using only a software tool to detect the traffic on the USB devices.

According to the specialists from the International Institute of Cyber Security (IICS) this tool has a very poor security approach and is prone to collapse. EyeDisk developers claimed that this device used a technology for iris recognition in conjunction with AES-256 encryption.

The developers confirmed that they received a report on the flaws in eyeDisk on April 9 and promised to launch updates to correct them; however, the company did not mention an approximate date for the corrections to be released. On May 8th the deadline for the company to reveal the incident and publish its updates finished; as this did not occur, the vulnerability was revealed by the experts the following day.

“After observing so many cases of ‘unhackable’ devices that can actually be hacked, we begin to believe that this is such a risky statement by the developers; perhaps the ‘unhackable’ concept has been used in a slightly embellished way”, the specialists concluded.