Published on May 15th, 2019

‘Unhackable’ USB has been hacked by a group of experts



A USB drive with biometric authentication, allegedly impossible to hack, has been hacked, exposing passwords in plain text, according to IICS cyber security course specialists.

This device, called eyeDisk, is the world’s
first USB drive that uses biometric technology (iris recognition) to protect the
stored information. The device can be used without an Internet
connection, and the user’s biometric measurements are not
transmitted to any platform outside the device itself.

The cyber security course specialists
decided to perform some tests on this device: “while we were doing some
penetration tests into a Bitcoin wallet, the idea of an ‘impossible to hack’
device excited us and we decided to support crowdfunding projects aiming to
design ‘unhackable’ tools”.

“At the beginning of the tests, after
connecting the eyeDisk to a Windows
virtual machine, specialists were able to extract passwords/hashes in plain
text; they simply had to trace the USB traffic”.





Cyber security course experts said that,
basically, eyeDisk was just a USB device with a connected hub and camera; “we
got the password by just tracking the USB traffic”, the specialists
confirmed. Using only a software tool that captures traffic on USB devices, the
experts accessed the device’s backup password, which is used in case
the biometric identifier fails or something happens to the user’s eye.
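The finding above can be turned into a regression check: set a known canary password on a device under test, capture its USB traffic, and confirm the canary never crosses the bus in the clear. The sketch below is an added example, not code from the article or from the researchers; the `Transfer` record, the canary value and the sample payloads are constructed, since the article does not describe eyeDisk's wire format.

```python
# Added example: search captured USB payloads for a known canary password.
from typing import NamedTuple

class Transfer(NamedTuple):
    direction: str   # "OUT" = host to device, "IN" = device to host
    payload: bytes   # data bytes of one captured transfer

# Encodings in which firmware or host software commonly serialises strings.
ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be")

def find_canary(transfers, canary):
    """Return sorted (direction, encoding, offset) hits for the canary.

    Payloads are concatenated per direction before searching, so a secret
    split across two consecutive transfers is still detected.
    """
    streams = {}
    for t in transfers:
        streams.setdefault(t.direction, bytearray()).extend(t.payload)
    hits = []
    for direction, stream in streams.items():
        for enc in ENCODINGS:
            needle = canary.encode(enc)
            offset = stream.find(needle)
            while offset != -1:
                hits.append((direction, enc, offset))
                offset = stream.find(needle, offset + 1)
    return sorted(hits)

# Constructed sample capture: the canary is split across two IN transfers.
CANARY = "Canary-7f3a!"
SAMPLE = [
    Transfer("OUT", b"\x00" * 8),
    Transfer("IN", b"\x01\x02" + b"Canary"),
    Transfer("IN", b"-7f3a!" + b"\x00" * 4),
    Transfer("OUT", b"\xff" * 16),
]
# Constructed capture with no canary, standing in for a device that passes.
CLEAN = [Transfer("IN", bytes(range(32)))]

if __name__ == "__main__":
    for hit in find_canary(SAMPLE, CANARY):
        print("cleartext canary on the bus:", hit)
```

Any hit means the secret is readable by whatever can observe the bus; an empty result only shows that the canary was absent in the encodings tested.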

According to the specialists from the International
Institute of Cyber Security (IICS), this tool has a very poor security approach
and is prone to collapse. EyeDisk developers claimed that this device used a
technology for iris recognition in conjunction with AES-256 encryption.

The developers confirmed that they received a
report on the flaws in eyeDisk on April 9 and promised to launch updates to
correct them; however, the company did not mention an approximate date for the
corrections to be released. The deadline for the company to reveal
the incident and publish its updates expired on May 8th; as this did not occur, the
vulnerability was revealed by the experts the following day.

“After observing so many cases of
‘unhackable’ devices that can actually be hacked, we begin to believe that this
is such a risky statement by the developers; perhaps the ‘unhackable’ concept
has been used in a slightly embellished way”, the specialists concluded.


