Paradoxically, eyeDisk, a USB stick that uses iris recognition to unlock the drive, can reveal the device’s password in plain text by trivial means.
eyeDisk is a USB stick that uses iris recognition to unlock the drive and is advertised as the “Unhackable USB Flash Drive”; instead, it can reveal the device’s password in plain text.
Just analyzing the eyeDisk USB stick with the Wireshark packet analyzer
Security expert David Lodge from Pen Test Partners decided to analyze the product after he discovered it on Kickstarter.
“With eyeDisk you never need to worry about losing your USB or the vulnerability of your data stored in it. eyeDisk features AES 256-bit encryption for your iris pattern,” reads the description of the product. “We develop our own iris recognition algorithm so that no one can hack your USB drive even [if] they have your iris pattern. Your personal iris data used for identification will never be retrieved or duplicated even if your USB is lost.”
Lodge enrolled his own eye on the device and noticed that he was able to unlock it on about two out of three attempts. His first tests attempted to bypass the biometric authentication using a photo, but that did not work. He then attempted to use his child’s eyes to unlock the device, but that failed too.
The expert then started analyzing the device’s components, plugging it into a Windows VM to study how it runs.
Lodge concluded that the eyeDisk is composed of three devices:
- A USB camera
- A read-only flash volume
- A removable media volume
He then analyzed all the chips inside the device and concluded that eyeDisk is basically a USB stick with a hub and a camera attached.
“The interesting bit, from a hardware side, is that there is no real central MCU – the Phison NAND controller has the most flexibility; but each chip is specific to a role,” reads the analysis published by the expert.
“What we have here is, literally, a USB stick with a hub and camera attached. That means most of the brains are in the software.”
Lodge pointed out that when the user authenticates to the USB stick, the camera must pass something to the device in order to unlock the drive.
“So I took the lazy way – at some point when I authenticate to it, it must pass something to the device to unlock the private volume.” continues the researcher. “If I could sniff this, I could maybe replay it. Normally I would dig out the Beagle USB sniffer, but I wasn’t anywhere near our office, so I was lazy: I used Wireshark.”
Lodge used Wireshark’s USBPcap support to sniff USB packets in real time and discovered that the host used SCSI Command Descriptor Blocks (CDBs) to exchange commands and data with the device.
The traffic generated while he was unlocking the device included a string containing his password.
“That string in red, that’s the password I set on the device. In the clear. Across an easy to sniff bus. The bit in blue is a 16 byte hash, which is about the right size for md5 and doesn’t match the hash of the password, so it could be the iris hash.” adds Lodge.
“Let me just repeat this: this “unhackable” device unlocks the volume by sending a password through in clear text.”
The expert also analyzed the stick’s controller and the way it uses custom SCSI commands. He found that the attack could be improved with an automated command script that abuses sub opcode 05 to force the password to be dumped.
“Obtaining the password/iris can be achieved by simply sniffing the USB traffic to get the password/hash in clear text,” Lodge concluded. “The software collects the password first, then validates the user-entered password BEFORE sending the unlock password. This is a very poor approach given the unhackable claims and fundamentally undermines the security of the device.”
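A check a product-security tester would run on a capture like the one described above: parse the mass-storage Bulk-Only Transport Command Block Wrappers that carry the SCSI CDBs Lodge observed, and flag any host-to-device data stage that contains readable text next to a vendor-specific command. This is an added example, not Pen Test Partners’ code; the frames are constructed here and the vendor opcode 0xC0 is a placeholder, not the device’s own opcode.

```python
# Added example (not Pen Test Partners' code): audit a captured USB mass-storage
# Bulk-Only Transport exchange for secrets crossing the bus in the clear.
import string
import struct

CBW_SIGNATURE = b"USBC"   # Command Block Wrapper magic, host -> device
CBW_LEN = 31              # 15-byte header followed by a 16-byte command block
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

def parse_cbw(frame: bytes) -> dict:
    """Unpack a 31-byte CBW and expose the SCSI CDB it wraps."""
    if len(frame) != CBW_LEN or frame[:4] != CBW_SIGNATURE:
        raise ValueError("not a Bulk-Only Transport CBW")
    tag, xfer_len, flags, lun, cb_len = struct.unpack_from("<IIBBB", frame, 4)
    cdb = frame[15:15 + cb_len]
    return {
        "tag": tag,
        "data_len": xfer_len,
        "host_to_device": not (flags & 0x80),  # bit 7 clear = data-out stage
        "lun": lun & 0x0F,
        "opcode": cdb[0],
        "vendor_specific": cdb[0] >= 0xC0,      # 0xC0-0xFF are vendor-specific in SCSI
    }

def printable_runs(data: bytes, min_len: int = 8) -> list:
    """Return runs of printable ASCII at least min_len bytes long."""
    runs, cur = [], []
    for b in data + b"\x00":             # trailing NUL flushes the last run
        if chr(b) in PRINTABLE:
            cur.append(chr(b))
            continue
        if len(cur) >= min_len:
            runs.append("".join(cur))
        cur = []
    return runs

def audit_exchange(cbw: bytes, data_stage: bytes) -> dict:
    """Flag a host->device vendor command whose data stage carries readable text."""
    cmd = parse_cbw(cbw)
    cmd["cleartext"] = printable_runs(data_stage) if cmd["host_to_device"] else []
    cmd["suspicious"] = cmd["vendor_specific"] and bool(cmd["cleartext"])
    return cmd

# Constructed sample exchange: vendor opcode 0xC0 is a placeholder, not eyeDisk's;
# the 32-byte data-out stage mixes an ASCII password with a 16-byte hash-like blob.
SAMPLE_CBW = struct.pack("<4sIIBBB", CBW_SIGNATURE, 0x1234, 32, 0x00, 0, 16) + bytes([0xC0] + [0] * 15)
SAMPLE_DATA = b"MyUnlockPass1!\x00\x00" + bytes(range(16))
```

Running `audit_exchange(SAMPLE_CBW, SAMPLE_DATA)` marks the exchange suspicious and lists the password string, while the 16 non-printable bytes that stand in for the hash are left alone.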
Let’s close with the timeline of the flaw:
- 4th April 2019: initial disclosure
- Immediate response from vendor
- 4th April 2019: full details provided
- 8th April: chased, as there was no response or acknowledgement of the issues
- 9th April: vendor acknowledges and advises they will fix – no date given
- 9th April: asked when they expect to fix, notify customers and pause distribution given the fundamental security issue; advised a public disclosure date of 9th May 2019 – no response
- 8th May: final chase before disclosure
- 9th May: disclosed