Home Cyber Crime ‘Unhackable’ eyeDisk flash drive exposes passwords in clear textual content

‘Unhackable’ eyeDisk flash drive exposes passwords in clear textual content

by ethhack

Probably the most hacked passwords: Is yours one in all them?
Your identify, your favourite soccer workforce and your favorite band: The UK’s Nationwide Cyber Safety Centre has launched a listing of the 100,000 most typical passwords to seem in information breaches. Learn extra: https://zd.web/2UYNnKP

At any time when services or products distributors use the phrase “unhackable,” they’re setting themselves up for the scrutiny of safety researchers.

As we have beforehand seen with the Viper good automobile alarms and the Bitfi pockets — each marketed as principally hackerproof — the time period “unhackable” is a crimson flag to a bull within the cybersecurity realm.

In the first case, researchers have been rapidly capable of finding vulnerabilities which allowed information to be stolen, vehicles to be unlocked, and car alarms to be disabled. Within the second instance, a 15-year-old compromised the Bitfi pockets to play Doom, as a result of, why not?

Classes haven’t been realized concerning the unhackable declare, it appears, and now the eyeDisk USB drive is the newest instance of why such lofty claims must be backed as much as the hilt.

EyeDisk, hosted on the Kickstarter crowdfunding platform, claims to be an “unhackable” USB flash drive which retains “your digital information locked and safe, granting entry to solely you.”

The $99 flash drive claims to make use of iris recognition expertise in tandem with AES-256 encryption to maintain data saved on the gadget secure.

“We develop[ed] our personal iris recognition algorithm in order that nobody can hack your USB drive even they’ve your iris sample,” the Kickstarter marketing campaign says. “Your private iris information used for identification won’t ever be retrieved or duplicated even when your USB is misplaced.”

Nevertheless, according to Pen Test Partners researcher David Lodge, the claimed degree of safety carried out inside eyeDisk falls quick.

Lodge not too long ago obtained one of many units and started his investigation. After plugging the eyeDisk right into a Home windows digital machine (VM), the researcher discovered the product got here up as a USB digital camera, a read-only flash quantity, and a detachable media quantity.



The primary activity was to see if the eyeDisk might be unlocked reliably utilizing an iris scan, made doable by holding the gadget’s digital camera as much as your eye. Lodge discovered that roughly two out of thrice, the gadget labored, and within the failed circumstances a backup password was enough.

The following stage concerned exams to see if eyeDisk might be fooled with {a photograph} or the same iris sample, contributed by the researcher’s little one. EyeDisk carried out properly in each circumstances and didn’t unlock.

Nevertheless, when Lodge started to look at eyeDisk’s software program and {hardware} setup, issues started to emerge.

CNET: Ever app trained facial recognition tech on users’ photos, report says

Dissemination of the {hardware} revealed what was principally “a USB keep on with a hub and digital camera connected.”

EyeDisk’s contents are unlocked when the authenticator factor of the gadget passes a password alongside to the controlling software program. The researcher selected to make use of Wireshark, an open-source packet analyzer, to see if he may sniff out the contents. (The most recent variations of Wireshark assist USBPcap for sniffing USB packets in real-time.)

It wasn’t lengthy earlier than it grew to become obvious that the so-called “unhackable” gadget unlocks by sending these passwords in clear textual content.

“So what occurs if I enter the unsuitable password? I am going to provide you with a clue: precisely the identical factor,” the researcher famous. “It doesn’t matter what you enter it sends the identical packet to the gadget. Because of this the app itself should learn this from the gadget after which resend it when it unlocks it.”

TechRepublic: On-device speech recognition may make smart assistants more appealing

“The software program collects the password first, then validates the user-entered password BEFORE sending the unlock password,” Lodge added. “This can be a very poor method given the unhackable claims and basically undermines the safety of the gadget.”

It’s, subsequently, doable to acquire the password/hash, in clear textual content, by merely sniffing the USB site visitors.

Pen Take a look at Companions tried to contact the eyeDisk workforce on April 4, 2019. The seller instantly responded and the complete particulars of the safety issues uncovered by the researchers have been supplied on the identical day.

See additionally: Hackers attack Confluence Servers, hijack power for cryptocurrency mining

By April 9, eyeDisk mentioned it could repair the issue, however no date for a patch was given. The cybersecurity workforce continued to chase the seller, advising that public disclosure can be made on Might 9, but it surely has been radio silence ever since.

“Our recommendation to distributors who want to make the declare their gadget is unhackable, cease,” the researcher says. “it’s a unicorn. Get your gadget examined and repair the problems found.”

ZDNet has reached out to eyeDisk and can replace if we hear again. 

Earlier and associated protection

Have a tip? Get in contact securely through WhatsApp | Sign at +447713 025 499, or over at Keybase: charlie0

Source link

Related Articles

Leave a Comment