eyeDisk USB drive with biometric protection that cannot be cracked
Most modern methods of biometric protection do not always mean increased security. The failure of eyeDisk developers actually shows more general trends. Unfortunately, in the IT industry it happens that, under the impression of "brilliant" new technologies, people forget about the basics of security.
The developers advertised eyeDisk as an “unbreakable” USB-drive - and successfully issued a “Kickstarter” more than $ 21 Thousands of pre-orders
In fact, the eyeDisk device is a flash card with an integrated camera that scans the iris. Since the computing power of the gadget is not enough for image analysis and authentication, the picture along with the password is transferred via USB to the computer where the special software works.
Scanning and recognition takes about 0.5 seconds.
A 32GB flash drive is sold for $ 99, and investors could order it for $ 50 as part of a crowdfunding campaign. The most expensive 128 GB flash drive costs $ 178 ($ 89). Sales began in March 2019.
The “unbreakable” flash drive attracted the attention of hackers from PenTest Partners. They write
that they first connected the media to the Windows virtual machine. It was recognized as three devices, including a USB camera. The infrared camera takes funny black and white photos: for example, bearded people do not have a beard.
Then penterster opened eyeDisk and examined its insides. Subsequently, it was not useful for hacking, but this is the standard procedure. They drew attention to a curious fact: there are three MCUs on the board (highlighted in red and green in the photos), but there is no central control unit among them, each chip has its own role.
Blue is the camera, and purple is two tssop8 chips (PUYA P25Q040H SPI NOR Flash).
Then it's software time. The latest versions of the Wireshark sniffer are able to listen on USB traffic. For reference, USB mass storage is a shell for SCSI commands, so the general pattern looks like this:
Here are the LUN (Logical Unit Number), under which the device is recognized, and the CDB command descriptor block (Command Descriptor Block). In this case, the top packet sends a SCSI command with opcode 0x06 and receives a response from the device. In USB terminology, the word “In” indicates the direction to the host, “Out” to the device.
Content of the first package:
Contents of the reply packet:
But what packets are transmitted at the time of unlocking the device after successful authentication. First SCSI command from host:
And the device response:
The red color shows the password that is set for the device.As you can see, it is transmitted in the clear. But listening to the USB bus does not pose any difficulty, which the developers did not think at all. Or were they freelancers who were not directly told to implement password encryption (see the article "Web developers write unsafe code by default "
: the same problem on the web).
The blue color on the screenshot highlights 16 bytes of the iris hash - the second factor of two-factor authentication.
The most interesting thing is that if you enter the wrong password or scan an arbitrary iris, the program sends exactly the same data packet to the device, receiving the same answer.
That's all that constitutes an “unbreakable” eyeDisk.
Pentesters fumbled a bit more with flash memory, made a dump and found a specific memory area where the password is stored. Although it was already, in principle, optional. The principal vulnerability is that, for verification, the software requests a password from the device and an iris scan of the real user, which is transmitted in the open form. Information is transmitted with each authentication attempt, and reconciliation occurs on the host.
The vulnerability report was sent to eyeDisk a month ago, the manufacturer promised to fix the vulnerability, but so far it hasn’t given an answer, and in this regard, the pentesters decided to announce the details of the hacking.
Listening to traffic very often reveals vulnerabilities in the Internet of Things and other peripherals. Developers sometimes forget that any transmission channel can be heard. Trendy modern technologies like iris scanning or other biometrics will not add security if we ignore encryption.
Take part in the PKI survey from GlobalSign until May 24, 2019 and you will have the opportunity to win prizes, one of which is the Amazon Gift Card for $ 500.
The survey is available at: www.surveymonkey.com/r/GlobalSignPKI-2019