"Unhackable" eyeDisk flash drive exposes passwords in clear text


Whenever a vendor describes a product or service as "unhackable", it is inviting scrutiny from security researchers.

As we have seen previously with the Viper Smart Car Alarms and the Bitfi wallet, both marketed as inherently unhackable, the term is a red flag to a bull in the cybersecurity field.

In the first case, researchers quickly found vulnerabilities that allowed data theft, car unlocking and the disabling of vehicle alarms. In the second, a 15-year-old compromised the Bitfi wallet to play Doom on it, because why not?

It seems that lessons about the "unhackable" claim have not been learned, and the eyeDisk USB drive is the latest example of why such claims must be thoroughly backed up.

EyeDisk, funded on the Kickstarter crowdfunding platform, is marketed as an "unhackable" USB flash drive that keeps your digital data locked and secure, allowing only you to access your data.

The $99 flash drive claims to use iris recognition technology in tandem with AES-256 encryption to protect the information stored on the device.

"We develop[ed] our own iris recognition algorithm so that no one can hack your USB stick even if they have your iris pattern," says the Kickstarter campaign. "Your personal iris data used for identification will never be recovered or duplicated, even if your USB key is lost."

However, according to David Lodge, a researcher at Pen Test Partners, the security eyeDisk actually delivers falls short of what is claimed.

Lodge recently obtained one of the devices and began his investigation. After plugging the eyeDisk into a Windows virtual machine, the researcher found that the product presents itself as a USB camera, a read-only flash volume and a removable media volume.

Image: the eyeDisk drive

The first task was to determine whether the eyeDisk could reliably be unlocked with an iris scan, which is performed by holding the device's camera at eye level. Lodge found that the device worked about two times out of three, and that when the scan failed, a backup password was enough to unlock it.

The next step was to test whether eyeDisk could be fooled with a photo, or with a similar-looking iris pattern, supplied by the researcher's child. EyeDisk performed well in both cases and did not unlock.

However, when Lodge began to examine the hardware and software of eyeDisk, problems began to appear.


Taking the hardware apart revealed what was basically "a USB stick with a hub and an attached camera".

EyeDisk's contents are unlocked when the device's authenticator passes a password to the controlling software. The researcher chose to use Wireshark, an open source packet analyzer, to see whether he could observe that exchange. (Recent versions of Wireshark support USBPcap for capturing USB packets in real time.)

It quickly became apparent that the so-called "unhackable" device was unlocked by sending the password in clear text.

"So what happens if I enter a bad password? I'll give you a hint: exactly the same thing," the researcher noted. "No matter what you enter, it sends the same packet to the device, which means that the application itself has to read it from the device and then send it back when it unlocks."


"The software first collects the password and then validates the password entered by the user BEFORE sending the unlock password," added Lodge. "This is a very poor approach, given the unhackable claims, and it fundamentally undermines the security of the device."

It is therefore possible to obtain the password/hash, in plain text, simply by sniffing the USB traffic.
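The design flaw described above is easier to see in a small model. The following is an added example, not Pen Test Partners' code or anything from the eyeDisk firmware: a toy "bus" records every packet the way a USBPcap capture would, a FlawedDevice follows the flow Lodge describes (the app reads the stored password from the device, validates the user's entry on the host, then sends the unlock packet), and a HardenedDevice (an assumed alternative, not the vendor's fix) keeps the secret on the device and verifies a one-time HMAC challenge-response instead.

```python
import hashlib
import hmac
import os

class Bus:
    """Stand-in for the USB link; every packet is recorded, like a USBPcap capture."""
    def __init__(self):
        self.packets = []
    def send(self, direction, pkt):
        self.packets.append((direction, pkt))
        return pkt

# Flawed design, as the article describes it: the host app reads the stored
# password from the device, compares the user's entry locally, then sends it back.
class FlawedDevice:
    def __init__(self, password):
        self._password = password                      # stored secret
    def read_password(self, bus):
        return bus.send("dev->host", self._password)   # secret crosses the bus
    def unlock(self, bus, pkt):
        return bus.send("host->dev", pkt) == self._password

def flawed_unlock(dev, bus, user_entry):
    stored = dev.read_password(bus)    # read happens BEFORE any validation
    if user_entry != stored:
        return False                   # rejected on the host; secret already leaked
    return dev.unlock(bus, stored)

# Hardened alternative (assumed, not the vendor's): the device issues a fresh
# nonce and checks an HMAC over it; the password itself never leaves the device.
class HardenedDevice:
    def __init__(self, password):
        self._key = hashlib.sha256(password).digest()
        self._nonce = None
    def challenge(self, bus):
        self._nonce = os.urandom(16)
        return bus.send("dev->host", self._nonce)
    def unlock(self, bus, response):
        bus.send("host->dev", response)
        if self._nonce is None:        # no outstanding challenge: replay fails
            return False
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        self._nonce = None             # single use
        return hmac.compare_digest(expected, response)

def hardened_unlock(dev, bus, user_entry):
    nonce = dev.challenge(bus)
    key = hashlib.sha256(user_entry).digest()
    return dev.unlock(bus, hmac.new(key, nonce, hashlib.sha256).digest())

def secret_on_bus(bus, password):
    """What a sniffer learns: does the stored password appear in any packet?"""
    return any(password in pkt for _, pkt in bus.packets)
```

With the flawed flow, `secret_on_bus` is true even when the user typed the wrong password; with the challenge-response flow it stays false, and a captured response cannot be replayed.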

Pen Test Partners contacted the eyeDisk team on April 4, 2019. The vendor responded immediately, and full details of the security issues the researchers had found were provided the same day.


On April 9, eyeDisk said it would fix the problem, but no date was set for a patch. The security team continued to chase the vendor, saying that public disclosure would take place on May 9, but there has been radio silence ever since.

"Our advice to vendors who want to claim that their device is unhackable: stop," says the researcher. "It's a unicorn. Get your device tested and fix the issues you find."

ZDNet has reached out to eyeDisk and will update this article if we hear back.
