Is There Such Thing as An Unhackable USB Drive? Not Yet.

USB Drive in the palm of hand.

They said that the Titanic was unsinkable. Airships like the Hindenburg were supposed to be safe. In fact, anytime anyone invents something and claims it’s incorruptible, the entire world seems to go out of its way to disprove it. That is also the case with the eyeDisk USB stick, a crowdfunded project that claims its product to be “unhackable” and comes with a $99 price tag.

A USB storage device that is invulnerable to the usual nefarious virus or keylogging schemes of Blackhat operators is definitely an attractive notion. USB drives are generally considered safe cold storage because they do not require the Internet to function (and therefore avoid most hacking attempts) but are still liable to other attacks such as infected ports, damage, theft, loss, or other malicious software that can break encoded passwords. The low cost and high capacity capabilities of USB drives still make them very useful and so it’s no wonder that the eyeDisk caught the eye of several tech and security expert somebodies who then proceeded to test it out.

The device uses a combination of iris recognition technology and AES-256 encryption to lock the device. The owners of the Kickstarter campaign claim it is their own algorithm and reassure readers that even if your drive is lost, your identification cannot just be retrieved or duplicated. Promising words that performance tests, unfortunately, fail to live up to.

An expert at Pen Test Partners, David Lodge, examined and tested the device and reported in his blog that it was lacking. Sure, it worked fine and when the biometric scan (the iris recognition tech) failed, a backup password was an easy fix to access data. Photographs of irises (both that matched or were very close) also did not unlock the device.

The issue comes in the construction and method of function. Essentially, the eyeDisk is “a USB stick with a hub and camera attached.” The device works by unlocking content when the authenticator element sends a password to the controlling software…in plain text. Not only does it send in plain text, but regardless of the password you input (correct or not), the proper passcode is revealed. This means that when any attempt to log in is made, you only need a program to “sniff” the USB traffic to easily discover the password written in plain, unencoded language. You don’t even need the password to be correct.

As open source packet analyzers are not exactly difficult to come by (Lodge used Wireshark), this obviously strikes down the “unhackable” qualifier to the eyeDisk stick drive. The disconnected nature of the device’s components, three separate functions without a firm continuity (read: no connecting hardware, only software) between the parts, is troubling and seems almost lazy. The idea is a good one as biometrics are becoming considered more and more viable in daily use but the execution needs work. Pen Test Partners contacted the creators in early April of this year and quickly reassured that fixes were on the way. As of Lodge’s blog post (May 9th), there does not appear to have been anything updated. As the device is born from a Kickstarter campaign, however, the timeline for when this could happen could vary wildly.  We can only hope that the inventors of the eyeDisk hear the advice and warnings from Pen Test Partners and incorporates patches and updates to remedy the issue. Until then, Pen Test Partners recommend that if you continue to use the eyeDisk to also encrypt your data before copying to the drive.