
‘eyeDisk’ USB drive secured with iris recognition reveals password in plain text - rbanffy
https://www.pentestpartners.com/security-blog/eyedisk-hacking-the-unhackable-again/
======
ezoe
This _unhackable_ USB drive has a camera and it checks the iris pattern as well
as a password before unlocking the storage.

The USB drive doesn't have enough processing power, so the software running on
the host implements the iris pattern recognition and authentication.

The problem is, the USB drive stores the password and iris pattern value in
plaintext and it's readable without unlocking.

Totally useless.

------
zaroth
Biometrics are never going to be able to be used to directly produce a strong
key, so it always reduces to a question of how secure is the enclave, and bugs
in the pattern recognition.

In this case there was no Secure Enclave at all. If you do have an enclave you
trust to keep a private key safe, my preference would always be to use a
simple (not trivial) password/passcode and depend on strict rate limiting.

The only way to avoid a private key being stored in an enclave is to derive
the key from a strong password. This avoids the whole class of key extraction
attacks, but now there is a password that can be attacked offline.

If you combine a decent password with an online hardening / rate limiting
system then I think you have something which stands a chance. But I’m building
a commercial product in exactly this space, so I’m not entirely unbiased.

~~~
ctvo
How is what you’re building different from Apple's fingerprint / facial
recognition system?

~~~
zaroth
It's not biometric at all, BlindHash is a way to protect passwords from
offline attack. Today we have a service to protect passwords at rest
(authentication). We are doing a closed beta now which pairs BlindHash with
TrueCrypt/VeraCrypt to protect data at rest.

------
32032141
[http://spritesmods.com/?art=bioslimdisk](http://spritesmods.com/?art=bioslimdisk)

[http://spritesmods.com/?art=diskgenie](http://spritesmods.com/?art=diskgenie)

[http://spritesmods.com/?art=biostick](http://spritesmods.com/?art=biostick)

[http://spritesmods.com/?art=securehd](http://spritesmods.com/?art=securehd)

[http://spritesmods.com/?art=secustick](http://spritesmods.com/?art=secustick)

There are some patterns with 'secure USB storage', notably that none of them are
anything besides a toy.

~~~
pmorici
I mean to be fair all of those appear to be cheap junk. You would probably
find better results with something from a reputable brand or that has
undergone some kind of third party testing.

~~~
32032141
They're basically all exactly this though, no matter what you're paying this
is generally what is underneath. Competent encryption in hardware is
difficult, so everybody is doing it in software, and then why is the software
hardware specific to begin with?

------
nshm
I had that story a long time ago. I've got an A-DATA MyFlash FP1 stick with
fingerprint unlock. Somehow it didn't work on Linux. I sniffed the USB and
figured out that after fingerprint check it simply sends a fixed 3-byte
command to the stick to switch to real storage instead of dummy storage. You
don't even need the password to unlock it.

------
nebulous1
> x86 is not my thing: I prefer efficient, well-designed machine code such as
> ARM

shots fired

~~~
yjftsjthsd-h
In fairness, I've never known anyone to describe x86 as anything but...
idiosyncratic. It's not terrible, and it goes hand in hand with decades of
unbroken backwards compatibility, but it really isn't the most elegant thing.

~~~
mikeash
The original ARM is pretty wacky too. Not as wacky as x86, but not what I
would call clean.

Thankfully, unlike x86, ARM’s 64-bit ISA ditched the dumb parts and is very
clean.

~~~
yjftsjthsd-h
Intel did _try_ with Itanium, but... Well, decades of backwards compatibility,
plus unfortunate design choices.

~~~
mikeash
It makes me sad to think of what we could have had if Intel had built a 64-bit
CPU with a clean, straightforward ISA and a compatibility mode for x86-64,
instead of the monstrosity that was Itanium.

------
raverbashing
Ah a kickstarter project. Why am I not surprised...

Still, the corollary of "the unsafest projects will be the ones with the most
amount of overblown claims" seems to stand.

~~~
detaro
Traditional manufacturers of this kind of thing mess up all the time too,
Kickstarter isn't a very strong signal here IMHO.

------
tyingq
Here's the Kickstarter page for this thing:
[https://www.kickstarter.com/projects/eyedisk/eyedisk-unhackable-usb-flash-drive](https://www.kickstarter.com/projects/eyedisk/eyedisk-unhackable-usb-flash-drive)

------
TimNN
The original blog post with more details can be found here:
[https://www.pentestpartners.com/security-blog/eyedisk-hacking-the-unhackable-again/](https://www.pentestpartners.com/security-blog/eyedisk-hacking-the-unhackable-again/)

~~~
nebulous1
That's the same post?

~~~
detaro
link was changed

