‘eyeDisk’ USB drive secured with iris recognition reveals password in plain text (pentestpartners.com)
175 points by rbanffy on May 12, 2019 | 22 comments

This unhackable USB drive has a camera and it checks the iris pattern as well as a password before unlocking the storage.

The USB drive doesn't have enough processing power, so the software running on the host implements the iris pattern recognition and authentication.

The problem is, the USB drive stores the password and iris pattern value in plaintext and it's readable without unlocking.

Totally useless.

Biometrics are never going to be able to be used to directly produce a strong key, so it always reduces to a question of how secure is the enclave, and bugs in the pattern recognition.

In this case there was no Secure Enclave at all. If you do have an enclave you trust to keep a private key safe, my preference would always be to use a simple (not trivial) password/passcode and depend on strict rate limiting.

The only way to avoid a private key being stored in an enclave is to derive the key from a strong password. This avoids the whole class of key extraction attacks, but now there is a password that can be attacked offline.

If you combine a decent password with an online hardening / rate limiting system then I think you have something which stands a chance. But I’m building a commercial product in exactly this space, so I’m not entirely unbiased.
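As an added illustration of the trade-off described in the comment above (this is not code from the thread, from eyeDisk or from the commenter's product), the two storage designs side by side: one keeps the password in the stored record, as the thread says the device does, the other stores only a salt and a verifier and re-derives the data key from the password with scrypt, so reading the record without unlocking yields no key, while the password itself remains guessable offline at the KDF's cost. Function names and scrypt parameters are my own assumptions.

```python
import os
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed demo: the "record" is what an attacker can read off the device
# without unlocking it.

def provision_plaintext(password: str, data_key: bytes) -> Dict[str, object]:
    """Flawed design: the stored record itself reveals password and key."""
    return {"password": password, "key": data_key}

def _derive(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    # scrypt is memory-hard, so every offline guess costs the attacker this
    # work as well. n is kept small for a fast demo; production uses far more.
    out = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return out[:32], out[32:]  # (verifier to store, data key kept only in RAM)

def provision_kdf(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Hardened design: store only a salt and a verifier; the data key is
    re-derived from the password on every unlock and never written down."""
    salt = salt or os.urandom(16)
    verifier, _key = _derive(password, salt)
    return {"salt": salt, "verifier": verifier}

def unlock_kdf(record: Dict[str, object], password: str) -> Optional[bytes]:
    """Return the data key on a correct password, None otherwise."""
    verifier, key = _derive(password, record["salt"])
    if hmac.compare_digest(verifier, record["verifier"]):
        return key
    return None

def leaks_password(record: Dict[str, object], password: str) -> bool:
    """Does reading the stored record, without unlocking, expose the password?"""
    needle = password.encode()
    for value in record.values():
        raw = value.encode() if isinstance(value, str) else bytes(value)
        if needle in raw:
            return True
    return False

if __name__ == "__main__":
    bad = provision_plaintext("correct horse", os.urandom(32))
    good = provision_kdf("correct horse")
    print("plaintext design leaks password:", leaks_password(bad, "correct horse"))
    print("KDF design leaks password:", leaks_password(good, "correct horse"))
    print("KDF unlock with right password:", unlock_kdf(good, "correct horse") is not None)
```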

How is what you’re building different from Apple's fingerprint / facial recognition system?

It's not biometric at all, BlindHash is a way to protect passwords from offline attack. Today we have a service to protect passwords at rest (authentication). We are doing a closed beta now which pairs BlindHash with TrueCrypt/VeraCrypt to protect data at rest.

I mean to be fair all of those appear to be cheap junk. You would probably find better results with something from a reputable brand or that has undergone some kind of third party testing.

They're basically all exactly this though, no matter what you're paying this is generally what is underneath. Competent encryption in hardware is difficult, so everybody is doing it in software, and then why is the software hardware-specific to begin with?

Reputable brands that passed FIPS testing have also been hacked in the past. https://securingtomorrow.mcafee.com/business/vulnerability-i...

Synology is a semi-reputable name brand that sells things like NASes and is in one of the links above.

I had that story a long time ago. I've got an A-DATA MyFlash FP1 stick with fingerprint unlock. Somehow it didn't work on Linux. I sniffed the USB and figured out that after the fingerprint check it simply sends a fixed 3-byte command to the stick to switch to real storage instead of dummy storage. You don't even need the password to unlock it.

> x86 is not my thing: I prefer efficient, well-designed machine code such as ARM

shots fired

In fairness, I've never known anyone to describe x86 as anything but... idiosyncratic. It's not terrible, and it goes hand in hand with decades of unbroken backwards compatibility, but it really isn't the most elegant thing.

The original ARM is pretty wacky too. Not as wacky as x86, but not what I would call clean.

Thankfully, unlike x86, ARM’s 64-bit ISA ditched the dumb parts and is very clean.

Intel did try with Itanium, but... Well, decades of backwards compatibility, plus unfortunate design choices.

It makes me sad to think of what we could have had if Intel had built a 64-bit CPU with a clean, straightforward ISA and a compatibility mode for x86-64, instead of the monstrosity that was Itanium.

Ah a kickstarter project. Why am I not surprised...

Still, the corollary of "the unsafest projects will be the ones with the most amount of overblown claims" seems to stand.

Traditional manufacturers of this kind of thing mess up all the time too, kickstarter isn't a very strong signal here IMHO

For a project like this to be considered secure, it should have an open, public design to begin with. That's even more important given the fact that they used Kickstarter.

Here's the Kickstarter page for this thing: https://www.kickstarter.com/projects/eyedisk/eyedisk-unhacka...

The original blog post with more details can be found here: https://www.pentestpartners.com/security-blog/eyedisk-hackin...

That's the same post?

The link was changed.
