We live in a world where security researchers put all sorts of claims to the test. Supposedly leak-proof cups are thrown around, allegedly unbreakable objects are hurled against walls, and purportedly indestructible devices are taken apart by security researchers every day, just to see. Some products keep what they promise; eyeDisk, according to the results Pen Test Partners published on 9 May, is not one of them.
eyeDisk is designed to provide "unhackable" storage by relying on iris recognition instead of a traditional password. The project raised $21,892 on Indiegogo in 2018 and $21,112 on Kickstarter earlier this year. The device started shipping on 19 April, and Pen Test Partners decided to put eyeDisk's claims to the test, only to find out fairly quickly that eyeDisk is nowhere near as secure as advertised.
The good news is that eyeDisk's iris recognition did not fall for fakes. That is a common problem with biometric security mechanisms: fingerprint scanners, facial recognition and the like have all too often been fooled by a picture of the real body part in the past. Pen Test Partners found that eyeDisk was not fooled by such photos, so at least this part of the system was implemented correctly.
The bad news is that eyeDisk sends a packet containing the unlock password and its hash in plain text, so both can be read out with a simple USB sniffer. "The software first collects the password and then validates the password entered by the user before sending the unlock password," Pen Test Partners write. "This is a very poor approach given the claims of being unbreakable, and it fundamentally undermines the security of the device."
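To make the reported design flaw concrete, here is a constructed Python model of the two ways such an unlock can be built. It is an added example, not eyeDisk's code and not Pen Test Partners' tooling; the frame layouts, field names, the sample unlock secret and the device-side logic are assumptions made for illustration, since eyeDisk's real USB protocol is not described here. The weak design mirrors the report: the host checks the typed password against its own stored hash and then sends the real unlock password, with its hash, across the bus, where a passive sniffer records it. The hardened design keeps a verifier on the device and answers a fresh challenge, so the bus carries only a salt, a nonce and an HMAC tag, and a captured exchange cannot be replayed.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


class Bus:
    """Shared medium: a passive USB sniffer sees every frame that crosses it."""

    def __init__(self) -> None:
        self.captured: list[bytes] = []

    def send(self, frame: bytes) -> bytes:
        self.captured.append(frame)
        return frame


# --- weak design: host validates the entry, then ships the unlock secret ---
class WeakDevice:
    def __init__(self, unlock_password: bytes) -> None:
        self._unlock_password = unlock_password
        self.unlocked = False

    def receive(self, frame: bytes) -> None:
        # Assumed layout "UNLOCK:<sha256 hex>:<password>", mirroring the report's
        # "password and hash in plain text"; the hex digest contains no colons.
        parts = frame.split(b":", 2)
        if len(parts) == 3 and parts[0] == b"UNLOCK":
            if hmac.compare_digest(parts[2], self._unlock_password):
                self.unlocked = True


def weak_unlock(bus: Bus, device: WeakDevice, entered: str,
                stored_hash: bytes, unlock_password: bytes) -> bool:
    """Host checks the typed password against its own stored hash first..."""
    if not hmac.compare_digest(hashlib.sha256(entered.encode()).digest(), stored_hash):
        return False
    # ...and only then sends the real unlock password, in clear, to the device.
    digest = hashlib.sha256(unlock_password).hexdigest().encode()
    device.receive(bus.send(b"UNLOCK:" + digest + b":" + unlock_password))
    return device.unlocked


def sniff_unlock_password(captured: list[bytes]) -> bytes | None:
    """What a bus sniffer recovers from the weak exchange: the secret itself."""
    for frame in captured:
        parts = frame.split(b":", 2)
        if len(parts) == 3 and parts[0] == b"UNLOCK":
            return parts[2]
    return None


# --- hardened design: the device holds a verifier and issues a challenge ---
def derive_verifier(password: str, salt: bytes) -> bytes:
    """Slow KDF, so a sniffed salt alone does not make offline guessing cheap."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ChallengeDevice:
    def __init__(self, salt: bytes, verifier: bytes) -> None:
        self._salt = salt            # public; sent so the host can re-derive
        self._verifier = verifier    # set at enrolment, never leaves the device
        self._pending: bytes | None = None
        self.unlocked = False

    def challenge(self, bus: Bus) -> bytes:
        self._pending = secrets.token_bytes(16)
        return bus.send(b"CHAL:" + self._salt + self._pending)

    def receive(self, frame: bytes) -> None:
        nonce, self._pending = self._pending, None   # each nonce is valid once
        if nonce is None or not frame.startswith(b"PROOF:"):
            return
        expected = hmac.new(self._verifier, nonce, hashlib.sha256).digest()
        if hmac.compare_digest(frame[6:], expected):
            self.unlocked = True


def hardened_unlock(bus: Bus, device: ChallengeDevice, entered: str) -> tuple[bool, bytes]:
    """Host proves knowledge of the password; only salt, nonce and tag cross the bus."""
    chal = device.challenge(bus)
    salt, nonce = chal[5:21], chal[21:37]
    tag = hmac.new(derive_verifier(entered, salt), nonce, hashlib.sha256).digest()
    proof = bus.send(b"PROOF:" + tag)
    device.receive(proof)
    return device.unlocked, proof


def demo(password: str = "correct horse battery") -> dict:
    """Run both designs against a sniffing bus and report what the sniffer got."""
    unlock_secret = b"device-unlock-secret"                  # constructed value
    stored_hash = hashlib.sha256(password.encode()).digest()

    weak_bus, weak_dev = Bus(), WeakDevice(unlock_secret)
    weak_ok = weak_unlock(weak_bus, weak_dev, password, stored_hash, unlock_secret)
    sniffed = sniff_unlock_password(weak_bus.captured)

    salt = secrets.token_bytes(16)
    hard_bus = Bus()
    hard_dev = ChallengeDevice(salt, derive_verifier(password, salt))
    hard_ok, proof = hardened_unlock(hard_bus, hard_dev, password)

    hard_dev.unlocked = False
    hard_dev.challenge(hard_bus)          # device issues a fresh nonce...
    hard_dev.receive(proof)               # ...and the attacker replays the old proof
    replay_ok = hard_dev.unlocked

    wrong_ok, _ = hardened_unlock(hard_bus, hard_dev, "wrong password")
    leaked = any(password.encode() in f for f in hard_bus.captured)

    return {"weak_unlocked": weak_ok, "sniffed_secret": sniffed,
            "hardened_unlocked": hard_ok, "replay_unlocked": replay_ok,
            "wrong_password_unlocked": wrong_ok, "password_on_hardened_bus": leaked}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running `demo()` shows the sniffer lifting the unlock secret straight off the weak bus, while on the hardened bus the password never appears, a replayed proof is rejected because the device has already discarded that nonce, and a wrong password fails. The point is where the check lives: once the device itself verifies, the host has nothing secret to transmit, so there is nothing for a USB sniffer to capture.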
eyeDisk was reportedly informed about the problem on 4 April. However, communication seems to have been difficult to get going, and eyeDisk has not responded at all since 9 April. Real contact information for eyeDisk is also hard to find: neither crowdfunding platform offers a working email address, the link to the press kit on Dropbox has expired, and the links on the eyeDisk website lead only to Wix accounts.
Pen Test Partners advised eyeDisk users to "no longer rely on this implementation as a way to secure your data – unless you apply additional controls, such as encryption of your data before you copy it to the device". Vendors were also advised not to claim that their products are unhackable. That is good advice in itself, but it will probably continue to be ignored, because the marketing pull of an "indestructible" or "unhackable" device is simply too great.
Source: Pen Test Partners, Tom's Hardware