Few claims go unchecked. Unspillable mugs are smacked around, unbreakable plates are thrown at walls and unhackable devices are torn apart by security researchers. Some products live up to their promises, but Pen Test Partners said on May 9 that eyeDisk isn't one of them.
EyeDisk is supposed to offer "unhackable" storage by relying on iris recognition instead of traditional passwords. The project raised $21,892 on Indiegogo in 2018 and $21,112 on Kickstarter earlier this year. The device started to ship on March 19, and the Pen Test Partners security company decided to examine eyeDisk's claims in April, only to quickly discover that eyeDisk isn't nearly as secure as it's said to be.
The good news was that eyeDisk's iris recognition didn't fall prey to false positives. This is a common issue with biometric security mechanisms--fingerprint scanners, facial recognition and their counterparts have often been fooled by pictures of the right body part. Pen Test Partners found that eyeDisk wasn't fooled by those duplicitous photographs, though, so at least it got that part of the system right.
The bad news was that eyeDisk sends a packet containing the unlock password and hash in clear text, so they can be gleaned with a USB sniffer. "The software collects the password first, then validates the user-entered password BEFORE sending the unlock password," Pen Test Partners said. "This is a very poor approach given the unhackable claims and fundamentally undermines the security of the device."
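To make the design flaw concrete, here is an added example (not eyeDisk's code, and not Pen Test Partners' tooling) that models the flow described above: the host checks the typed password locally, then ships the real unlock password across the bus where anything logging USB traffic can read it. Beside it is a challenge-response flow in which the device only ever sees an HMAC over a fresh nonce, so the password never crosses the wire and a captured response cannot be replayed. The packet layout, the sample password, the salt and the `bus_log` list standing in for a USB capture are all assumptions for illustration.

```python
"""Added example: cleartext unlock flow (as described in the article) beside a
challenge-response flow that keeps the secret off the bus. Packet layout,
secrets and the bus_log capture model are constructed, not eyeDisk's."""
import hashlib
import hmac
import os

# Constructed sample secrets; the real device's values are not on the page.
UNLOCK_PASSWORD = "correct horse"
STORED_HASH = hashlib.sha256(UNLOCK_PASSWORD.encode()).hexdigest()
DEVICE_SALT = b"device-salt"  # assumed: would be per-device in practice


def flawed_unlock(typed_password, bus_log):
    """Pattern the article describes: validate locally, then send the unlock
    password itself. Every packet appended to bus_log is what a passive USB
    sniffer would see."""
    if hashlib.sha256(typed_password.encode()).hexdigest() != STORED_HASH:
        return False
    packet = b"UNLOCK:" + UNLOCK_PASSWORD.encode() + b":" + STORED_HASH.encode()
    bus_log.append(packet)
    return True


def secret_visible_on_bus(bus_log):
    """True if the unlock password appears verbatim in any captured packet."""
    return any(UNLOCK_PASSWORD.encode() in packet for packet in bus_log)


def derive_key(password):
    """Both sides derive the same key from the password; only the key's HMAC
    output ever travels over the bus."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEVICE_SALT, 100_000)


class ChallengeDevice:
    """Hardened alternative: the device stores a password-derived key and
    checks an HMAC over a one-shot random nonce."""

    def __init__(self, password):
        self._key = derive_key(password)
        self._nonce = None

    def challenge(self):
        self._nonce = os.urandom(16)
        return self._nonce

    def verify(self, response):
        if self._nonce is None:
            return False
        expected = hmac.new(self._key, self._nonce, "sha256").digest()
        self._nonce = None  # nonce is consumed, so a replayed response fails
        return hmac.compare_digest(expected, response)


def challenge_unlock(device, typed_password, bus_log):
    """Host side of the challenge-response flow. The bus carries only the
    nonce and the HMAC; the password and its hash never leave the host."""
    nonce = device.challenge()
    bus_log.append(b"NONCE:" + nonce)
    response = hmac.new(derive_key(typed_password), nonce, "sha256").digest()
    bus_log.append(b"RESP:" + response)
    return device.verify(response)


if __name__ == "__main__":
    capture = []
    flawed_unlock("correct horse", capture)
    print("flawed flow leaks password:", secret_visible_on_bus(capture))
    capture = []
    challenge_unlock(ChallengeDevice("correct horse"), "correct horse", capture)
    print("challenge flow leaks password:", secret_visible_on_bus(capture))
```

The point of the contrast is the one Pen Test Partners made: a correct local password check is worthless if the step that actually unlocks the device hands the secret to anyone watching the bus. Whether the device does the check itself or uses a challenge-response scheme, the unlock secret must never be transmitted in a form that can be captured and reused.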
EyeDisk was reportedly told about the issue on April 4. Communication appears to have been sporadic, with eyeDisk no longer responding after April 9 despite being contacted three times since. We couldn't find contact information for eyeDisk. There is no email provided on either crowdfunding platform, the press kit Dropbox link has expired and the social links on eyeDisk's website lead to accounts for Wix.
Pen Test Partners advised eyeDisk users to "stop relying on it as a method of securing your data--unless you apply additional controls, such as encrypting your data before you copy it to the device." It also advised companies to stop claiming their products are unhackable, which is sound advice, so it'll probably be ignored. The marketing potential for an unhackable device is simply too great for them to ignore.